Automatically block Brute-Force Attacks reported by DirectAdmin / CentOS 1393/05/19

To automatically block brute-force attacks reported by DirectAdmin, we will use a few scripts published by DirectAdmin.

PLEASE NOTE: Be careful with this tutorial and use it at your own risk. The first commands will block your SSH access to the server if you are not using the default SSH port 22; to allow your modified SSH port, edit the iptables rules file accordingly. Also, this tutorial is written for a CentOS/Fedora type system and has not been tested on Debian or FreeBSD.

First we are going to back up the current iptables rules file and download a custom iptables rules file from DirectAdmin.

cd /etc/init.d
mv iptables iptables.backup
wget http://files.directadmin.com/services/all/iptables
chmod 755 iptables

You'll want to test this out to ensure it works for you:

service iptables restart

and make sure you can still connect to everything OK afterwards. If not, you may need to head to the datacenter to shut it off.

Now let's install block_ip.sh so you can create a file that lists the IPs to be blocked.

cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/block_ip.sh
wget http://files.directadmin.com/services/all/show_blocked_ips.sh
wget http://files.directadmin.com/services/all/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Remember to create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP

This particular block_ip.sh script checks that the IP you're blocking is not already in the list.
It also prints the output of "iptables -nL", which shows everything that is currently blocked in the list. (iptables -nL is also printed when the IP is already blocked, so you can view your iptables list without changing anything.)
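
As an added example (not DirectAdmin's own block_ip.sh), here is a guarded block step that honours the two list files created above, refuses to block the address of the SSH session issuing the command, and validates the address before it is passed to iptables, so a string scraped from a log cannot be read as an iptables option. The list paths, the iptables command and the SSH_CLIENT check are assumptions for this example; running it with IPTABLES="echo iptables" gives a dry run that needs no root.

```shell
#!/bin/sh
# Added example, not DirectAdmin's block_ip.sh: a guarded block step that
# honours the two list files the tutorial creates and validates the address
# before it is handed to iptables. Paths and the iptables command are
# overridable so the logic can be exercised without root (dry run).
BLOCKED_LIST=${BLOCKED_LIST:-/root/blocked_ips.txt}
EXEMPT_LIST=${EXEMPT_LIST:-/root/exempt_ips.txt}
IPTABLES=${IPTABLES:-iptables}   # set IPTABLES="echo iptables" for a dry run

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so nothing that could be read as an iptables option reaches the command.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Whole-line, fixed-string match so 10.0.0.1 does not match 10.0.0.10.
in_list() { grep -qxF "$1" "$2" 2>/dev/null; }

# Return codes: 0 blocked, 1 invalid address, 2 exempt (or the address of
# the current SSH session, assumed to be in SSH_CLIENT), 3 already blocked,
# 4 iptables failed. The list is only appended after the rule is in place.
block_ip() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    if [ -n "$SSH_CLIENT" ] && [ "${SSH_CLIENT%% *}" = "$ip" ]; then
        return 2          # never cut off the session issuing the command
    fi
    in_list "$ip" "$EXEMPT_LIST" && return 2
    in_list "$ip" "$BLOCKED_LIST" && return 3
    $IPTABLES -I INPUT -s "$ip" -j DROP || return 4
    printf '%s\n' "$ip" >> "$BLOCKED_LIST"
}

# Command-line use: block_guard.sh <ip>
if [ $# -gt 0 ]; then
    block_ip "$1"
    exit $?
fi
```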

This last step should only be used after you've tested the above setup for a while and are comfortable that you're not going to block yourself. block_ip.sh is only run on an active "click" by the admin; it does not automate blocking. To automate blocking, install the following script:

cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

That's it. If you are using any other services, like squid or OpenVPN, be sure to modify the iptables rules file and restart the iptables service for the changes to take effect.

Comments

Vahid — 2014-09-17
Perfect, I was looking for this tutorial so long ago :)
Thanks Arash.
Fahad — 2015-02-23
Password crackers are using automated scripts to target websites and hack their passwords, and brute-force attacks have become a common thing, but many don't know the concept behind them and how these attacks are so successful at cracking the passwords of websites.

The easiest method to block such attacks is by blacklisting the IPs that carry out such abuses; many hosting providers have added brute-force attack protection to their added security features.

For more information about these attacks read: http://www.cloudways.com/blog/what-is-brute-force-attack/
Hesam Jaferi — 2016-06-03
Thanks Mr. Milani


I'm Arash Milani, hacker & happiness ninja.