Improving IP Blocking for Enhanced Security in DirectAdmin

Sharif

I’ve noticed that some IP addresses aren’t being blocked even after exceeding the retry limit set in my security settings, allowing more login attempts than I’d like. To strengthen the server’s security, I want to ensure that IPs are consistently blocked after a specific number of failed login attempts.

Could anyone share advice on the following?
  1. Configurations within DirectAdmin that might be missing or need adjustment to enforce IP blocks more reliably.
  2. Recommendations for using tools like fail2ban or others that could add extra protection against persistent IPs attempting unauthorized access.
Any insights on configuration settings or additional tools to help monitor and block repeated attempts effectively would be greatly appreciated.

Thanks for your support!
 
I mean the basic IP blocking feature isn't working. I set it to 3 times failed login to be blocked, but it does not get blocked.
 
Are you using CSF?
Yes, I am. Is there a setting I missed? I want everything to be blocked automatically, but it seems there is still an issue with blocking it.

The Brute Force Monitor indicates it isn’t blocked, as all failed attempts were from non-users trying to snoop.
 
maybe this helps
 
You could also check this:
Starting from DirectAdmin version 1.61.0, the CSF integration is done directly. New installs will have CSF automatically installed and BFM autoblock covered if installation isn't customized to disable them.
To activate, remove the following files:

/usr/local/directadmin/scripts/custom/block_ip.sh
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
/usr/local/directadmin/scripts/custom/show_blocked_ips.sh
/usr/local/directadmin/scripts/custom/unblock_ip.sh
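
For the file-removal step in the post above, an added example (not part of the thread and not DirectAdmin's own tooling): a shell script that reports which of the four listed custom scripts exist and moves them into a backup directory instead of deleting them, so the change can be reverted. The `--list`/`--apply` switches, the `DA_CUSTOM_DIR` variable and the backup location are assumptions of this example.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. The directory and file names are the ones
# listed in the post; everything else here is an assumption of the example.
DA_CUSTOM_DIR="${DA_CUSTOM_DIR:-/usr/local/directadmin/scripts/custom}"
OVERRIDES="block_ip.sh brute_force_notice_ip.sh show_blocked_ips.sh unblock_ip.sh"

# Print the listed scripts that are present in directory $1, one per line.
list_overrides() {
    dir="$1"
    for name in $OVERRIDES; do
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Move every listed script found in $1 into backup directory $2.
# Prints the number of files moved; returns non-zero if a step fails.
disable_overrides() {
    dir="$1"
    backup="$2"
    moved=0
    found=$(list_overrides "$dir")
    if [ -z "$found" ]; then
        echo 0
        return 0
    fi
    mkdir -p "$backup" || return 1
    chmod 700 "$backup" || return 1   # keep the saved copies root-only
    for name in $found; do
        mv -- "$dir/$name" "$backup/$name" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Nothing is changed unless --apply is given explicitly.
case "${1:-}" in
    --list)
        list_overrides "$DA_CUSTOM_DIR"
        ;;
    --apply)
        # Hypothetical backup location chosen for this example.
        backup_dir="/root/da-custom-backup.$(date +%Y%m%d%H%M%S)"
        count=$(disable_overrides "$DA_CUSTOM_DIR" "$backup_dir") || exit 1
        echo "moved $count file(s) to $backup_dir"
        ;;
esac
```

Run it with `--list` first to see which of the four files are present, then with `--apply` as root.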
 