
How to block IPs with Brute Force Monitor in DirectAdmin using CSF

01:27:06 17.10.2012

*** AUTOMATED INSTALLATION (June 12th, 2018) ***

If you want this done quickly, you can use the installation script:

cd ~
wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh

If you want more control and prefer to do things manually, follow the guide below (the guide might miss certain updates, but the script will be updated whenever needed).

*** UPDATED GUIDE (October 24th, 2016) ***

A common method of gaining access to a server is a technique called a brute force attack, or dictionary attack. The attacker uses a script to try to log in to an account with every possible password combination. This tends to require tens of thousands of login attempts, but eventually the right combination will be found, and the attacker can log in normally.

To prevent this, we can use the brute force login detection system in DirectAdmin, called BFM (Brute Force Monitor).

1. Install CSF/LFD if it's not installed yet.

Run this as root if you are unsure whether you have CSF/LFD installed:

csf -v

You've got it installed if you see output similar to this (go to step #2 in this case):

# csf -v
csf: v8.22 (DirectAdmin)

You've got to install it if you see output similar to this:

# csf -v
bash: csf: command not found

First download and unpack it:

cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf

Now it's the right time to test whether or not your server is ready to run CSF/LFD:

# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

If the output in your console differs significantly, you should not install CSF and should look for another way to protect your server.

Install it:

./install.directadmin.sh

And enable it. Update /etc/csf/csf.conf:

TESTING = "0"

Start it:

service csf start

Additionally, you are advised to disable Login Failure Blocking in CSF/LFD, as DirectAdmin will take care of it:

LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
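
A quick way to confirm that these edits took effect, as an added example that is not part of CSF, DirectAdmin or the install script: it reads a csf.conf and reports every setting this guide changes that is not "0". The function names and the sample file are constructed for the example; on a real server, point csf_audit at /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not part of CSF or DirectAdmin: audit a csf.conf against
# the values this guide sets. Function names are hypothetical.

# conf_value FILE KEY: print the value of the last KEY = "value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tail -n 1
}

# csf_audit FILE: list settings that are not "0"; return 1 if any are found.
csf_audit() {
    rc=0
    for key in TESTING LF_TRIGGER LF_SSHD LF_FTPD LF_SMTPAUTH LF_EXIMSYNTAX \
               LF_POP3D LF_IMAPD LF_HTACCESS LF_MODSEC LF_DIRECTADMIN; do
        val=$(conf_value "$1" "$key")
        if [ "$val" != "0" ]; then
            echo "$key = \"${val:-<unset>}\" (guide sets \"0\")"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_conf FILE: constructed sample, not a real csf.conf. TESTING is
# still on, LF_SSHD is still active and LF_MODSEC is missing. The *_PERM
# line must not be mistaken for LF_SSHD.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
TESTING = "1"
LF_TRIGGER = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_DIRECTADMIN = "0"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
csf_audit "$sample" || echo "csf.conf does not match the guide yet"
rm -f "$sample"
```
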

2. To make Directadmin's BFM compatible with CSF you should do the following:

cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak

It's OK if block_ip.sh and unblock_ip.sh do not exist yet; in that case the previous step fails with a warning:

cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory

Now fetch the files:

cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This last step is optional and should only be done after you've tested the above setup for a while and are comfortable that you're not going to block yourself. block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

3. Update Settings in Directadmin

To make sure that BFM is enabled, log in to the hosting panel as admin, go to "Administrator settings" and set the values as follows (or similar):

[Screenshot: Administrator Security Settings]

IMPORTANT! "Parse service logs for brute force attacks" should be set to "Yes"! The other settings can be changed to meet your needs.

Save the changes and allow a minute or so for them to take effect. DirectAdmin will now automatically block attackers' IPs with CSF.

4. Disable iptables (optional):

It has been reported that raw iptables might in some cases overwrite existing rules loaded by CSF/LFD. To avoid this, we recommend preventing iptables and ip6tables from being loaded at boot time:

CentOS 5, 6:

chkconfig iptables off
chkconfig ip6tables off
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables

4. Disable firewalld (optional):

CentOS 7:

systemctl disable firewalld
systemctl stop firewalld

5. Suppress BFM messages (optional):

If you trust your software and security settings, you will probably want to hide the numerous emails about detected brute force attacks. Here is how to do it:

echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf

Restart directadmin.


6. The block_ip.sh script specs (for better understanding):

An IP of an attacker will be blocked with iptables via CSF if the following requirements are met:

  1. BFM support is enabled in DirectAdmin and properly configured.
  2. CSF/LFD is installed together with the aforementioned scripts, which allow DirectAdmin to communicate with CSF.
  3. The IP has exceeded the maximum allowed number of login failures on any account.
  4. The IP is not in the brute force skip list (/usr/local/directadmin/data/admin/brute_skip.list).
  5. The IP is not permanently white-listed in CSF (/etc/csf/csf.allow). Any mention of an IP in csf.allow will protect the IP from blocking.
  6. The IP is not in the temporary allow list of CSF (/var/lib/csf/csf.tempallow).
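
Conditions 4 to 6 can be checked before you rely on automated blocking, for example to confirm that your own address is exempt. The script below is an added example, not the guide's block_ip.sh: it looks an IP up in the three files named above, with hypothetical override variables and constructed sample data, and the csf.tempallow field layout in the sample is an assumption.

```shell
#!/bin/sh
# Added example, not the guide's block_ip.sh: report which list, if any,
# exempts an IP from blocking. Default paths are the ones the guide names;
# SKIP_FILE, ALLOW_FILE and TEMPALLOW_FILE are hypothetical test overrides.

# mentions FILE IP: succeed if IP occurs in FILE as a whole token.
# -F keeps the dots literal; -w stops 192.0.2.1 from matching 192.0.2.10.
mentions() {
    [ -r "$1" ] && grep -Fwq -- "$2" "$1"
}

# bfm_exemption IP: print the first list that mentions IP, or "none".
bfm_exemption() {
    skip=${SKIP_FILE:-/usr/local/directadmin/data/admin/brute_skip.list}
    allow=${ALLOW_FILE:-/etc/csf/csf.allow}
    tempallow=${TEMPALLOW_FILE:-/var/lib/csf/csf.tempallow}
    if   mentions "$skip" "$1";      then echo "brute_skip.list"
    elif mentions "$allow" "$1";     then echo "csf.allow"
    elif mentions "$tempallow" "$1"; then echo "csf.tempallow"
    else echo "none"
    fi
}

# make_sample_lists DIR: write constructed lists (documentation addresses)
# into DIR and point the overrides at them.
make_sample_lists() {
    SKIP_FILE=$1/brute_skip.list
    ALLOW_FILE=$1/csf.allow
    TEMPALLOW_FILE=$1/csf.tempallow
    printf '%s\n' '192.0.2.10' > "$SKIP_FILE"
    printf '%s\n' '198.51.100.5 # monitoring host' \
        'tcp|in|d=22|s=198.51.100.77' > "$ALLOW_FILE"
    # Assumed csf.tempallow layout: time|ip|port|direction|ttl|comment
    printf '%s\n' '1700000000|203.0.113.7|22|in|3600|manual' > "$TEMPALLOW_FILE"
}

demo_dir=$(mktemp -d)
make_sample_lists "$demo_dir"
for ip in 192.0.2.10 192.0.2.1 198.51.100.77 203.0.113.7; do
    printf '%-15s exempt via: %s\n' "$ip" "$(bfm_exemption "$ip")"
done
rm -rf "$demo_dir"
```

An answer of "none" means only that conditions 4 to 6 do not protect the address; whether it is actually blocked still depends on conditions 1 to 3.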

An IP can be blocked from accessing either every port on the server or only the ports of the attacked service. The USE_PORT_SELECTED_BLOCK switch can be found in /usr/local/directadmin/scripts/custom/block_ip.sh. The default value is 1.

USE_PORT_SELECTED_BLOCK=1;  # SET TO 1 OR 0
                            # 1: TO BAN ACCESS ONLY TO A PORT WHICH
                            #    WAS BRUTEFORCED
                            # 0: TO BLOCK ACCESS TO ALL PORTS
                            #
                            # NOTICE: MANUAL TRIGGER FROM DIRECTADMIN
                            # WILL STILL BLOCK ACCESS TO ALL PORTS
                            # FOR AN IP
