Block IPs with Brute Force Monitor in DirectAdmin using CSF
Source: https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm
Regular install of CSF
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
./install.directadmin.sh
Now login as Admin into directadmin or WHM, and click the link ConfigServer Security & Firewall
You'll probably want to add your WAN IP to the allow list first, so you don't lock yourself out; you can find out what it is here: http://www.ip-secrets.com/
Then add your WAN IP into the Quick Allow field.
Next click Firewall Configuration and set TESTING to 0, to disable testing mode:
TESTING = 0
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,CUSTOMPORT
If you use git you'll also want to add its port (9418) to TCP_OUT:
TCP_OUT = 20,21,22,25,53,80,110,113,443,587,993,995,2222,9418
Also if you are hosting a git repository on your server you'll want to add it to TCP_IN:
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2222,9418
You can leave the rest as is. Scroll down to the bottom of the page, and click the Change button to save your changes.
Then, after your firewall is up and running, you can click the Check Server Security button to see what security weaknesses your server may have. NOTE: you don't need to fix everything in red (there are some PHP functions that you may rely on), but you should fix the easy ones, like adding noexec,nosuid to the relevant mounts in your /etc/fstab.
As long as you're in the upper yellow score (70+) you should be fine.
Set CSF to ignore certain long-running processes
CSF has good default settings for ignoring long-running processes, but there are still a few you may want to add.
For example, if you're using dovecot managesieve-login you'll get a ton of warnings like:
lfd on server.somesserver.com: Suspicious process running under user dovecot
To avoid that, we have to edit /etc/csf/csf.pignore
vi /etc/csf/csf.pignore
Make sure it looks something like this (one entry per line). I've added exe:/usr/libexec/dovecot/managesieve-login and exe:/usr/bin/memcached at the end:
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/httpd
exe:/usr/bin/dbus-daemon
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/sbin/ntpd
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/bin/memcached
Now restart CSF
csf -r
or
service csf restart
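If you manage several servers, editing csf.pignore by hand in vi gets error-prone. The script below is an added example (not from the article or from ConfigServer) that appends the same exe: entries idempotently, so running it twice never duplicates a line, and only restarts lfd via csf -r when something actually changed. The PIGNORE variable and the --run flag are my own conventions; the path defaults to the real file but can be overridden for a dry run.

```shell
#!/bin/sh
# Idempotently add csf.pignore entries so lfd stops flagging long-running
# daemons such as dovecot managesieve-login or memcached.
# Added example, not part of the original article. Override PIGNORE to test
# against a scratch copy instead of the live /etc/csf/csf.pignore.

PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"

# pignore_add FILE ENTRY... : append each entry that is not already present
# as a whole line; prints the number of entries added.
pignore_add() {
    file="$1"; shift
    added=0
    [ -f "$file" ] || : > "$file"
    for entry in "$@"; do
        case "$entry" in
            exe:/*|cmd:*|user:*) ;;   # the csf.pignore prefixes we accept
            *) echo "skipping malformed entry: $entry" >&2; continue ;;
        esac
        # -x forces a whole-line match, so exe:/usr/sbin/httpd does not
        # "match" a longer path that merely starts the same way; -F is literal.
        if ! grep -qxF -- "$entry" "$file"; then
            printf '%s\n' "$entry" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# pignore_has FILE ENTRY : exit 0 if the entry is present as a whole line.
pignore_has() {
    grep -qxF -- "$2" "$1"
}

# apply_pignore ENTRY... : add entries and restart csf/lfd only if the file
# changed (the article's "csf -r" step). Silently skipped if csf is absent.
apply_pignore() {
    n=$(pignore_add "$PIGNORE" "$@")
    if [ "$n" -gt 0 ] && command -v csf >/dev/null 2>&1; then
        csf -r
    fi
    echo "$n"
}

# Usage: sh pignore.sh --run [extra exe:/path entries...]
if [ "${1:-}" = "--run" ]; then
    shift
    apply_pignore exe:/usr/libexec/dovecot/managesieve-login exe:/usr/bin/memcached "$@"
fi
```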
And... we're done.