Problem with brute force monitor

NTT

So, I've run forums for over a decade, though not on Directadmin - always on a custom machine/vps. I'm using DirectAdmin as a platform now, and I'm running into a weird problem.

I have 2 forums related to a company - one (a demo) landed them as a client, and the other is their forum. Both are running the same software on the same directadmin machine. The users on both forums are the same. Litespeed is the web server. The only differences I can see are that:

  1. The name of the company is in the forum name of the official forum, and that means memorized passwords are sometimes offered to users for the domain. Note that these will not match
  2. The company put Cloudflare in front of the forum, while I didn't bother. They say nothing is being done other than the standard port forwarding that Cloudflare performs.
So, that's the background. Now multiple users (all in Europe so far) are being blocked, and CSF shows this:

csf.deny: 75.155.xxx.xxx # Blocked with Directadmin Brute Force Manager - Sun Sep 11 19:59:46 2022

I can't figure out what's triggering this. I'd look directly at the log files, but when I bring up the log viewer and grep based on the IP address I get an empty result. Looking in BFM it's 50 login failures that are identified, but the users are unaware of anything they might be doing that would cause these logs.

What's the best next step to figure out what's happening to cause this?
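One concrete next step for the question above, as an added example that is not part of the original post: parse the csf.deny entry, then look for that address in the web server access log within the minutes before the block, matching not only on the remote address but also on a forwarded-client field. This matters for the Cloudflare-fronted forum: the origin server logs the proxy edge as the remote address, so a plain grep for the user's IP can come back empty even though the requests are there. The log line layout (an `xff="..."` field appended to the combined format), the IP addresses and the timestamps are all constructed for the example; the csf.deny format is the one quoted in the post.

```python
import re
from datetime import datetime, timedelta

# csf.deny line format as quoted in the thread:
#   <ip> # Blocked with Directadmin Brute Force Manager - Sun Sep 11 19:59:46 2022
CSF_DENY_RE = re.compile(
    r"^(?P<ip>\S+)\s+#\s*(?P<reason>.+?)\s+-\s+"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

# Combined access-log line with an optional trailing xff="..." field for the
# proxied client address. This layout is constructed for the example; the real
# LogFormat on a LiteSpeed/Apache host is whatever the admin configured.
ACCESS_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
    r'(?: xff="(?P<xff>[^"]*)")?'
)

# Constructed sample data. 203.0.113.45 is the blocked user, 198.51.100.7 stands
# in for the proxy edge, 192.0.2.9 is unrelated traffic.
DENY_LINE = "203.0.113.45 # Blocked with Directadmin Brute Force Manager - Sun Sep 11 19:59:46 2022"
ACCESS_LOG = [
    '198.51.100.7 - - [11/Sep/2022:19:55:10 +0000] "POST /login/login HTTP/1.1" 303 512 "-" "Mozilla/5.0" xff="203.0.113.45"',
    '198.51.100.7 - - [11/Sep/2022:19:57:31 +0000] "POST /posts/12/reply HTTP/1.1" 200 2048 "-" "Mozilla/5.0" xff="203.0.113.45"',
    '203.0.113.45 - - [11/Sep/2022:19:58:02 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Sep/2022:19:58:40 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "bot/1.0"',
    '198.51.100.7 - - [11/Sep/2022:18:30:00 +0000] "POST /login/login HTTP/1.1" 303 512 "-" "Mozilla/5.0" xff="203.0.113.45"',
]


def parse_csf_deny(line):
    """Parse one csf.deny line into ip, reason and block time; None if it does not match."""
    m = CSF_DENY_RE.match(line.strip())
    if not m:
        return None
    # ctime-style dates pad the day with a space ("Sep  1"); collapse that first.
    when = datetime.strptime(re.sub(r"\s+", " ", m.group("when")), "%a %b %d %H:%M:%S %Y")
    return {"ip": m.group("ip"), "reason": m.group("reason"), "when": when}


def parse_access(line):
    """Parse one access-log line; the xff field becomes a list of forwarded client IPs."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # csf.deny timestamps carry no zone, so compare on naive local-style times.
    when = datetime.strptime(m.group("when"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    xff = [x.strip() for x in (m.group("xff") or "").split(",") if x.strip()]
    return {"remote": m.group("remote"), "when": when, "request": m.group("request"),
            "status": int(m.group("status")), "xff": xff}


def find_events(deny, access_lines, window_minutes=10, include_forwarded=True):
    """Return access-log entries attributable to the denied IP in the window before the block.

    With include_forwarded=False this behaves like a grep on the remote-address
    column, which misses every request that arrived through a reverse proxy.
    """
    start = deny["when"] - timedelta(minutes=window_minutes)
    hits = []
    for line in access_lines:
        ev = parse_access(line)
        if ev is None or not (start <= ev["when"] <= deny["when"]):
            continue
        if ev["remote"] == deny["ip"] or (include_forwarded and deny["ip"] in ev["xff"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    deny = parse_csf_deny(DENY_LINE)
    print(f"{deny['ip']} blocked at {deny['when']}: {deny['reason']}")
    for label, fwd in (("remote address only", False), ("including forwarded client", True)):
        events = find_events(deny, ACCESS_LOG, include_forwarded=fwd)
        print(f"{label}: {len(events)} request(s) in the 10 minutes before the block")
        for ev in events:
            print(f"  {ev['when']} {ev['remote']:<14} {ev['status']} {ev['request']}")
```

On the sample data the remote-address-only search finds one request while the forwarded-aware search finds three, which is the gap a plain grep leaves behind a proxy. On a real host, point it at the domain's access log and at /var/log/directadmin, and read the list of requests in the window to see what the blocked user actually did before BFM counted the failures.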
 
Looking in BFM it's 50 login failures that are identified,
50 login failures to what? To directadmin? To Exim? To....?

Note that these will not match
I'm not a native English speaker. But I do run several forums too. Which forum software is that running on, and can you explain what you mean by this, that passwords will not match? Will not match what?

P.S. Cloudflare does something with DNS too if I'm not mistaken, but shouldn't give issues with BFM normally.
 
Check all your DirectAdmin logs (httpd error log, access log, mail log, ...); you may find what is triggering this.
 
Also check /var/log/directadmin logfiles. Since it's BFM it's likely that may point to something.
 
Sorry for the delay here.

The log was saying it was the BFM, but actually it was the firewall, using a rule designed to detect a particular botnet, and for some reason new posts were sometimes flagged.

Ignored that rule, problem fixed.
 
Thanks.
Could you share which rule it was? This way others can avoid making the same mistake or avoid activating the same block.
 