

Who Uses Brute Force Scripts




Posted by ParagonHost, 02-08-2013, 12:05 PM
Greetings, We currently run CSF on our Linux boxes and use the Brute Force Attack feature. We do not use the cPanel cPHulk feature of WHM. We use these features on our managed services offerings but not on our general shared hosting. Question is, how many of you use either one of the two features above? Reason is, we tend to spend some time with our managed offering unblocking IPs, many of the SOHO users with dynamic IPs - they tend to block themselves for one reason or another. We are also concerned that some users may perceive this as a degraded service offering (no matter how many times we try to educate the client). Is it just better "not" to use any Brute Force Attack Scripting? I will set up a poll for usage stats on the two features above. Thanks for your input! Dave Last edited by ParagonHost; 02-08-2013 at 12:11 PM.

Posted by RobertClarke, 02-08-2013, 12:11 PM
I have problems with clients accidentally blocking myself too, it's one minor disadvantage to using CSF.

Posted by PCS-Chris, 02-08-2013, 12:13 PM
Same here, we've even had a couple of clients get frustrated to the point that they switched providers despite our best efforts to advise them on how to configure their clients to avoid the issues. There are a couple of addons you can get for cPanel so users can unban themselves but obviously that assumes they have another internet connection or proxy they can use to login.

Posted by LampNetworks, 02-08-2013, 12:24 PM
I use both of the above and used to have similar problems with clients getting themselves blocked. I have been using a free unblock module now for several months that has fixed the problem. Depending how you set it up, clients can either unblock themselves or WHMCS can auto remove the block when a client logs in. You can't use the module if WHMCS is on the same server as your clients. Free IP unblock module: http://projects.serverping.net/proje...ckip/wiki/Wiki Edit: I think you should have a fourth option in your poll for those who use both. Last edited by LampNetworks; 02-08-2013 at 12:31 PM.

Posted by serve-you, 02-08-2013, 12:25 PM
It's a fine line between security and customer happiness. I'm honestly of the opinion that security generally trumps. I would never disable a security function because a small percentage of users are getting blocked for doing something they shouldn't be doing anyway. I use both csf/lfd & cphulk. You usually just need to tweak the thresholds to reasonable limits. The defaults tend to be a bit aggressive in some cases.

Posted by TravisT-[SSS], 02-08-2013, 01:04 PM
Use the messenger service and display a message so they know what has happened and how to fix it.

Posted by ParagonHost, 02-10-2013, 08:38 PM
Thanks all for the comments / good points. Thanks @SolidShellSecurity - the enable of messenger in CSF sounds like the best solution at this point. Take care! Dave

Posted by SarahA, 02-10-2013, 09:28 PM
We use CSF for blocking; however, I think that if you offer the reset password under cPanel then you may stop some clients from getting banned. We see a lot of clientele getting banned mainly from repeatedly trying to FTP into an account. Since FTP clients usually automatically try to reconnect on a failed password, that's the issue. Another thing you could do to stop people being banned is ask clients to mail you their IPs if they are frequently getting banned, and then add them to CSF's ignore list. Now that would be a pretty nice add-on for a billing system. Who knows, that may solve your issue.

Posted by ParagonHost, 02-10-2013, 10:35 PM
198Host, yeah I agree - FTP is a common app that is the cause of blocking for sure. Good tips ... For those who do not know how to enable the messenger in CSF, here is what I found. Here are the exact steps in case anyone else needs help with it:

1) Upgrade CSF on the server to the latest version from your WHM.
2) Open /etc/csf/csf.conf
3) Search for "MESSENGER" and change it to MESSENGER = "1"
4) On the command line, add a user using the command: useradd csf -s /bin/false
5) Restart csf and lfd.

You are done :-) If you want to customize the blocked page, you can change the index.html page located at /etc/csf/messenger

Have a great week all! Dave

Posted by ParagonHost, 02-10-2013, 10:39 PM
byezan, thanks for the tip on the unblock script / kinda cool. Yes - I wanted to edit the poll to add that question of running both but too late. Perhaps others can just comment on running both if that is the case. Anyway... Cheers, Dave

Posted by ParagonHost, 02-11-2013, 09:40 AM
Sorry - not trying to bump this thread but below is some good info to know about the CSF Messenger service related to ipt_REDIRECT needed on the box. Here is the snip direct from the config file as well as a clear description of what messenger in CSF does:

###############################################################################
# SECTION:Messenger service
###############################################################################
# Messenger service. This feature allows the display of a message to a blocked
# connecting IP address to inform the user that they are blocked in the
# firewall. This can help when users get themselves blocked, e.g. due to
# multiple login failures. The service is provided by two daemons running on
# ports providing either an HTML or TEXT message.
#
# This feature does not work on servers that do not have the iptables module
# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included.
#
# For further information on features and limitations refer to the csf
# readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# 1 to enable, 0 to disable

Posted by FastServ, 02-11-2013, 04:13 PM
Set the block threshold a little high (e.g. 50 failures or more for all settings) to prevent false positives and still catch attacks.

Posted by ParagonHost, 02-16-2013, 04:55 PM
Good tip / Thanks! We may opt for this solution vs. the Messenger. Cheers, Dave
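
An added example, not posted by anyone in the thread: a small shell audit of a csf.conf-style file that reads the MESSENGER setting from the steps above and lists login-failure triggers set below a chosen minimum, as in the threshold tip. The sample file is constructed, and the LF_* keys checked are an assumed, illustrative subset; compare them with your own /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example: read settings from a csf.conf-style file (KEY = "value").

# Print the value of one key; the last assignment in the file wins.
csf_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print KEY=value for each login-failure trigger that is enabled (non-zero)
# but set below the minimum number of failures given in $2.
csf_low_thresholds() {
    # $1 = config file, $2 = minimum failures before a block
    # Assumed key list; extend it to match the triggers in your csf.conf.
    for key in LF_SSHD LF_FTPD LF_SMTPAUTH LF_POP3D LF_IMAPD LF_CPANEL; do
        val=$(csf_get "$1" "$key")
        case "$val" in
            ''|*[!0-9]*) continue ;;   # key missing or not a plain number
        esac
        if [ "$val" -gt 0 ] && [ "$val" -lt "$2" ]; then
            printf '%s=%s\n' "$key" "$val"
        fi
    done
}

# Constructed sample config, not taken from a real server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
MESSENGER = "0"
LF_SSHD = "5"
LF_FTPD = "10"
LF_SMTPAUTH = "0"
LF_CPANEL = "50"
EOF

echo "MESSENGER is set to: $(csf_get "$SAMPLE" MESSENGER)"
echo "Triggers below 50 failures:"
csf_low_thresholds "$SAMPLE" 50
```

On a real server, point both functions at /etc/csf/csf.conf instead of the sample file.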


