*** UPDATED GUIDE (October 24th, 2016) ***
A common method of gaining access to a server is a technique called a brute force attack, or dictionary attack. The attacker uses a script to try to log in to an account with every possible password combination. This tends to require tens of thousands of login attempts, but eventually the right combination is found and they can log in normally.
To prevent this, we can use the brute force login detection system in DirectAdmin, called BFM (Brute Force Monitor).
1. Install CSF/LFD if it's not installed yet.
Run this as root if you are unsure whether or not you have CSF/LFD installed:
# csf -v
You've got it installed if you see output similar to this (go to step #2 in this case):
# csf -v
csf: v8.22 (DirectAdmin)
You've got to install it if you see output similar to this:
# csf -v
bash: csf: command not found
First download and unpack it:
cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf
Now it's the right time to test whether or not your server is ready to run CSF/LFD:
# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
If the output in your console differs much from this, you'd better not install CSF and should look for another way of protecting your server.
Then enable it. Set the following in /etc/csf/csf.conf:
TESTING = "0"
and start the service:
service csf start
Additionally, you are advised to disable Login Failure Blocking in CSF/LFD, as DirectAdmin will take care of it:
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
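An added check, not part of this guide or of CSF, that reads a csf.conf and reports any of the settings from this step that are not at the value the guide asks for; only the default path /etc/csf/csf.conf comes from the guide, the key/value parsing is assumed to match the KEY = "value" layout of csf.conf.

```shell
#!/bin/sh
# Added example: verify that a csf.conf carries TESTING=0 and has Login Failure
# Blocking switched off, as step 1 of the guide requires.

# KEY value pairs the guide requires.
expected_csf_settings() {
    cat <<'EOF'
TESTING 0
LF_TRIGGER 0
LF_SSHD 0
LF_FTPD 0
LF_SMTPAUTH 0
LF_EXIMSYNTAX 0
LF_POP3D 0
LF_IMAPD 0
LF_HTACCESS 0
LF_MODSEC 0
LF_DIRECTADMIN 0
EOF
}

# Value of KEY from a csf.conf-style file (KEY = "value"); the last definition wins,
# comment lines are ignored, and the output is empty if the key is absent.
csf_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# One line per mismatch: "KEY is 'actual', want 'expected'". No output means compliant.
check_csf_conf() {
    conf=${1:-/etc/csf/csf.conf}
    expected_csf_settings | while read -r key want; do
        got=$(csf_conf_get "$conf" "$key")
        [ "$got" = "$want" ] || echo "$key is '${got:-unset}', want '$want'"
    done
}

# Exit status 0 only when every expected setting matches (handy in a cron job or CI).
csf_conf_ok() { [ -z "$(check_csf_conf "$1")" ]; }
```

Run `check_csf_conf` with no argument on the server itself, or pass the path of a copy of csf.conf to audit it offline.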
2. To make DirectAdmin's BFM compatible with CSF, do the following. First back up any existing scripts in the custom scripts directory:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak
It's OK if you have no block_ip.sh and unblock_ip.sh; the previous step will then fail with a warning:
cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory
Now fetch the files:
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
Create the empty block list and exempt list files:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
This last step is optional and should only be used after you've tested the above setup for a while and are comfortable that you're not going to block yourself. block_ip.sh is only run when the Admin actively clicks to block an IP; it does not automate blocking. To automate blocking, install the following script:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
3. Update Settings in Directadmin
To make sure that BFM is enabled, log in as admin to the hosting panel, go to "Administrator Settings" and bring the values to the following state (or similar):
IMPORTANT! "Parse service logs for brute force attacks" should be set to "Yes"! The other settings may be changed to meet your needs.
Save the changes and give them a minute or so to take effect. DirectAdmin will now automatically block attackers' IPs with CSF.
4. Disable iptables (optional):
It has been reported that the raw iptables init script can in some cases overwrite the rules loaded by CSF/LFD. To avoid this, we recommend disabling iptables and ip6tables from being loaded at boot time:
CentOS 5, 6:
chkconfig iptables off
chkconfig ip6tables off
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables
Systems running firewalld instead of the iptables service (disable it the same way, optional):
systemctl disable firewalld
systemctl stop firewalld
5. Suppress BFM messages (optional):
If you trust your software and security settings, you will probably want to hide the numerous e-mails about detected brute force attacks. Here is how you can achieve that:
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
6. The block_ip.sh script specifics (for better understanding):
An IP of an attacker will be blocked with iptables via CSF if the following requirements are met:
An IP can be blocked from accessing either any port on the server or only the ports of the attacked service. The switch USE_PORT_SELECTED_BLOCK can be found in /usr/local/directadmin/scripts/custom/block_ip.sh; its default value is 1.
USE_PORT_SELECTED_BLOCK=1; # SET TO 1 OR 0
# 1: TO BAN ACCESS ONLY TO A PORT WHICH
#    WAS BRUTEFORCED
# 0: TO BLOCK ACCESS TO ALL PORTS
#
# NOTICE: MANUAL TRIGGER FROM DIRECTADMIN
# WILL STILL BLOCK ACCESS TO ALL PORTS
# FOR AN IP
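As an added example (not one of the files.plugins-da.net scripts, whose interface this guide does not show), a POSIX sh dry-run model of the USE_PORT_SELECTED_BLOCK logic above, including the exempt-list check from step 2 and the rule that a manual trigger always blocks every port. The service-to-port map and the convention of passing the IP and service name as arguments are assumptions; only the exempt-list path and the switch name come from the guide.

```shell
#!/bin/sh
# Added example, not one of the files.plugins-da.net scripts: a dry-run model of the
# USE_PORT_SELECTED_BLOCK switch. The guide does not show how DirectAdmin hands the IP
# and service name to block_ip.sh, so this takes them as arguments (an assumption).
USE_PORT_SELECTED_BLOCK=1
EXEMPT_FILE=${EXEMPT_FILE:-/root/exempt_ips.txt}   # exempt list created in step 2

# Service name -> TCP ports it listens on (assumed defaults; adjust to your server).
ports_for_service() {
    case "$1" in
        sshd) echo "22" ;;
        ftpd|proftpd|pure-ftpd) echo "21" ;;
        exim|smtp) echo "25 465 587" ;;
        dovecot|pop3|imap) echo "110 143 993 995" ;;
        directadmin) echo "2222" ;;
        *) echo "" ;;   # unknown service: caller falls back to a full block
    esac
}

# Only a plain dotted-quad IPv4 may reach a firewall command; anything else is refused.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Exact-line match against the exempt list (a missing file means nobody is exempt).
is_exempt() {
    [ -f "$EXEMPT_FILE" ] && grep -qxF "$1" "$EXEMPT_FILE"
}

# Prints the csf.deny entries that would be added, one per line, or "exempt".
# $3 = 1 marks a manual trigger from the DirectAdmin UI, which always blocks all ports.
deny_entries() {
    ip=$1; service=$2; manual=${3:-0}
    is_ipv4 "$ip" || { echo "refusing to block malformed ip: $ip" >&2; return 1; }
    if is_exempt "$ip"; then echo "exempt"; return 0; fi
    ports=$(ports_for_service "$service")
    if [ "$USE_PORT_SELECTED_BLOCK" = "1" ] && [ "$manual" != "1" ] && [ -n "$ports" ]; then
        for p in $ports; do
            echo "tcp|in|d=$p|s=$ip"   # CSF advanced filter: inbound TCP to port p from ip
        done
    else
        echo "$ip"                     # plain csf.deny entry: every port
    fi
}

# To enforce, append the printed entries to /etc/csf/csf.deny and run "csf -r";
# this example only prints them. Usage: deny_entries <ip> <service> [manual]
if [ "$#" -gt 0 ]; then deny_entries "$@"; fi
```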