I wanted to block IP adressess which Directadmin recognized as source of brute force attacks. There is documentation about this for Linux and FreeBSD. I’m using PF as firewall on my system and not IPFW. There is only documentation how to create this with IPFW. So here is a little tweak and IP’s are blocked with PF automatically. Here is how:
In /etc/pf.conf create new table spammers that will persist on file /etc/spammers.
table persist file “/etc/spammers”
Create block rule so that IP addresses from spammers table will be blocked. Ifext is my network card so change this to your needs.
block drop in quick on $ifext from to any
In /usr/local/directadmin/scripts/custom/ create new script block_ip.sh and add code below.
#!/bin/sh echo “Blocking $ip with pf … ”; pfctl -t spammers -T add $ip echo $ip >> /etc/spammers exit $?
As you can see we are using command pfctl -t spammers -T add $ip which is PF syntax. When IP will be recorded it will be immediately added to table spammers and file /etc/spammers that we’ll create in next step. When pf restarts, rule is deleted from ram. But in this case IP is also stored in file /etc/spammers so it will be loaded in spammers table.
Create file /etc/spammers and save it. Thats were blocked IP’s will save.
This script must be manualy started from Directadmin administration. We can make it to run automatically. In /usr/local/directadmin/scripts/custom/ create another script named brute_force_notice_ip.sh. As specified in directadmin documentation you do that like so:
cd /usr/local/directadmin/scripts/custom wget http://files.directadmin.com/services/all/brute_force_notice_ip.sh chmod 700 brute_force_notice_ip.sh
IP’s that are listed as source of brute force attacks will now be automaticly blocked with PF.