The Community Forums


How do we lock someone out for a period of time after x number of failed logins?

Discussion in 'General Discussion' started by Roy@ENHOST, Jan 22, 2005.

  1. Roy@ENHOST

    Roy@ENHOST Well-Known Member

    Joined:
    Mar 5, 2002
    Messages:
    495
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Los Angeles California
    How do we lock someone out for a period of time after x number of failed logins?

    I got this from my logwatch every day and I am sick of it.
    I know that I can do it using mod_dosevasive, but is there a simpler way to do it?

     
  2. draken78

    draken78 Member

    Joined:
    Jul 8, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Brute Force Detection is the one I use (RH9 + cPanel). You have to have APF installed for it, but after three failed attempts, it will automatically add the IP to the denied list.

    APF Firewall

    These are the same people who make BFD, so the link is on the left.

    I hope it helps!
    Jim
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, I'd go with BFD too. You can modify the action to inject the IP address directly into iptables or put it in /etc/hosts.deny if you don't use APF.
     
  4. Roy@ENHOST

    Roy@ENHOST Well-Known Member

    Joined:
    Mar 5, 2002
    Messages:
    495
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Los Angeles California
    As far as my memory serves me, I think BFD also boasts the auto un-suspend feature.
    Am I right?
    It's been months ever since I installed BFD on servers, a.k.a. getting myself locked out accidentally. :D . Still a tad paranoid about it now. :D
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Not that I'm aware of. Once they're blocked, they stay that way until you remove them manually.
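    The lockout-for-a-period that the first post asks about is exactly the part the two replies above say BFD lacks: once an address is in the DROP rule it stays there until someone removes it by hand. The following is an added example, not BFD's or APF's own code, of how a timed unblock can be layered on top of any blocker that writes iptables rules. A small state file (a constructed path from mktemp here) records each blocked address with the epoch second it was blocked; expire_blocks prints the iptables delete for every entry older than the lockout period and drops it from the file, so a cron job can lift blocks after, say, an hour. Timestamps are passed in explicitly so the run is reproducible, and the iptables commands are printed rather than executed so they can be reviewed first.

```shell
# Added example of time-limited blocking (not part of BFD or APF).
# State file format: one "ip epoch_seconds" pair per line.

# record_block STATEFILE IP NOW -> append "ip now"; no-op if IP already listed
record_block() {
  state="$1"; ip="$2"; now="$3"
  touch "$state"
  # exact match on the first field, so 192.0.2.9 does not match 192.0.2.90
  awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$state" && return 0
  printf '%s %s\n' "$ip" "$now" >> "$state"
}

# expire_blocks STATEFILE NOW TTL_SECONDS -> prints the unblock command for
# each entry blocked at least TTL_SECONDS ago and removes it from STATEFILE
expire_blocks() {
  state="$1"; now="$2"; ttl="$3"
  keep="$(mktemp)"
  while read -r ip when; do
    [ -n "$ip" ] || continue
    if [ $((now - when)) -ge "$ttl" ]; then
      # mirror of the DROP rule that created the block, with -A swapped for -D
      printf '/sbin/iptables -D INPUT -s %s -j DROP\n' "$ip"
    else
      printf '%s %s\n' "$ip" "$when" >> "$keep"
    fi
  done < "$state"
  mv "$keep" "$state"
}

# active_blocks STATEFILE -> addresses still blocked
active_blocks() { cut -d' ' -f1 "$1"; }

# Worked run with constructed addresses and a one-hour (3600 s) lockout.
STATE="$(mktemp)"
record_block "$STATE" 203.0.113.5 1000
record_block "$STATE" 192.0.2.9 3000
expire_blocks "$STATE" 4700 3600    # only 203.0.113.5 is old enough to expire
active_blocks "$STATE"              # 192.0.2.9 remains blocked
rm -f "$STATE"
```

In practice record_block would be called from the same place BFD's BCMD runs, and expire_blocks from cron every few minutes with `$(date +%s)` as NOW; the state file is the only thing that needs to be writable by root alone.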
     
  6. Aric1

    Aric1 Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    No auto unsuspend feature. However, if you have a static IP you connect from just

    apf -a

    it or add it manually to the allow list. APF and BFD won't ban any IPs listed there.
     
  7. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Any IPs added to the ignore.hosts file won't be blocked.

    You can change it to use iptables, rather than APF or hosts.deny (if that's set up), by changing in

    conf.bfd

    Code:
    #BCMD="/etc/apf/apf -d $ATT_HOST"
    BCMD="/sbin/iptables -A INPUT -s $ATT_HOST -j DROP"
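    To make the pieces the last two replies describe concrete (the allow list that is never blocked, and the BCMD rule that fires for everything else), here is an added example that is not BFD's or APF's own code. It counts "Failed password" lines per source address in an OpenSSH auth log, skips any address on an allow list (the role ignore.hosts plays for BFD), and prints the iptables rule from the BCMD line above for each address at or over the threshold. The log lines and the allow-listed address are constructed; nothing here modifies iptables, the rule is printed so it can be checked before being applied.

```shell
# Added example, not BFD's or APF's own code: threshold check with an allow list.

# Constructed sample auth-log lines (not from a real server).
SAMPLE_LOG='Jan 27 01:02:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2
Jan 27 01:02:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 4445 ssh2
Jan 27 01:02:07 host sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4446 ssh2
Jan 27 01:02:09 host sshd[1237]: Failed password for root from 203.0.113.5 port 4447 ssh2
Jan 27 01:03:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan 27 01:03:01 host sshd[1241]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 27 01:03:02 host sshd[1242]: Failed password for root from 198.51.100.7 port 5002 ssh2
Jan 27 01:04:00 host sshd[1250]: Failed password for root from 192.0.2.9 port 6000 ssh2
Jan 27 01:04:10 host sshd[1251]: Accepted password for root from 192.0.2.9 port 6001 ssh2'

# Constructed allow list, one address per line: the admin's own static IP,
# which must never be blocked (what ignore.hosts holds for BFD).
ALLOW_LIST='198.51.100.7'

# count_failures LOGTEXT -> lines of "ip count", one per source address
count_failures() {
  printf '%s\n' "$1" \
    | awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
           }' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# offenders LOGTEXT THRESHOLD ALLOWLIST -> addresses with >= THRESHOLD failures
# that do not appear on the allow list
offenders() {
  count_failures "$1" | while read -r ip n; do
    [ "$n" -ge "$2" ] || continue
    printf '%s\n' "$3" | grep -qxF -- "$ip" && continue
    printf '%s\n' "$ip"
  done
}

# block_cmd IP -> the rule the BCMD line above would run for that address
block_cmd() {
  printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$1"
}

# Dry run: list what would be blocked with a threshold of three failures.
for ip in $(offenders "$SAMPLE_LOG" 3 "$ALLOW_LIST"); do
  block_cmd "$ip"
done
```

With the sample above only 203.0.113.5 is reported: 198.51.100.7 has enough failures but is allow-listed, and 192.0.2.9 is under the threshold. That allow-list check is the difference between the dianaward situation further down the thread and a quiet night.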
     
  8. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    Twitter:
    I have APF and BFD installed. Even so I was getting many hack attempts everyday. BFD was too late to deny some IPs.

    So I decided to change my SSH port to something other than 22. I removed Port 22 from APF and added the new one. I also changed the listening address to another IP assigned to my server. Since then, I get almost no hack attempts in LogWatch reports.
     
  9. dianaward

    dianaward Well-Known Member

    Joined:
    Dec 9, 2002
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Twitter:
    I've had APF on all servers for a bit; 2 nights ago I installed BFD on 4 servers. Set up each one the same, with the same ignored IPs. Last night I was working on one of them quite a bit, had to log out and back in, and was blocked. Since I didn't know whether something was damaged by what I had been working on or if it was BFD, it took me and the techs until this morning to get me back into it. It also shut down ftp and file managers to any client who logged in more than twice. Things were back up and I was going to uninstall BFD when I was locked out again. Got warnings and block notices from BFD both times.

    So, the server has been inaccessible to me all day, and now even the techs can't get it, passed it to the datacenter. Since it is a hosting server this is bad! And, strangely enough, the other server at the same datacenter has locked me out also, and I hadn't even logged into it but once.

    The other 2 servers I put it on are in a different datacenter, whatever difference that may make, and they were running fine but I took BFD off anyway. Any ideas as to what may have happened? (Besides the fact that I didn't pay a tech to do it for me. I do know how to install scripts myself, or at least I did until this.)
     
    #9 dianaward, Jan 27, 2005
    Last edited: Jan 28, 2005
  10. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    It's a good idea to put your IP address (or /24 if you have a dynamic one) in the exception list so you can't ever be blocked.

    Perhaps you tried customizing the config too much before you even got it all running correctly? As the default config shouldn't have been so restrictive. And I've noticed that sometimes my bfd fires on httpd 404 errors... I've been meaning to change that. Perhaps something like that could have happened to you?

    What did the block emails you got say? You'll know exactly what tripped it then.
     
  11. dianaward

    dianaward Well-Known Member

    Joined:
    Dec 9, 2002
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Twitter:
    From the one server they said too many login errors; the other locked me out for too many login errors when I had never logged in. The 2 that freaked out were in the same datacenter and were P4s running older RedHat. The two that did okay were an Athlon with Redhat 9 and a P4 with Fedora. Maybe there was some OS conflict.

    The DC said that the libraries in that server were severely corrupted to the point that they could not execute any commands. Currently running commands were still working, but no new commands could be executed. They also said: I believe that BFD uses APF to block hosts that exceed the maximum allowed login attempts, but I was still able to reach your server. However, I was unable to log on with the correct password as the connection was shut down immediately after authenticating me. It would be recommended to either reload the OS, or apply admin time to fix the problem. However, there is no guarantee that we can fix the problem though admin time since there may be some corrupt libraries or programs.

    So both machines had to have the OS reloaded.
     
  12. eos1

    eos1 Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I can't see how that would help much. Isn't the IP Deny Manager just for apache access via .htaccess? Even if it were to add IPs to /etc/hosts.deny it's not much protection.

    The best (and IMO, only) realistic solution is to use a firewall and maintain it properly, which I believe is something outside the purview of WHM and in the realms of good system management of your hardware/OS.
     
  14. ES-207261

    ES-207261 Member

    Joined:
    Jan 1, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Wow, such great system admins here.

    SSH in as root or su and do the following for each IP (substitute the IP for XXX.XXX.XXX.XXX):

    Code:
    iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP   (HIT ENTER) 
    After you're done with 'em:

    Code:
    service iptables save  (HIT ENTER)
    service iptables restart  (HIT ENTER)

    iptables literally drops the connection from the IP that is dropped, so to the person trying to get in, the server looks as though it's not even there; they can't access the server in any way. After you do the save command I recommend you download

    /etc/sysconfig/iptables

    then you can add the IPs in quicker, then re-upload (ASCII ONLY)

    and restart it. You can also use various programs in conjunction with it to auto-add the IP drops, BUT I don't recommend it because some clients/users are just dumb and forget their info and try more than three times. The best way to do it is to just make sure your root pass is a secure one consisting of alphanumeric characters such as b0b4 or whatnot, and then just ban them by hand in iptables so that you can make sure you aren't banning your users who are just making mistakes.
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're completely missing the point. This thread is about automatically blocking repeated login failures. It's nothing to do with manually maintaining iptables firewalls (if you run an OS that supports it and you don't already have a firewall app installed, which your instructions would be completely useless for) :rolleyes:

    I'd suggest that you read the thread and understand it before insulting people.
     