Total Pageviews

Thursday 21 January 2016

Automaticly block Brute-Force Attacks reported by Directadmin


To automatically block Brute-Force Attacks reported by Directadmin we will be usingsome scripts by Directadmin.

PLEASE NOTE: Be careful with this tutorial and use it at your own risk. The first commands will block your ssh access to server if you are not using the default ssh port 22. To allow your modified port number for ssh modify the iptables files accordingly.  Also, this file is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD
First we are going to backup current iptables rules file & download a custom iptables rules file from DirectAdmin.
cd /etc/init.d
mv iptables iptables.backup
wget http://files.directadmin.com/services/all/iptables
chmod 755 iptables
You'll want to test this out to ensure it works for you:
service iptables restart
to make sure you can still connect to everything ok.  If not, you may need to head to the datacenter to shut it off.
Now let's install the block_ip.sh so you can create a file that lists the IPs to be blocked. 
cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/block_ip.sh
wget http://files.directadmin.com/services/all/show_blocked_ips.sh
wget http://files.directadmin.com/services/all/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
Remember to create the empty block list and exempt list files:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP

This particular block_ip.sh script will check to ensure that the IP you're blocking does not already exist in the list.
It will also generate the output from "iptables -nL" which should show you everything that is current blocked in the list. (iptables -nL is also output in the event the IP is already blocked, so you can see your iptables list without doing anything)
This last step should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin, it does not automate blocking.  To automate blocking, install the following script
cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
That's it.