Need some basic advice on firewalls / CSF / Brute Force Monitor

BooDaddy (Verified User, joined Feb 20, 2009, 46 messages)
I need some basic advice on how to stop brute-force attacks on my machine. I haven't been compromised, but I am tired of seeing massive numbers of attempts on my machine coming from China.

I am currently using the built-in Brute Force Monitor in DA right now and it's doing well, but I am not 100% sure how to block an entire range of IPs using the block_ips.txt file.

I have found this list: http://www.wizcrafts.net/chinese-iptables-blocklist.html and I was wondering if I could just copy and paste that entire list (containing IP ranges with /24 and /16 and such) into the blocked_ips.txt list.
Am I able to manually type in an IP like this, for example, 100.200.300.000/24, into the blocked_ips.txt list and have it block the entire /24 range?

Also, I am considering installing CSF since I have seen a lot of recommendations for it. I have searched the forums for a how-to guide, but I cannot find one. I didn't want to install it incorrectly in DA. Does anyone have a link bookmarked they could share for a how-to on installing CSF on my DA machine?

Thanks a lot!
 
I'm using CSF as well. Installing it is really simple. Check out their own install: http://www.configserver.com/free/csf/install.txt

When you run the install.sh it will detect a DirectAdmin environment and it will install as a plugin and will show up in DA.

Under the Firewall Configuration, the setting CC_DENY is where you can list countries. I've listed CN,HK,TW,KR (China/Hong Kong/Taiwan/South Korea). I've chosen these countries based on the attacks I had.

I believe it uses this service: http://www.ipdeny.com/ipblocks/ - you can see all country codes there too. Note that for one country alone it uses many ranges, and when restarting the iptables rules it takes a few seconds (depending on CPU speed) to add them all.

Notes for CSF in general: really look at each setting in the config. It's long, but you gotta know what's going on on your system.
 
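Both the first post (pasting a list of /24 and /16 ranges into a block file, and whether an entry like 100.200.300.000/24 would work) and the reply above (CSF's CC_DENY loading many ranges per country, which makes an iptables reload slow) come down to the same two chores: checking that every pasted entry is really a valid IPv4 network, and merging duplicate, nested and adjacent ranges so the firewall gets as few rules as possible. The script below is an added example and is not DirectAdmin's, CSF's or any poster's code; the sample list is constructed for the demonstration, and the assumed input format is one IPv4 address or CIDR per line with optional `#` comments, as in the ipdeny.com zone files. Nothing here knows the exact format DA's block_ips.txt expects; it only produces plain iptables commands.

```python
"""Validate, normalise and collapse a pasted IPv4 blocklist, then emit
iptables DROP rules for it.

Added example, not DirectAdmin's or CSF's code.  Assumption: the input is
one IPv4 address or CIDR per line, '#' starts a comment (ipdeny.com style).
"""
import ipaddress

# Constructed sample list (not taken from the lists linked in the thread).
# It deliberately contains the thread's impossible entry 100.200.300.000/24,
# a duplicate, a range written with host bits set, a bare host address and a
# bad prefix length, so every failure mode is exercised.
SAMPLE_LIST = """
# China, example ranges (constructed)
1.0.1.0/24
1.0.2.0/23
1.0.1.0/24          # duplicate of the first entry
1.0.3.7/24          # host bits set; normalises to 1.0.3.0/24
100.200.300.000/24  # octet 300 is not a valid IPv4 octet
203.0.113.5         # single host, no prefix: becomes a /32
10.0.0.0/33         # prefix length out of range
"""


def parse_blocklist(text):
    """Return (valid IPv4 networks in file order, rejected entries).

    strict=False lets 1.0.3.7/24 through as 1.0.3.0/24 instead of raising,
    which is what a human pasting a range almost always meant.  IPv6 entries
    are rejected because the rules emitted below are for iptables, not
    ip6tables.
    """
    good, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)                  # bad octet, bad prefix, junk
            continue
        if net.version != 4:
            bad.append(entry)
            continue
        good.append(net)
    return good, bad


def collapse(nets):
    """Merge duplicates, nested and adjacent networks into the minimal set.

    Fewer networks means fewer iptables rules, which directly shortens the
    reload time the reply above complains about.
    """
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, chain="INPUT", target="DROP"):
    """One append rule per network.  -A keeps list order; since every rule
    is a DROP on a distinct source range, order does not affect behaviour."""
    return ["iptables -A {} -s {} -j {}".format(chain, n.with_prefixlen, target)
            for n in nets]


if __name__ == "__main__":
    good, bad = parse_blocklist(SAMPLE_LIST)
    for entry in bad:
        print("REJECTED:", entry)
    merged = collapse(good)
    print("{} entries -> {} networks after collapsing".format(len(good), len(merged)))
    for rule in iptables_rules(merged):
        print(rule)
```

Run against the constructed sample, the two malformed lines are reported and the five valid entries collapse to three networks (1.0.3.0/24 disappears inside 1.0.2.0/23, the duplicate is dropped). Feeding a real country list through `collapse()` before loading it is the cheap way to cut rule count; the validation step is what catches an entry like 100.200.300.000/24 before it silently fails to match anything.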
Thanks for the info. I have decided to install csf.
Here's what I did, can someone verify this was correct?

1. Disabled BFM in DA control panel

2. Moved block_ip.sh and brute_force_notice_ip.sh from the custom scripts folder to /root.

3. Did service iptables stop (to stop the current DA iptables service)

4. Moved the modified /etc/init.d/iptables script that I downloaded from the DA site for BRM to /root

5. Moved the original iptables upstart script that was provided by CentOS 6.2 install back to /etc/init.d/iptables

6. Restarted iptables using the original CentOS iptables script I just moved in the step above by doing service iptables start

7. Downloaded csf to /tmp and untar'd it.

8. Ran sh install.sh to get it installed. Verified I was able to see the plugin show up in the DirectAdmin control panel

Now, here's my concern: if I do a chkconfig --list I can see that there is an entry for csf and an entry for iptables. They are both set to "on" for my run level.

Does csf simply use the default CentOS iptables upstart job or does it have its own separate iptables job that it starts?
Do I need to turn off the default CentOS iptables from starting on my run level?

I'm a little confused...sorry. :(
 
OK. So, do I need to leave the iptables entry turned on for my run level on chkconfig?
There is an entry in chkconfig for csf, lfd, and iptables. All three are on.

I have noticed that if I do a service iptables start, all hell seems to break loose on the machine, and the firewall rules get messed up. I am afraid that when the machine reboots, I will run into the same problems.
 
This is from my server:

Code:
csf             0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
lfd             0:off   1:off   2:on    3:on    4:on    5:on    6:off

Regards
 
Thanks SeLLeRoNe! That's exactly how mine looks. I guess I was being paranoid.
 