Protect DirectAdmin from Brute Force Attacks

A common method of gaining access to a server is a technique called a brute force attack, or dictionary attack. The attacker uses a script that tries to log in to an account with every possible password combination. This tends to require tens of thousands of login attempts, but eventually the right combination will be found, and they can log in normally. This guide was written for CentOS primarily and FreeBSD secondarily. It may work on other operating systems but may require some tweaking.

Mean Servers makes no guarantee or warranty regarding this article and comes as-is with no support what so ever unless implemented by Mean Servers personnel. A competent Linux system administrator should implement this tutorial as severe and irreversible server damage may result from improper use. Mean Servers can secure your server for a one time fee of $39. Contact the sales department for more information.

To prevent this, we can use a brute force login detection system. DirectAdmin has two such systems for these attacks.

1) The original feature was created in DA 1.25.5, and will detect and block login attempts on DA itself (port 2222):
http://www.directadmin.com/features.php?id=573

This feature only applies to port 2222: it blocks IPs on this port only and does not block them on any other port.

To enable this feature, go to:

Admin Level -> Admin Settings -> Blacklist IPs for excessive login attempts
Use a value around 10-20. Note that merely loading the login page counts as one failed login, since it is an unauthorized access. Keep that in mind when choosing a number.

2) The newer system works in tandem with the previous one, and will scan the logs of the other services (apache, dovecot, exim, proftpd, sshd).
When an attack is detected, DA will notify the Admins on the box that an attack is in progress.
DA will not block the IPs itself, since that would require a firewall, and DA doesn't manage firewalls (see block_ip.sh below).

To enable the detection reporting, go to:

Admin Level -> Admin Settings -> Parse service logs for brute force attacks
The brute force monitor (BFM) page can be viewed at:

Admin Level -> Brute Force Monitor
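To make the second mechanism concrete, here is an added example of the kind of log scan it performs. This is not DirectAdmin's code and not how the Brute Force Monitor is implemented; it counts failed sshd logins per source address over a few constructed /var/log/secure style lines and reports the addresses that reach a threshold. The threshold of 5, the exempt-file argument (mirroring /root/exempt_ips.txt from later in the guide) and the log lines themselves are assumptions. Like DA at this stage, it only reports and does not block.

```shell
#!/bin/sh
# Added example, not DirectAdmin's brute force monitor: count failed sshd
# logins per source IP and report those at or above THRESHOLD.
# THRESHOLD is an assumption; DA's real thresholds live in Admin Settings.
THRESHOLD="${THRESHOLD:-5}"

# Constructed sample lines in /var/log/secure format (not real traffic).
SAMPLE_LOG='Jan 10 03:12:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 03:12:05 host sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 10 03:12:07 host sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 03:12:09 host sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 03:12:11 host sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan 10 03:13:00 host sshd[2230]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jan 10 03:13:30 host sshd[2231]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
Jan 10 03:14:00 host sshd[2240]: Accepted publickey for alice from 192.0.2.5 port 33000 ssh2'

# count_failed: read log lines on stdin, print "count ip" per source IP,
# highest count first. Only "Failed password" lines are counted, so the
# successful logins above never contribute.
count_failed() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders: print only the IPs whose failed count reaches THRESHOLD,
# skipping any exact match in the optional exempt file (one IP per line).
offenders() {
    exempt_file="${1:-/dev/null}"
    count_failed | while read -r count src; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        grep -qxF "$src" "$exempt_file" 2>/dev/null && continue
        echo "$src"
    done
}

# report: the notification DA would mail to the admins, here just printed.
report() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "${1:-/dev/null}" | while read -r src; do
        echo "brute force suspected from $src (>= $THRESHOLD failed sshd logins)"
    done
}

report
```

Run it as-is and only 203.0.113.7 is reported: 198.51.100.9 had one failure followed by a successful login, which is what a legitimate user who mistyped a password looks like, and that is exactly the case a too-low threshold would punish.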
Automating Blocking of Brute Force Attempts (CentOS 5 & 6)

1) The first part of this guide will outline how to set up the actual firewall for block_ip.sh to use. Note that we're not able to offer any support for this setup, so use it at your own risk. Also, this iptables script is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD (it may work on Debian, not sure).

    cd /etc/init.d
    mv iptables iptables.backup
    wget http://files.directadmin.com/services/al...0/iptables
    chmod 755 iptables

*** Note that it opens ssh on port 22, so make sure you either change it manually, or have physical access to your server if you're running ssh on some other port.

You'll want to test this out to ensure it works for you:

    /etc/init.d/iptables restart

to make sure you can still connect to everything OK. If not, you may need to head to the data center to shut it off (partly why we don't offer support for firewalls).

2) The second step is to install block_ip.sh, so that a file listing the IPs to be blocked can be maintained. A sample block_ip.sh can be found here.
To install this file, type:

    cd /usr/local/directadmin/scripts/custom
    wget -O block_ip.sh http://files.directadmin.com/services/al...lock_ip.sh
    wget -O show_blocked_ips.sh http://files.directadmin.com/services/al...ked_ips.sh
    wget -O unblock_ip.sh http://files.directadmin.com/services/al...lock_ip.sh
    chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP

This particular block_ip.sh script checks that the IP you're blocking is not already in the list.
It also prints the output of "iptables -nL", which shows everything currently blocked in the list. (iptables -nL is also printed when the IP is already blocked, so you can view your iptables list without changing anything.)
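The sample block_ip.sh linked above is DirectAdmin's own; what follows is an added example written to the behaviour the text describes, not that script. It takes the address from the ip environment variable DirectAdmin passes to custom scripts, refuses anything that is not a plain dotted-quad IPv4 address, skips addresses listed in /root/exempt_ips.txt or already in /root/blocked_ips.txt, otherwise inserts a DROP rule at the top of INPUT and records the address, and prints iptables -nL either way. The BLOCKED_IPS, EXEMPT_IPS and IPTABLES overrides are assumptions added so the logic can be exercised against a stub before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not the block_ip.sh from files.directadmin.com.
# DirectAdmin exports the address to block as the "ip" environment variable.
# The three overrides below are assumptions so the functions can be tested
# without root; the defaults match the paths used in this guide.
BLOCKED_IPS="${BLOCKED_IPS:-/root/blocked_ips.txt}"
EXEMPT_IPS="${EXEMPT_IPS:-/root/exempt_ips.txt}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# valid_ipv4: accept only a dotted quad with every octet in 0..255, so a
# malformed or hostile value from the environment never reaches iptables.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# listed: true if the exact address is already a line in the given file.
listed() { [ -f "$2" ] && grep -qxF "$1" "$2"; }

# block_ip: 0 on a new block, 2 if invalid/exempt/already blocked,
# 1 if iptables itself failed. Output uses <br> because DA shows it as HTML.
block_ip() {
    target="$1"
    if ! valid_ipv4 "$target"; then
        echo "Refusing to block '$target': not a valid IPv4 address<br>"
        return 2
    fi
    if listed "$target" "$EXEMPT_IPS"; then
        echo "$target is in $EXEMPT_IPS, not blocking<br>"
        return 2
    fi
    if listed "$target" "$BLOCKED_IPS"; then
        echo "$target is already blocked<br>"
        "$IPTABLES" -nL
        return 2
    fi
    # Insert at the top of INPUT so the DROP wins over the accept rules
    # that the DA iptables init script installs further down the chain.
    "$IPTABLES" -I INPUT -s "$target" -j DROP || return 1
    echo "$target" >> "$BLOCKED_IPS"
    echo "Blocked $target<br>"
    "$IPTABLES" -nL
    return 0
}

# When DirectAdmin runs this script, "ip" is set in the environment.
if [ -n "${ip:-}" ]; then
    block_ip "$ip"
    exit $?
fi
```

Note that the recorded list is only as good as the firewall: the rule inserted here lives in the running ruleset and is gone after a restart of the iptables service unless the init script re-reads /root/blocked_ips.txt, which is what the DirectAdmin iptables script in step 1 is for.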

3) Create the empty block list and exempt list files:

    touch /root/blocked_ips.txt
    touch /root/exempt_ips.txt

4) This last step is optional and should only be used after you've tested the above setup for a while, to get comfortable that you're not going to block yourself. block_ip.sh is only run on an explicit "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

    cd /usr/local/directadmin/scripts/custom
    wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/al...tice_ip.sh
    chmod 700 brute_force_notice_ip.sh

Automating Blocking of Brute Force Attempts (CentOS 7)

1) The first part of this guide will outline how to set up the actual firewall for block_ip.sh to use. Note that we're not able to offer any support for this setup, so use it at your own risk. Also, this iptables script is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD (it may work on Debian, not sure).

    systemctl mask firewalld
    systemctl stop firewalld
    yum -y install iptables-services
    systemctl enable iptables

    cd /usr/libexec/iptables
    mv iptables.init iptables.init.backup
    wget -O iptables.init http://files.directadmin.com/services/al...1/iptables
    chmod 755 iptables.init

*** Note that it opens ssh on port 22, so make sure you either change it manually, or have physical access to your server if you're running ssh on some other port.

You'll want to test this out to ensure it works for you:

    systemctl reload iptables

to make sure you can still connect to everything OK. If not, you may need to head to the data center to shut it off (partly why we don't offer support for firewalls).

2) The second step is to install block_ip.sh, so that a file listing the IPs to be blocked can be maintained. A sample block_ip.sh can be found here.
To install this file, type:

    cd /usr/local/directadmin/scripts/custom
    wget -O block_ip.sh http://files.directadmin.com/services/al...lock_ip.sh
    wget -O show_blocked_ips.sh http://files.directadmin.com/services/al...ked_ips.sh
    wget -O unblock_ip.sh http://files.directadmin.com/services/al...lock_ip.sh
    chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP

This particular block_ip.sh script checks that the IP you're blocking is not already in the list.
It also prints the output of "iptables -nL", which shows everything currently blocked in the list. (iptables -nL is also printed when the IP is already blocked, so you can view your iptables list without changing anything.)

3) Create the empty block list and exempt list files:

    touch /root/blocked_ips.txt
    touch /root/exempt_ips.txt

4) This last step is optional and should only be used after you've tested the above setup for a while, to get comfortable that you're not going to block yourself. block_ip.sh is only run on an explicit "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

    cd /usr/local/directadmin/scripts/custom
    wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/al...tice_ip.sh
    chmod 700 brute_force_notice_ip.sh


Automating Blocking of Brute Force Attempts (FreeBSD)

If you're running FreeBSD with ipfw, skip steps 1, 2 and 3 and instead put the following code in the file:

/usr/local/directadmin/scripts/custom/block_ip.sh

    #!/bin/sh
    # DirectAdmin passes the address to block in the "ip" environment variable
    [ -n "$ip" ] || { echo "No IP given<br>"; exit 1; }
    echo "Blocking $ip with ipfw ...<br>"
    ipfw add deny ip from "$ip" to any
    exit $?

and don't forget to chmod block_ip.sh to 755.

This knowledgebase article was taken from multiple articles on the DirectAdmin knowledge base located at http://help.directadmin.com/. All credit goes to DirectAdmin for this article.