IPs being blocked

maira (New member, joined Jan 3, 2024)
Hi, we are really new to DirectAdmin and we are going crazy about our customers' IPs being blocked.

They can be blocked by different systems, and we have to search everywhere to find out what caused the IP to be blocked:

  • Brute force monitor
  • CSF
  • Imunify 360
  • Modsecurity
Is there any plugin for DirectAdmin or WHMCS that can find which one of these systems blocked the IP and can search the logs regarding the issue, so we can easily inform our customers how to fix it?

Or can you guide us on where to look in the logs for each one of them, to see if we can create something that would look in all of them at the same time?
Sincerely, thanks!
 
Hello.
Mostly, at least what we experience, is that users get blocked by either using wrong DA credentials or using wrong e-mail credentials.

So in our case most blocks are done via the DA BFM, whose logs and reasons you can see in the DA panel as admin under Brute Force Monitor, or by the CSF/LFD firewall.
I don't know if that log can be seen in the plugin, but it can mostly be seen in the /var/log/lfd.log file.
Especially if you are new to DA, I would -not- disable the e-mail messages of CSF, because CSF will send you a mail if it blocks an IP temporarily or permanently.

As for Imunify360 I don't know, I don't use that. It might have some logs in the /var/log/imunify360 directory, but I'm not sure.

ModSecurity does not use IP blocks. It just blocks access to some things or throws an error so a hacker can't abuse something; it does not have an IP blacklist as far as I know.
 
Besides the IPs being blocked for using wrong credentials, my customers are being blocked by ModSecurity when they upload a file in WordPress or the webmail, because of some strange rules against WordPress...

I have to search in those four places to see if it's blocked, and for some of them search in the logs to find out why it was blocked, so I can tell my customer what caused the IP to be blocked so he can stop this behaviour, fix the website, or tell his own users.
 
The ModSec OWASP ruleset (and also the other one, I just don't remember the name) was a PITA for us for months. Finally we dropped them, because of the mass of false positives and the time needed to find the correct rules. Better to use just your own custom rules if really needed. Besides that, it makes the sites slower. I would drop it again without hesitation.
 