[Solved] No automatic block on DirectAdmin interface login?

HHawk79 (Verified User, joined Sep 3, 2021, 86 messages)
Hi all,

I am experiencing a weird issue. For some reason, no matter how many times you try to log in on the DirectAdmin interface, you will not get blocked.
It doesn't matter if you try 200 times by clicking the login button. It simply does not block...

In the log under /var/log/directadmin/2022_date.log I see the following:

Code:
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:20     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:20     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:20     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:20     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin

The IP address mentioned is from one of my VPNs, so I could also monitor (watch) the logs while logged in to the DirectAdmin interface from my real network.
Anyway, there is no ban whatsoever! At first I thought it was an issue with csf.conf, so I reinstalled the original (unmodified) one, but still the same issue. I also tried using the original csf.pignore, but still nothing. In between I reloaded CSF with "csf -R".

I also checked all admin settings with regard to the blacklist settings, but all seem fine. I also tried using the script supplied by Poralix here. But it didn't help (I didn't expect it would, as DirectAdmin has BFM by default nowadays). I also checked all directadmin.conf options; nothing weird and everything enabled.

So now I have no clue what it could be or what is causing it... I am baffled. Maybe it's a bug in the latest DirectAdmin version (running v1.63.7). So I have no clue why it does not block/ban wrong logins on the DirectAdmin interface login...

FYI: blocking other aspects on the server works. For example:

Code:
Mar 9 15:36:33 ns1 lfd[23069]: (sshd) Failed SSH login from 116.105.212.31 (VN/Vietnam/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar 9 15:37:13 ns1 lfd[26844]: (sshd) Failed SSH login from 116.110.103.67 (VN/Vietnam/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar 9 17:46:35 ns1 lfd[10155]: (eximsyntax) Exim syntax errors from 185.165.190.34 (US/United States/red.census.shodan.io): 5 in the last 900 secs - *Blocked in csf* for 915 secs [LF_TRIGGER]

Does anyone have an idea? Or can anyone tell me what to try or where to look?

Thanks in advance.
 
If you ran all of that you would need to remove the Custom scripts

You might look through this and double check it all.

Well I tested this with and without the Poralix script (on several re-installs). No difference / same result.
And yes, I have included that line already in my directadmin.conf. FYI, here is the output with all "brute"-related options:

Code:
cat /usr/local/directadmin/conf/directadmin.conf | grep 'brute'
brute_dos_count=30
brute_force_apache_log_list_update_interval=30
brute_force_exim_log=/var/log/exim/mainlog/
brute_force_exim_panic_log=/var/log/exim/paniclog
brute_force_exim_reject_log=/var/log/exim/rejectlog
brute_force_ignore_attempts_on_suspended=1
brute_force_log_scanner=1
brute_force_mail_log=/var/log/maillog
brute_force_messages_log=/var/log/messages
brute_force_mysql_log=/var/lib/mysql/.err
brute_force_notifications_email_only=0
brute_force_scan_apache_logs=2
brute_force_secure_log=/var/log/secure
brute_force_time_limit=100
brutecount=10
bruteforce=1
clear_brute_log_entry_time=1
clear_brute_log_time=4
hide_brute_force_notifications=1
include_directadmin_port_in_brute_firewall=1
unblock_brute_ip_time=15
user_brutecount=150

As you can see, it was already included. Still no joy...
Or did I misread the explanation? And should this be set to "0" instead?

But thanks for answering, Brent. Maybe you have another idea?


//edit

Against better judgment, I also tried setting "include_directadmin_port_in_brute_firewall=1", but same result (no block whatsoever).
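As an added diagnostic (not code from the thread or from DirectAdmin itself), the script below parses the brute-related options quoted above and access-log lines in the format of the opening post, then reports which source IPs reached brutecount POST /CMD_LOGIN requests within brute_force_time_limit seconds. It assumes a simplified model in which BFM counts attempts per IP inside that window; the real counter keys on failed logins, which the access log does not distinguish, so the result is an upper bound on what BFM could have seen.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt of the brute-related directadmin.conf options quoted above.
CONF_SAMPLE = """bruteforce=1
brutecount=10
brute_force_time_limit=100
"""
# Constructed lines in the 2022_date.log format from the thread (IP masked as in the post).
LOG_SAMPLE = """09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:17     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:18     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:19     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:04:20     185.232.21.XX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:18:05:01     10.0.0.5 POST /CMD_LOGIN HTTP/1.1 admin
"""
LOG_RE = re.compile(r"^(\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)$")

def parse_conf(text):
    """Parse the key=value lines of directadmin.conf into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_log(text):
    """Return (timestamp, ip, method, path, user) tuples; the log date is DD/MM/YYYY."""
    matches = filter(None, map(LOG_RE.match, text.splitlines()))
    return [(datetime.strptime(m.group(1), "%d/%m/%Y:%H:%M:%S"),) + m.group(2, 3, 4, 5)
            for m in matches]

def login_bursts(events, window_sec):
    """Peak count of POST /CMD_LOGIN per source IP inside any window of window_sec seconds."""
    per_ip = defaultdict(list)
    for ts, ip, method, path, _ in events:
        if (method, path) == ("POST", "/CMD_LOGIN"):
            per_ip[ip].append(ts)
    peaks = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):          # classic sliding window over sorted times
            while t - times[start] > timedelta(seconds=window_sec):
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def over_threshold(conf, events):
    """IPs whose burst reaches brutecount within brute_force_time_limit (simplified model)."""
    limit = int(conf.get("brutecount", 0)) if conf.get("bruteforce") == "1" else 0
    window = int(conf.get("brute_force_time_limit", 0))
    return {ip: n for ip, n in login_bursts(events, window).items() if limit and n >= limit}
```

Run it against a real 2022_date.log and the live directadmin.conf to see whether the attempts you made actually fall inside one brute_force_time_limit window at the configured brutecount.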
 
if you look in this file listed here
Code:
cat /usr/local/directadmin/conf/directadmin.conf | grep whitelist

Is the ip you are testing from in here?

or in the csf allow file?
 
No, twice. I used a random proxy VPS, so it's not even in there.

Full output of directadmin.conf (domains are examples obviously):

Code:
cat /usr/local/directadmin/conf/directadmin.conf
add_userdb_quota=1
allow_ttl_override=1
apache_public_html=0
apache_ver=2.0
autoupdate=1
awstats=0
backup_gzip=2
brute_dos_count=30
brute_force_apache_log_list_update_interval=30
brute_force_exim_log=/var/log/exim/mainlog/
brute_force_exim_panic_log=/var/log/exim/paniclog
brute_force_exim_reject_log=/var/log/exim/rejectlog
brute_force_ignore_attempts_on_suspended=1
brute_force_log_scanner=1
brute_force_mail_log=/var/log/maillog
brute_force_messages_log=/var/log/messages
brute_force_mysql_log=/var/lib/mysql/.err
brute_force_notifications_email_only=0
brute_force_scan_apache_logs=2
brute_force_secure_log=/var/log/secure
brute_force_time_limit=100
brutecount=10
bruteforce=1
check_subdomain_owner=1
clear_blacklist_ip_time=15
clear_brute_log_entry_time=1
clear_brute_log_time=4
cloud_cache=0
cpu_in_system_info=1
default_private_html_link=1
default_ttl=300
demodocsroot=./data/skins/evolution
disk_usage_suspend=1
dkim=2
dns_ttl=1
dnssec=1
docsroot=./data/skins/evolution
dovecot=1
enforce_difficult_passwords=1
ethernet_dev=venet0
fm_to_trash_default=0
frontpage_on=0
hide_brute_force_notifications=1
http2=1
include_directadmin_port_in_brute_firewall=1
ipv6=1
letsencrypt=1
litespeed=0
mail_sni=1
max_username_length=16
nginx=0
nginx_proxy=0
ns1=ns1.test-dns.com
ns2=ns2.test-dns.com
openlitespeed=0
php_fpm_max_children_default=10
pointers_own_virtualhost=1
pureftp=1
quota_partition=/
secure_access_group=access
servername=ns1.test-dns.com
show_info_in_header=0
system_user_to_virtual_passwd=1
unblock_brute_ip_time=15
unified_ftp_password_file=1
user_brutecount=150
webmail_link=roundcube
check_referer=0
 
Also make sure you are running

Code:
systemctl restart directadmin
 
Of course. As a matter of fact, I even reboot the server every time I make a change. That way I am certain the change(s) is/are applied.
 
Also make sure these files are deleted

Code:
/usr/local/directadmin/scripts/custom/block_ip.sh
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
/usr/local/directadmin/scripts/custom/show_blocked_ips.sh
/usr/local/directadmin/scripts/custom/unblock_ip.sh
/root/blocked_ips.txt
/root/exempt_ips.txt
 
Removed them all, rebooted the server and tried to log in on the GUI multiple times. Still no block. Sigh.
Really no clue what's causing this...
 
GUI multiple times.
Are you doing 150+ attempts?
brutecount=10
user_brutecount=150

You might set these to something more strict, like 5.

Also, are you putting in a fake username and password each time,
like test
test
 
Changed it to "user_brutecount=10", rebooted the server and tried again.
Tried various logins (in bulk), e.g. fictional user names as well as admin.

See here:

Code:
09/03/2022:19:35:10 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:10 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:10 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:10 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:10 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:11 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:12 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:13 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:14 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:15 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:15 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:15 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:16 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:17 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:18 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:19 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:20 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:21 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:21 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:21 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:22 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:22 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:22 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:35:22 185.232.21.XXX POST /CMD_LOGIN HTTP/1.1 admin

No dice. Still no block whatsoever.


//edit
Tried it on a different server (with an older DirectAdmin version). After a few tries, blocked straight away.
I have no clue what this is related to, to be honest. Everything should be in order as far as I can tell.
 
Also what is ip_brutecount set to?
Apparently this variable wasn't set, so I added it with: ip_brutecount=10.
And rebooted. Still no block after 60+ attempts to log in with admin:

Code:
09/03/2022:19:41:26 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:26 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:26 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:26 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:27 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:27 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:27 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:28 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:28 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:28 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:29 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:29 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:29 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:30 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:30 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:30 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:30 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:31 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:31 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:31 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:32 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:32 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:32 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:33 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:33 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:33 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:34 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:34 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:34 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:35 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:35 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:35 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:36 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:36 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:36 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:36 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:37 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:37 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:37 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:37 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:38 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:38 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:38 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:38 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:38 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:39 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:39 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:39 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:39 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:40 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:40 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:40 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:40 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:41 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:41 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:41 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:41 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:42 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:42 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:42 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:42 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:42 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:43 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin
09/03/2022:19:41:43 185.232.21.YYY POST /CMD_LOGIN HTTP/1.1 admin

:'(
 
If your license has support. Might be quicker for them to login and look.
 
In csf, under OS Specific, what is

Code:
PORTS_directadmin =

set to? It should be 2222.
 
Unfortunately no support on this license (expired).
Correctly set to: PORTS_directadmin = "2222"

But I do notice this:
DIRECTADMIN_LOG = "/var/log/directadmin/login.log"

No clue if that is correct. When I check that file (login.log), I see only successful logins. No mention of failed logins at all.
I have noticed the same behaviour on other DirectAdmin servers (with newer versions).

On one older server (with a DirectAdmin version that has not been updated recently) I do see the following in login.log:

Code:
2022:03:09-08:45:12: 'YYY.XX.QQ.WWW' 16 failed login attempts. Account 'admin'
2022:03:09-08:45:17: 'YYY.XX.QQ.WWW' 23 failed login attempts. Account 'root'
2022:03:09-08:45:20: 'YYY.XX.QQ.WWW' 14 failed login attempts. Account 'whmcs'
2022:03:09-08:45:22: 'YYY.XX.QQ.WWW' 11 failed login attempts. Account 'administrator'
2022:03:09-08:45:34: 'YYY.XX.QQ.WWW' 58 failed login attempts. Account 'root'
2022:03:09-08:45:38: 'YYY.XX.QQ.WWW' 59 failed login attempts. Account 'admin'

But not on the newer servers...
 