Your IP is blacklisted: Improve functionality of localhost whitelist of 2222 (API)

Version 1.58

Bugfix
Finished

By default, too many failed connections from 127.0.0.1 on 2222 (as for any other IP) will cause that IP to be blocked. This will not change. The issue is that API scripts are the main trigger for 127.0.0.1 blocks, and the block text was plain HTML.

Two changes to help clarify things:

1) Since 127.0.0.1 being blocked is 99% caused by an API script, instead of:

Your IP is blacklisted...

it will be changed to:

error=1&text=Your IP is blacklisted...

so those scripts will be able to catch the error properly and display something that makes more sense. Humans should still be able to make sense of the error. Because no parsing is done for a blacklisted IP, DA doesn't know if it's a CMD_* or CMD_API_* request, which is why we've opted for a standardized response. Blocked IPs (possibly caused by DOS) need to be answered as efficiently as possible, and not parsing the request is the quickest way to do this.

2) DirectAdmin has an option in the Admin Settings:

Prevent 127.0.0.1 from being Blacklisted [x]

which controls whether 127.0.0.1 can be blacklisted or not. This change concerns the case where 127.0.0.1 was already blacklisted and the feature is then turned on. With this change, 127.0.0.1 can be in the ip_blacklist file, and if the feature is enabled (exempt_local_block=1), the IP is checked for 127.0.0.1 and allowed before the ip_blacklist file is checked.

We discussed simply using exempt_local_block=1 by default, but this is considered a security hole, since any local account could possibly gain the admin password through any compromised PHP script. We've instead opted to improve all other areas where possible to help admins solve the issue more easily.

================

SECURITY IF YOUR 127.0.0.1 IS BLOCKED

Before simply unblocking it or allowing 127.0.0.1, you should check

1) your /var/log/directadmin/security.log
2) Admin: Message System for any subject "*** 127.0.0.1 has been added to the ip_blacklist file ***"

to find out which username was attempted most frequently.

If you're seeing many random usernames or "admin", then there might be some local script attempting to brute force its way into an account, most likely "admin" at that point, since it would already have User access through some website (or similar).
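How an API script can catch the block response from change 1), as an added example that is not DirectAdmin's own code. The function name and the sample bodies are assumptions made for illustration; only the error=1&text=Your IP is blacklisted prefix comes from this page.

```python
from urllib.parse import parse_qs

# Prefix quoted on the page; the remainder of the message is elided there.
BLOCK_MARKER = "Your IP is blacklisted"


def classify_response(body: str) -> tuple[str, str]:
    """Return (status, detail); status is 'blocked', 'error' or 'ok'."""
    # parse_qs decodes %XX and '+', so the text compares as plain words.
    fields = {k: v[-1] for k, v in
              parse_qs(body.strip(), keep_blank_values=True).items()}
    text = fields.get("text", "")
    if fields.get("error") == "1":
        if text.startswith(BLOCK_MARKER):
            # The calling IP is in ip_blacklist: surface it to the operator
            # instead of treating it as an ordinary failed API call.
            return ("blocked", text)
        return ("error", text or "unspecified error")
    if "error" not in fields and BLOCK_MARKER in body:
        # Behaviour before this change: the block text was plain HTML.
        return ("blocked", BLOCK_MARKER)
    return ("ok", text)


# Constructed sample bodies, not captured from a real server.
SAMPLES = {
    "new block format": "error=1&text=Your IP is blacklisted",
    "url-encoded block": "error=1&text=Your%20IP%20is%20blacklisted",
    "old html block": "<html><body>Your IP is blacklisted</body></html>",
    "other api error": "error=1&text=Invalid+login",
    "success": "error=0&text=Saved",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify_response(body)}")
```

A script that gets "blocked" back for 127.0.0.1 should report it and stop, so the admin can review security.log as described above.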
