[Solved] No automatic block on DirectAdmin interface login?

I just set up a new/clean server. Same issue, but I have to check all options again first; probably the same issue though.

At first I thought it was AlmaLinux 8.x as I noticed it there first. So I tried CentOS 7.x afterwards (which we use normally).
But there was the same issue as well. Checked the DirectAdmin version installed, which is: v1.63.7.

Will call it a day for now. Been at it since early this morning (so about 10 hours now).

Thanks nevertheless for your help Brent.


//edit
Same issue on the demo page: https://demo.directadmin.com:2222/
However that might be because of the settings obviously.
 
Well, must be a bug. Fresh install (again), re-installed CSF from the interface, disabled testing mode and still no block on the number of DA logins.
But Brent, aren't you running DA? Did you test it?
 
Tested several other servers with DirectAdmin with us, including my own. All experience the same issue.
So you can brute-force hack DirectAdmin as it stands. Wow...
 
I just tested this: I tried 20 or 30+ log-in attempts for the admin user with random passwords within a few minutes. The IP isn't blocked, and I doubt that it's not blocked because it signed in successfully before... Happens on Debian 11.
 
Seems DirectAdmin can be brute-force hacked then, since there is no limit and/or blocks on the login screen. A very big fail if this is true. Let's see how fast they will resolve this...
 
Seems the issue was there since the last few releases of DirectAdmin. Only (very) old versions are still blocking. *shocked*

Anyways, I couldn't create a ticket, so I sent them an email. But I hope they will take it seriously, as every DA server is at risk of being brute-force hacked here.
 
No reply, feedback whatsoever from DirectAdmin staff. Apparently it doesn't matter that much it seems...
 
Hi everyone, thank you for bringing this to our attention. We identified the issue; the fix is already in the `alpha` release channel.

The root cause was actually the IP whitelist check, which would stop further unauthenticated processing.

It is visible in the server log with the following errors:

Code:
error unable to add failed login ip attempt error=open /usr/local/directadmin/data/admin/ip_whitelist: no such file or directory

There is a workaround for this problem:

Code:
touch /usr/local/directadmin/data/admin/ip_whitelist
chown diradmin:diradmin /usr/local/directadmin/data/admin/ip_whitelist

We have just pushed a hot-fix for this in all of the release channels.
 
This bug was apparently active (and caused major security issues) in several earlier versions as well.
However good that someone was paying attention. ;-)

Luckily nothing got hacked by simple brute-force attempts.
Anyways thank you for the fix and update!
 
/usr/local/directadmin/data/admin/ip_whitelist
well I don't have a file there.

Does the fix check the location of the file in the directadmin.conf
if the entry is different? We are supposed to be able to set the file name and location based on the directadmin.conf entry:

Code:
ip_whitelist=/etc/whitelist_ips
 
they said to use "touch"
I know that but I don't want a file there. I want it to respect the entry I added in the directadmin.conf. If it won't do that anymore there is no reason for that variable to be in the system.

The touch command was listed as a work around. I want to know more about the fix.
 
The location of the file is taken from the configuration. The easiest way to avoid this would be to just update DA. A new release should be visible for all update channels (even for EOL distros).
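To make the root cause from the staff reply above concrete (a whitelist lookup error that aborts the failed-login handler, so attempts are never counted and the block never triggers), and the follow-up point that the whitelist path comes from directadmin.conf, here is a small model of that logic. This is an added example, not DirectAdmin's own code: the conf parsing, the `BLOCK_AFTER` threshold and the `LoginGuard` class are assumptions for illustration; only the default path and the `ip_whitelist=` key come from the thread.

```python
"""Toy model of a failed-login tracker that consults an IP whitelist before
recording the attempt. Added example, not DirectAdmin code. If the whitelist
cannot be opened and the handler logs and returns early, the attempt is never
counted and brute force is never throttled (fail open). The fixed variant
treats a missing whitelist as empty (fail closed)."""
import os
import tempfile

# Default path quoted in the thread; overridable via ip_whitelist= in directadmin.conf.
DEFAULT_WHITELIST = "/usr/local/directadmin/data/admin/ip_whitelist"
BLOCK_AFTER = 5  # assumed threshold of failed attempts before an IP is blocked


def whitelist_path(conf_text: str) -> str:
    """Return the ip_whitelist path from directadmin.conf text, or the default.
    Assumes the key=value format shown in the thread (ip_whitelist=/etc/whitelist_ips)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ip_whitelist" and value.strip():
            return value.strip()
    return DEFAULT_WHITELIST


def load_whitelist(path: str, missing_is_empty: bool) -> set:
    """Read one IP per line. Buggy behaviour propagates the open() error;
    fixed behaviour treats a missing file as an empty whitelist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        if missing_is_empty:
            return set()
        raise


class LoginGuard:
    """Counts failed logins per IP unless the IP is whitelisted (assumed design)."""

    def __init__(self, whitelist_file: str, fixed: bool):
        self.whitelist_file = whitelist_file
        self.fixed = fixed
        self.failed = {}   # ip -> failed attempt count
        self.log = []      # what a server log would record

    def record_failed_login(self, ip: str) -> bool:
        """Return True when ip has reached the block threshold."""
        try:
            allow = load_whitelist(self.whitelist_file, missing_is_empty=self.fixed)
        except OSError as exc:
            # The bug: logging and returning early means the attempt is never
            # counted, so the block threshold is never reached.
            self.log.append(f"error unable to add failed login ip attempt error={exc}")
            return False
        if ip in allow:
            return False
        self.failed[ip] = self.failed.get(ip, 0) + 1
        return self.failed[ip] >= BLOCK_AFTER


def simulate(attempts: int, whitelist_file: str, fixed: bool) -> bool:
    """Hammer one attacker IP (constructed, RFC 5737 range) and report if it got blocked."""
    guard = LoginGuard(whitelist_file, fixed)
    blocked = False
    for _ in range(attempts):
        blocked = guard.record_failed_login("203.0.113.7") or blocked
    return blocked


def demo() -> dict:
    """Fresh-install scenario: whitelist path does not exist (temp dir, constructed).
    Then apply the thread's workaround (create an empty file) to the buggy variant."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "ip_whitelist")
        buggy = simulate(30, missing, fixed=False)
        fixed = simulate(30, missing, fixed=True)
        open(missing, "a").close()  # equivalent of: touch <ip_whitelist>
        workaround = simulate(30, missing, fixed=False)
    return {"buggy_blocks": buggy, "fixed_blocks": fixed, "workaround_blocks": workaround}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the whitelist is an allow-list for skipping the counter, so the safe default when it cannot be read is "nobody is whitelisted", not "skip the counter". The `touch` workaround works for the buggy variant only because it makes the open() succeed; a server with `ip_whitelist=/etc/whitelist_ips` in directadmin.conf would need the file at that path instead, which is why resolving the path from the configuration (as `whitelist_path` does here) matters.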
 
Uhmz... Okay. You didn't even notice the issue with the brute-force though.
...but I understand your concern in this. ;-)

I did read a forum post somewhere (not here) about some person getting a hacked server. Forgot to bookmark it (and currently at home). So I think we can count ourselves very, very lucky!

Word of advice: always use strong passwords and change them weekly (or daily even). It's not safe to simply rely on the software used (even DirectAdmin). ;-)
 
You didn't even notice the issue with the brute-force though.
True. That doesn't have much to do with the discussion though. It's not like I am some super tester; I am just a regular guy.
some person getting a hacked server.
happens every day
always use strong passwords
I try to use super secret ones for sure.
change them weekly (or daily even).
Not that concerned.

I am glad you found it and we brought it to their attention. I am glad it's fixed now as well.
 