brute_filter.list supports count_multiplier option

Version 1.52


A new option has been added to the lines in the file /usr/local/directadmin/data/templates/brute_filter.list, specifically for the wordpress3 entry, e.g.:

wordpress3=ip_after=&ip_until= -&text=] "POST /&text2=/wp-login.php&text3=" 302%20&count_multiplier=4

What this does: after all log parsing is done, the Brute Force Monitor counts how many entries were triggered for that item (e.g. wordpress3) for a given IP. Say there were 20 triggers. The multiplier means that instead of having a limit of 100, that item needs 400.

The logic in DA actually works the other way around: the total count also includes other items, so we divide the number of wordpress3 counts by 4. So instead of 20 hits, the count only sees 5 towards the total. This also means that if there are only 3 hits, then 3/4 = 0, so no count would be triggered for that IP.

The entries will still show up in the log list, but the count for that given IP (top table) will be lower.

The whole purpose of this is that the entry:

POST /wp-login.php HTTP/1.1" 302

could represent an attack, but could also just be a normal redirection. So we do want to count it, but it should be of lower significance.

------------------

SKIN:

There are no HTML changes required. However, we have changed the |LOGINFAILURES| table token value. The wordpress3 attempts, which are usually 1, will now be displayed as a float / multiplier. So for this case, each wordpress3 attempt count will show 0.25. There is also a title= hover-over popup that explains what the value means.
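The division described above, sketched as an added example (not DirectAdmin's own code): it reads count_multiplier from the wordpress3 line and applies integer division per item and per IP before summing. The helper names, the `other_item` filter, the sample IPs and the "reaching the limit counts" comparison are assumptions made for illustration.

```python
from collections import Counter

# Entry copied from the page (brute_filter.list, wordpress3 item).
WP3_LINE = ('wordpress3=ip_after=&ip_until= -&text=] "POST /'
            '&text2=/wp-login.php&text3=" 302%20&count_multiplier=4')

def parse_filter_line(line):
    """Split 'item=opt=val&opt=val...' into (item, options dict)."""
    item, _, rest = line.partition("=")
    opts = {}
    for pair in rest.split("&"):
        key, _, val = pair.partition("=")  # first '=' only; values kept raw
        opts[key] = val
    return item, opts

def multiplier_of(opts):
    """count_multiplier as an int; entries without the option weigh 1."""
    m = int(opts.get("count_multiplier", "1"))
    if m < 1:
        raise ValueError("count_multiplier must be >= 1")
    return m

def counted_totals(triggers, multipliers):
    """triggers: (ip, item) pairs. Returns {ip: total after division}."""
    totals = Counter()
    for (ip, item), hits in Counter(triggers).items():
        # Integer division, as on the page: 20 // 4 == 5 and 3 // 4 == 0.
        totals[ip] += hits // multipliers.get(item, 1)
    return dict(totals)

def at_or_over_limit(totals, limit):
    """IPs whose counted total reaches the limit (assumed comparison)."""
    return sorted(ip for ip, n in totals.items() if n >= limit)

def sample_triggers():
    """Constructed data: documentation IPs and a hypothetical 'other_item'."""
    t = [("203.0.113.5", "wordpress3")] * 20     # counts as 5
    t += [("203.0.113.9", "wordpress3")] * 3     # counts as 0
    t += [("198.51.100.7", "wordpress3")] * 400  # counts as 100
    t += [("192.0.2.44", "wordpress3")] * 20 + [("192.0.2.44", "other_item")] * 95
    return t

if __name__ == "__main__":
    item, opts = parse_filter_line(WP3_LINE)
    totals = counted_totals(sample_triggers(), {item: multiplier_of(opts)})
    print(totals)
    print(at_or_over_limit(totals, 100))
```

The last sample IP shows why the division is applied to the item rather than to the limit: 20 wordpress3 hits add only 5 to a total that other items also feed.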
