Mean Servers makes no guarantee or warranty regarding this article, and it comes as-is with no support whatsoever unless implemented by Mean Servers personnel. A competent Linux system administrator should implement this tutorial, as severe and irreversible server damage may result from improper use. Mean Servers can secure your server for a one time fee of $39. Contact the sales department for more information.
To defend against brute force login attempts, we can use a brute force login detection system. DirectAdmin has two such systems for these attacks.
1) The original feature was created in DA 1.25.5, and will detect and block login attempts on DA itself (port 2222):
http://www.directadmin.com/features.php?id=573
This feature applies only to port 2222: it blocks IPs on that port alone and does not block them on any other port.
To enable this feature, go to:
Admin Level -> Admin Settings -> Blacklist IPs for excessive login attempts
Use a value around 10-20. Note that merely loading the login page counts as one failed login, since it's an unauthorized access, so keep that in mind when choosing a number.
2) The newer system works in tandem with the previous one, and will scan the logs of the other services (apache, dovecot, exim, proftpd, sshd).
When an attack is detected, DA will notify the Admins on the box that the attack is in progress.
DA will not block the IPs itself, since that would require a firewall, and DA doesn't manage firewalls (see block_ip.sh below).
To enable the detection reporting, go to:
Admin Level -> Admin Settings -> Parse service logs for brute force attacks
The brute force monitor (BFM) page can be viewed at:
Admin Level -> Brute Force Monitor
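To make the log-scanning idea behind the brute force monitor concrete, here is an added shell example (it is not DirectAdmin's code and does not show how DA itself parses logs). It reads sshd log lines, counts "Failed password" entries per source IP, applies a failure threshold in the spirit of the 10-20 value above, and skips any IP on an exempt list. The log lines, the threshold and the EXEMPT_IPS list are constructed for this example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: per-IP failed-login counting over
# sshd log lines, with a threshold and an exempt list, as a defender would
# do by hand before deciding which addresses to block.

# Constructed sample of sshd log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG='Jan 10 03:14:01 host sshd[2311]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:03 host sshd[2311]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 03:14:05 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:07 host sshd[2311]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jan 10 03:15:00 host sshd[2390]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 03:15:30 host sshd[2401]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jan 10 03:16:00 host sshd[2420]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan 10 03:16:01 host sshd[2420]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan 10 03:16:02 host sshd[2420]: Failed password for root from 192.0.2.9 port 33003 ssh2'

# Exempt IPs, one per line (the guide keeps these in /root/exempt_ips.txt).
# Constructed value for this example.
EXEMPT_IPS='192.0.2.9'

# count_failed_logins: read log lines on stdin and print "<count> <ip>" for
# every IP that produced at least one "Failed password" line, highest first.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# find_brute_force_ips THRESHOLD: read log lines on stdin and print the IPs
# with at least THRESHOLD failures that are not on the exempt list.
find_brute_force_ips() {
    threshold="$1"
    count_failed_logins | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        printf '%s\n' "$EXEMPT_IPS" | grep -qxF "$ip" && continue
        printf '%s\n' "$ip"
    done
}

# Stand-alone run: report every IP with 3 or more failed logins in the sample.
printf '%s\n' "$SAMPLE_LOG" | find_brute_force_ips 3
```

On a live box you would feed the real log instead of the sample, for example `find_brute_force_ips 10 < /var/log/secure`; the output is a candidate list for blocked_ips.txt, not something to apply blindly, which is why the exempt list is checked before an address is ever printed.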
Automating Blocking of Brute Force Attempts (CentOS 5 & 6)
1) The first part of this guide will outline how to set up the actual firewall for block_ip.sh to use. Note that we're not able to offer any support for this setup, so use it at your own risk. Also, this file is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD (it may work on Debian, but that is unconfirmed).
*** Note that it opens ssh on port 22, so make sure you either change it manually, or have physical access to your server if you're running ssh on some other port.
cd /etc/init.d
mv iptables iptables.backup
wget http://files.directadmin.com/services/all/block_ips/2.0/iptables
chmod 755 iptables
You'll want to test this out to ensure it works for you:
/etc/init.d/iptables restart
to make sure you can still connect to everything ok. If not, you may need to head to the data center to shut it off (partly why we don't offer support for firewalls).
2) The second step is to install block_ip.sh so you can create a file that lists the IPs to be blocked. A sample block_ip.sh is provided by DirectAdmin (downloaded below).
To install this file, type:
cd /usr/local/directadmin/scripts/custom
wget -O block_ip.sh http://files.directadmin.com/services/all/block_ips/2.0/block_ip.sh
wget -O show_blocked_ips.sh http://files.directadmin.com/services/all/block_ips/2.0/show_blocked_ips.sh
wget -O unblock_ip.sh http://files.directadmin.com/services/all/block_ips/2.0/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP
This particular block_ip.sh script will check to ensure that the IP you're blocking does not already exist in the list.
It will also print the output of "iptables -nL", which should show you everything that is currently blocked in the list. (iptables -nL is also output in the event the IP is already blocked, so you can see your iptables list without changing anything.)
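The checks described above (refuse an IP that is already listed, keep the list file in step with the firewall, then show the table) are easy to get wrong, so here is an added shell example of a block script with those checks plus an exempt-list and address-format check. It is not DirectAdmin's block_ip.sh. It assumes the /root/blocked_ips.txt and /root/exempt_ips.txt files from step 3 and that DA hands the address to block to the script in the ip environment variable, as the FreeBSD snippet at the end of this article does; the BLOCKED_LIST, EXEMPT_LIST and IPTABLES overrides and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not DirectAdmin's block_ip.sh: block a single IPv4 address
# with iptables, refusing addresses that are malformed, exempt or already
# blocked, and keep the blocked-list file in sync with the firewall.
# Paths follow step 3 of the guide; the overrides exist so the script can be
# exercised without root (IPTABLES=true) or against scratch list files.
BLOCKED_LIST="${BLOCKED_LIST:-/root/blocked_ips.txt}"
EXEMPT_LIST="${EXEMPT_LIST:-/root/exempt_ips.txt}"
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
# Keeps a bad or crafted value from ever reaching the iptables command line.
valid_ipv4() {
    addr="$1"
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# list_contains FILE ADDR: succeed if ADDR appears as a whole line in FILE.
list_contains() {
    [ -f "$1" ] && grep -qxF "$2" "$1"
}

# block_ip ADDR: apply the checks, then insert a DROP rule and record it.
# Returns 0 blocked, 1 invalid address, 2 already blocked, 3 exempt,
# 4 iptables failed (nothing recorded in that case).
block_ip() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "Refusing to block '$ip': not a valid IPv4 address"
        return 1
    fi
    if list_contains "$EXEMPT_LIST" "$ip"; then
        echo "Not blocking $ip: listed in $EXEMPT_LIST"
        return 3
    fi
    if list_contains "$BLOCKED_LIST" "$ip"; then
        echo "$ip is already blocked"
        return 2
    fi
    # Insert at the top of INPUT so the DROP wins over any ACCEPT rule below it.
    if "$IPTABLES" -I INPUT -s "$ip" -j DROP; then
        echo "$ip" >> "$BLOCKED_LIST"
        echo "Blocked $ip"
        return 0
    fi
    echo "iptables failed; $ip not recorded in $BLOCKED_LIST"
    return 4
}

# When DA calls the script (Brute Force Monitor -> IP Info -> Block IP) the
# address is in $ip; from a shell it can be passed as the first argument.
# Either way, finish by showing the current table, as the guide's script does.
if [ -n "${ip:-}" ] || [ -n "${1:-}" ]; then
    block_ip "${ip:-$1}"
    "$IPTABLES" -nL
fi
```

The exempt-list check runs before the already-blocked check on purpose: an address you have exempted (your own office, a monitoring host) should never be written to blocked_ips.txt even by an automated caller, and the DROP rule is only recorded after iptables reports success so the file never claims a block the firewall does not hold.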
3) Create the empty block list and exempt list files:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
4) This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/block_ips/2.0/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
Automating Blocking of Brute Force Attempts (CentOS 7)
1) The first part of this guide will outline how to set up the actual firewall for block_ip.sh to use. Note that we're not able to offer any support for this setup, so use it at your own risk. Also, this file is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD (it may work on Debian, but that is unconfirmed).
*** Note that it opens ssh on port 22, so make sure you either change it manually, or have physical access to your server if you're running ssh on some other port.
systemctl mask firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl enable iptables
cd /usr/libexec/iptables
mv iptables.init iptables.init.backup
wget -O iptables.init http://files.directadmin.com/services/all/block_ips/2.1/iptables
chmod 755 iptables.init
You'll want to test this out to ensure it works for you:
systemctl reload iptables
to make sure you can still connect to everything ok. If not, you may need to head to the data center to shut it off (partly why we don't offer support for firewalls).
2) The second step is to install block_ip.sh so you can create a file that lists the IPs to be blocked. A sample block_ip.sh is provided by DirectAdmin (downloaded below).
To install this file, type:
cd /usr/local/directadmin/scripts/custom
wget -O block_ip.sh http://files.directadmin.com/services/all/block_ips/2.1/block_ip.sh
wget -O show_blocked_ips.sh http://files.directadmin.com/services/all/block_ips/2.1/show_blocked_ips.sh
wget -O unblock_ip.sh http://files.directadmin.com/services/all/block_ips/2.1/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP
This particular block_ip.sh script will check to ensure that the IP you're blocking does not already exist in the list.
It will also print the output of "iptables -nL", which should show you everything that is currently blocked in the list. (iptables -nL is also output in the event the IP is already blocked, so you can see your iptables list without changing anything.)
3) Create the empty block list and exempt list files:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
4) This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/block_ips/2.1/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
Automating Blocking of Brute Force Attempts (FreeBSD)
If you're running FreeBSD with ipfw, you'd skip steps 1, 2 and 3, and instead add the following code to the file:
/usr/local/directadmin/scripts/custom/block_ip.sh
and don't forget to chmod block_ip.sh to 755.
#!/bin/sh
# DirectAdmin passes the address to block in the "ip" environment variable;
# refuse to run ipfw with an empty address.
[ -n "$ip" ] || { echo "No IP given<br>"; exit 1; }
echo "Blocking $ip with ipfw ...<br>"
ipfw add deny ip from "$ip" to any
exit $?
This knowledgebase article was taken from multiple articles on the DirectAdmin knowledge base located at http://help.directadmin.com/. All credit goes to DirectAdmin for this article.