Automatic Blocking on Failed Login attempts


Wheemer

May 17, 2012, 2:26:57 PM
to rhinosoft-...@googlegroups.com
Hello;

I am testing the newest Serv-U 12.0.0.2

We have a ton of people always trying to guess usernames and passwords to connect.

I have the "Block users who connect more than..." setup and it's working ok.

However I do not want to lower these settings as we have legitimate connections that trip this on occasion.

I need to have it so that if a user's login fails 5 times, they are blocked indefinitely.

Where is this common ftp setting?

Thanks

Michael Sparks

May 18, 2012, 3:42:52 PM
to rhinosoft-...@googlegroups.com
It seems most attacks against Serv-U are brute force against common account names: root, admin, staff, guest, test... Most of these account names we don't use. So I've created dummy accounts with a few dozen frequent targets that no legit user would be trying, and set an event to run a script on login failure which adds their IP to the Windows firewall deny list.

Here's the single line of the script I call:
netsh advfirewall firewall add rule name="Serv-U auto-banned" protocol=any dir=in action=block enable=yes profile=any remoteip=%1

The firewall list gets pretty long after a while, but every few months I just clear them all out. Most of those IPs won't be long-term attackers, and the few that will, will be blocked again on the very next attempt.

Bryan Jarvis

May 19, 2012, 11:52:47 AM
to rhinosoft-...@googlegroups.com

Hi, Michael -
That is a great answer, and what you are doing is exactly what I want to do but there are some questions I have...

Is this netsh command available for Windows Server 2003?  A Google search seems to indicate Windows Server 2008 only?
I also don't see the Windows firewall deny list on my Windows 2003 server....

Also, your single line script - is it as simple as a file named "blockip.cmd" that you point the Serv-U event to?

Michael Sparks

May 19, 2012, 11:29:26 PM
to rhinosoft-...@googlegroups.com
Bryan,

This may not work on 2003. If I remember correctly, the 2003 firewall was only half-baked. It's really first rate in 2008 R2. But there's hope: there's an implementation of Linux-style iptables for Windows that may be perfect. iptables is the #1 firewall on Linux, so if the port to Windows is good, then that's the way to go: http://wipfw.sourceforge.net/index.html . Command line and scriptable, of course!

And yes, I have a .cmd file with that single line in it for Serv-U to run on logon failure for the trap IDs. For login failures that aren't to the trap accounts, you might want to run a script that just records the time, IP and account ID so you can get a feel for which IDs are getting hammered on. You may find some you want to add as traps.

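An added example script, not from this thread or from Serv-U itself, that combines the two suggestions above with the original question: it records every failure, bans a trap-account hit immediately, and otherwise bans an IP after the fifth failure. It assumes Windows Server 2008 R2 or later (for netsh advfirewall), that the Serv-U login-failure event passes the client IP and account name as the first two arguments, and the C:\ServU-autoban folder; the trap-account list is illustrative.

```powershell
# ban-failed-login.ps1 (added example; assumes Windows Server 2008 R2 or later, and that
# the Serv-U login-failure event passes the client IP as argument 1 and the account as 2)
param(
    [Parameter(Mandatory=$true)][string]$ClientIp,
    [Parameter(Mandatory=$true)][string]$Account,
    [int]$Threshold = 5,                      # ban after this many failures from one IP
    [string]$StateDir = 'C:\ServU-autoban'    # assumed location for the log and ban list
)

# Trap (decoy) account names: a single failure against any of these bans the IP at once.
$TrapAccounts = @('root', 'admin', 'staff', 'guest', 'test')

# Refuse anything that is not a valid IP address: the value ends up on a netsh
# command line, so it is never passed through unchecked.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ClientIp, [ref]$parsed)) {
    Write-Error "Not an IP address: $ClientIp"; exit 1
}
$ip = $parsed.ToString()

$null = New-Item -ItemType Directory -Force -Path $StateDir
$logFile = Join-Path $StateDir 'failures.csv'
$banFile = Join-Path $StateDir 'banned.txt'

# 1. Record every failure (time, IP, account) so you can see which IDs get hammered.
Add-Content -Path $logFile -Value ("{0},{1},{2}" -f (Get-Date -Format s), $ip, $Account)

# 2. Already banned? Then there is nothing more to do.
if ((Test-Path $banFile) -and ((Get-Content $banFile) -contains $ip)) { exit 0 }

# 3. Count this IP's failures (the commas keep 10.0.0.1 from matching 10.0.0.10).
$failures = @(Select-String -Path $logFile -SimpleMatch -Pattern ",$ip,").Count
$isTrap   = $TrapAccounts -contains $Account.ToLower()

if ($isTrap -or $failures -ge $Threshold) {
    # A rule name without spaces avoids PowerShell/netsh quoting problems and
    # carries the IP, so each ban can later be deleted by name.
    $ruleName = "ServU-auto-banned-$ip"
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block `
        protocol=any profile=any enable=yes remoteip=$ip | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Add-Content -Path $banFile -Value $ip
        Write-Output "Banned $ip (trap=$isTrap, failures=$failures)"
    } else {
        Write-Error "netsh failed for $ip (exit code $LASTEXITCODE)"
    }
}
```

Because banned.txt lists exactly the IPs that got a rule, the periodic cleanup Michael describes becomes a loop over that file running `netsh advfirewall firewall delete rule name=ServU-auto-banned-<ip>` and then emptying the file.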