Skip List, what is it????

Triodes (New member; joined Apr 15, 2013; 3 messages)
Hi,

I've been searching for over an hour, and can't find anything in the search or FAQ or help-link or DA site about it.

What does the skiplist do? Does it block the BFM IPs or does it let them through?
 
That is not really a clear description unless you perhaps wrote the code yourself ;) To me it only says it will not give a notification, not that it whitelists or blacklists an IP.

Is there a button for "add to black list"? That should be more interesting. I have BFAs in the 1500+ on some IPs and no way to know if anything is done about them.
 
I figured the skip list would stop BFM notifications, and perhaps it does if log (secure) parsing is turned off.

This may be considered a bug. Without further clarification or digging around in the DA directories, however, an IP on the skip list will continue to generate alerts when Administrator Settings [security] -> "Parse service logs for brute force attacks" = Y

...at least with the default installation. It may be that further tweaks (RE: Feature 1227) can provide silence for a skip-listed IP even with log parsing = Y. I still have not investigated the feature enough.

update: I finally dug out the versions library (1.392) on this feature - http://www.directadmin.com/features.php?id=1234
It appears the feature is supposed to act as I imagined. I confirmed the IPs (plus comments) exist in the /usr/local/directadmin/data/admin/brute_skip.list file.

This feature came after the 1.39 entry (http://www.directadmin.com/features.php?id=1227) and is sort of worded as if the 'skip list' is applicable to secure log parsing. Further reading actually indicates it's reliant on the logs being parsed.

Conclusion is I'm observing a bug... However it's not due to brute_force_notify_pre.sh exactly, because I don't have one..
 