A common method of gaining access to a server is a brute force attack, also called a dictionary attack. The attacker uses a script that tries to log in to an account with every possible password combination. This typically takes tens of thousands of login attempts, but eventually the right combination is found and the attacker can log in normally.
To prevent this, we can use a brute force login detection system. DirectAdmin has two such systems for these attacks.
The original feature was added in DA 1.25.5, and detects and blocks login attempts on DA itself (port 2222). This feature only applies to port 2222: it only blocks IPs on this port, and does not block IPs from other ports.
To enable this feature, go to:
Admin Level -> Admin Settings -> Blacklist IPs for excessive login attempts
Use a value around 10-20. Note that in DirectAdmin 1.52.1 and older, accessing the login page counts as one failed login, since it is an unauthorized access; keep that in mind when choosing a number. In DA 1.53.0+ the value matches actual login attempts, as unauthorized accesses have been split into their own setting.
The newer system works in tandem with the previous, and will scan the logs for the other services (apache, dovecot, exim, proftpd, sshd).
When an attack is detected, DA will notify the Admins on the box that the attack is in progress. DA will not block the IPs, since that would require a firewall, and DA doesn't manage firewalls (see block_ip.sh
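As an added illustration (not DirectAdmin's own code and not its log-parsing rules), the following Python snippet shows the kind of scanning the newer system performs: it counts failed logins per IP across sshd and dovecot log lines and builds the admin notification, without blocking anything. The log lines are constructed samples, and the regular expressions are assumed approximations of those daemons' formats.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
May  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
May  3 10:01:04 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
May  3 10:01:06 host sshd[1235]: Failed password for root from 203.0.113.5 port 50126 ssh2
May  3 10:01:07 host sshd[1236]: Accepted publickey for deploy from 198.51.100.7 port 4000 ssh2
May  3 10:01:09 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=203.0.113.5, lip=192.0.2.10
May  3 10:01:11 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, rip=198.51.100.7, lip=192.0.2.10
"""

# Assumed failure patterns per service; group 1 is the user, group 2 the source IP.
PATTERNS = {
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"),
    "dovecot": re.compile(
        r"dovecot: .*auth failed.*user=<([^>]*)>, rip=(\d+\.\d+\.\d+\.\d+)"),
}


def count_failures(log_text):
    """Return {ip: {service: failed_login_count}} for every failure found in log_text."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                failures[match.group(2)][service] += 1
                break  # one line belongs to one service
    return failures


def offenders(log_text, threshold):
    """IPs whose failed logins, summed across services, reach the threshold."""
    result = {}
    for ip, per_service in count_failures(log_text).items():
        total = sum(per_service.values())
        if total >= threshold:
            result[ip] = total
    return result


def notify_message(log_text, threshold):
    """Build the text an admin notification would carry; nothing is blocked here."""
    lines = [f"Brute force attack detected from {ip}: {total} failed logins (threshold {threshold})"
             for ip, total in sorted(offenders(log_text, threshold).items())]
    return "\n".join(lines)
```

With the sample above and a threshold of 3, only 203.0.113.5 is reported; the single dovecot failure from 198.51.100.7 and the successful key login are ignored.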
To enable the detection reporting, go to:
Admin Level -> Admin Settings -> Parse service logs for brute force attacks
The brute force monitor (BFM) page can be viewed at:
Admin Level -> Brute Force Monitor
Note that DA does have hook scripts which can be used to automatically block IPs in a firewall, if you have one set up. We have an example of such a setup here: