Prevent Brute Force Attack

hmaddy (Verified User, joined Apr 17, 2019, 288 messages)
How to prevent a brute force attack on the server? Most accounts are facing the same issue now. Already installed CSF and Imunify360, but the brute force is still going on. How to block this?
 
Short answer: you can't.

Installing csf/lfd and Imunify is already what you can do as a response. I always temp block the IPs, but that is a choice.

There is no way to prevent them, as your IP will always be accessible from outside, hence it can be attacked.
 
Unplugging all wires from the server should prevent it. Haha, just kidding.
 
Brute force and DDoS are 2 different things. You can prevent some brute force by blocking IP addresses, but you cannot prevent DDoS.

See this: https://forum.directadmin.com/threads/abuseipdb-and-csf-others.61679/

Or, personally, I like to use Suricata. You can integrate Suricata with CSF; see here: https://www.abuseipdb.com/suricata

You can even extend Suricata to use the score from AbuseIPDB and automatically block in CSF.

When I use Suricata + AbuseIPDB I get more attack triggers than without them, because I think the current brute force monitor regex in DA is not enough.
 
Hi all, the bad guys found my new VPS very quickly and I am flooded by attacks.
So I have a similar question.

I read a lot about this topic, but for me, without experience with IP blocking, I simply thought I'd block the IP within the DA BFM.
That option to block an IP is greyed out, apparently for good reasons considering all the warnings about it, but still annoying.
(My site targets the EU, and it's under attack from many countries but none from the EU. So I don't mind blocking those IPs.)

My VPS provider put Fail2ban in their documentation. Here I read about Suricata, and elsewhere other methods.
I asked them to pull all the plugs and turn it off 4ever, but they didn't think it was the optimal solution available.

What, in your expert opinions, would be the best way/software to implement an IP blocker, or other ways to stop them from even trying to hack my precious new little server?

Thanks for your 2 cents on this!
 
IMHO CSF/LFD is better than Fail2ban and has more options. It can even be installed together with DA and combined with DA's BFM.

However, there is an option for using GeoIP to block everything which is not in the EU. It could use some resources, though. Also, this is a paid option. You can find it in CSF/LFD; look for MaxMind.

We all have these issues with flooded attacks; they come and go.
As far as I'm concerned, people are too worried about it. Just temp block them and wait until they go and try on another server.
As long as it's not really slowing down your server, it's no problem.
 
Thanks Richard,

Appreciate your input.
(Looks like in every topic I find, you are somehow sharing your experience!)
Will check how to set this up.

Do you happen to know at which number of attempts I should be worried about the server starting to slow down?
Some attackers did 25,000 attempts within a day. And that's only from 1 IP. The total yesterday was nearly 50,000 attempts.
To me that sounds like an awful lot.
 
"you are somehow sharing your experience!"
Thank you. I'm trying to be of help, a bit of a hobby of mine. Not always successful, but often it is. :)

The number you are saying is indeed an awful lot. I can't give a number of attacks. I let CSF/LFD block the IPs. So if you have an attack flood and the IP is blocked by CSF/LFD, let them attack, because they won't get in anyway. However, 25,000 to 50,000 is still a whole lot of lines in the logs.
Where did you find the number of attacks? Because I only see login attempts in the BFM of DA, which might be just a 1000 all together.

What I meant is that you can block by CSF/LFD automatically. Most attacks are done as distributed attacks, so via multiple IPs. In that case, it can be that your iptables gets so many lines that it slows down your system.
So when we have IPs automatically blocked, mostly it is for a couple of days.

Even with 50,000 attempts, as long as your system keeps working fine, services are reachable, and the IP is blocked in the firewall, there is not much else you can do about it.

I don't know which provider you have; in our datacenter, we can even have a firewall before our server. In the datacenter control panel, we can also block IPs, and this way an IP wouldn't even reach the server. However, until now we didn't need that yet.
Maybe you have a similar option.

We did have flood attacks, probably as many as you have. Mostly lasting about 1 or 2 weeks, and then it goes down; probably they go and try somewhere else. Later in the year, sometimes 2 or 3 times a year, it happens again. In other years I don't see them for a whole year.
 
IP blocking is going to be less and less the solution (if using IPv6, then... you know).

The known (attacks and scams) should be blocked before the datacentre entrance, before that in the country, before that in the EU, and so on.

Only this makes sense and saves all of us a lot of CPU power.

BUT MORE IMPORTANT: it makes the cyber world a lot safer, and important infrastructures are better protected against (hacked boxes and their DDoS and ...).

Also very, very important: the resources for the POWER used could be so much LESS than now, and it saves the EARTH for an important part, as CO2 is much less if protection is not at the doorsteps or on the servers themselves, but at whole network infrastructures and POINTs.

Also a lot of needless resources go into manufacturing hardware, while we need less.

THIS IS POSSIBLE (look at China, Korea and some countries blocking .... ;) ) YUP

Why don't they do it everywhere? YUP, money: if more CPU, memory and servers are needed, then they (the IT industry and all the cyber security software and specialists) are for a BIG part not needed anymore..


So now you can only try external services and hardware, or services on the box, even application protection on a single domain of....
UHUMMMMMMMMM rules like ModSecurity and a firewall, brute persons and bots.

My opinion on this: we are needlessly brute for the environment, where we can save so much so easily if politics and companies want to.


They YES in the EU block people trying to get over the borders (not always compliant with human rights), so why not block CYBER scammers on such a level, while this is compliant of course.

For datacentres, YUP, they have policies on who can get in, REAL HUMAN door security and so on, but not that effective with the DATA scammers, where it is also possible to do much better than they do now. And yes, for their own companies mostly they do, but for customer servers you need to do a lot yourself, while selling more CPU and memory and so on if hosting customers have to do protection themselves. Selling them extra service for protection, AHUM.

IS a business not needed at that scale if doing it right in the world.

Also a kind of driver's license skills to use servers, and a block from the big hosting services like Google Cloud and co: customers' USA IPs where a lot of scam is coming from. When you give Google a list with IPs scamming from their... uhum, you know what I mean, they do nothing. You have to file and prove every single one; that is not my work, they should keep their server parks clean themselves and not us proving they are not doing their work!!
 
Interesting read, Ikkeben.

Until this is all solved the right way, on a global scale, it will take a while.
Until then, with great joy, I used the block IP option a number of times already. Manually for the ones before CSF was active.
And CSF helped me after that.
Nearly all IPs from Iran & Belize.

Before, I just sat there, sadly staring at the greyed out BLOCK IP button, seeing the number of attacks increasing by the thousands and not able to do anything.
Now I just sit here, happily, knowing the bad guys will quickly be stopped and I can focus on other things for the new server setup.
Nearly there.... one annoying thing left, but I will search and query in the appropriate threads for that.

Will check if my SP can block IPs before they can even reach my server.
 
Maybe you can research the IPs and find one or more common ASNs they are coming from. Blocking by ASN in CSF is not as slow as blocking a myriad of IPs or ranges.
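The two points above (counting attempts per IP from the logs rather than from the BFM, and preferring one network or ASN rule over thousands of single-IP iptables entries during a distributed attack) can be checked with a small script. This is an added example, not anything from the thread or from CSF; the log lines are constructed, the thresholds are assumptions, and the /24 grouping stands in for the ASN lookup, which would need external data.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample lines in sshd and exim style (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 03:12:01 vps sshd[812]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jan 10 03:12:03 vps sshd[812]: Failed password for root from 203.0.113.10 port 51023 ssh2
Jan 10 03:12:05 vps sshd[815]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Jan 10 03:12:07 vps sshd[819]: Failed password for root from 203.0.113.10 port 51031 ssh2
Jan 10 03:12:09 vps sshd[821]: Failed password for root from 203.0.113.10 port 51040 ssh2
Jan 10 03:13:00 vps sshd[830]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 03:13:02 vps sshd[831]: Failed password for root from 198.51.100.8 port 40002 ssh2
Jan 10 03:13:04 vps sshd[832]: Failed password for root from 198.51.100.9 port 40003 ssh2
Jan 10 03:13:06 vps sshd[833]: Failed password for root from 198.51.100.10 port 40004 ssh2
2024-01-10 03:14:00 dovecot_login authenticator failed for (x) [192.0.2.55]: 535 Incorrect authentication data
2024-01-10 03:14:02 dovecot_login authenticator failed for (x) [192.0.2.55]: 535 Incorrect authentication data
"""

# One pattern per log source; both capture the remote address.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"),
    re.compile(r"authenticator failed for .*\[(\d+\.\d+\.\d+\.\d+)\]"),
]

def count_failures(log_text):
    """Return a Counter of failed login attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts

def plan_blocks(counts, per_ip_limit=5, dist_limit=4, prefix_len=24):
    """Decide what to block: a whole /prefix_len when many distinct IPs in it
    fail (distributed attack), otherwise only single IPs at or over per_ip_limit.
    Thresholds are assumed values. Returns (ip_list, network_list)."""
    by_net = defaultdict(list)
    for ip in counts:
        by_net[ip_network(f"{ip}/{prefix_len}", strict=False)].append(ip)
    ips, nets = [], []
    for net, members in sorted(by_net.items()):
        if len(members) >= dist_limit:
            nets.append(str(net))  # one firewall rule instead of many
        else:
            ips.extend(sorted(m for m in members if counts[m] >= per_ip_limit))
    return ips, nets
```

With the sample data, the single noisy host is blocked on its own, the four low-volume hosts in one /24 are caught as one network rule, and the mail host with two failures stays below both thresholds.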
 
I have SSH IP-restricted, and it cut down the brute force attacks by at least 50%, if not more. Still a lot on Exim, though.

What also works well is a blocklist, like AbuseIPDB's.
 