Ipswitch Forums / Ipswitch Products / WS_FTP Server / IP based automatic ban / Latest Posts

RE: IP based automatic ban

kevin r gillis — Mon, 05 May 2008 18:45:53 GMT

Hello All,

regarding this request (ability to easily and manually add banned IP addresses), you can do this via the Access Control list in Server 6.1. The automatic blocking is scheduled for the next major release.

Are there any more details on "easily input" that you can share (e.g. such as importing from a csv, being able to enter a starting and ending range or wildcards, etc.)?

harmia (4/16/2008) - Same boat here, I wish there was to easily input banned IP address using know IP blocks from specific countries.

bye for now,

RE: IP based automatic ban

johnniewalker — Fri, 25 Apr 2008 12:56:38 GMT

[quote][b]kevin r gillis (4/16/2008)[/b][hr]hello all,

excellent feature request.

the ability to auto block IP addresses is tentatively set for the next major server released. this work is already completed and feature complete. the system admin can now populate a white or black list and auto populate the blacklist based on x consecutive failed logins after x mins or hours from the same IP address. the offending IP Address will be automatically added to the blacklist for a settable period of time (hours, days, months, forever). we'll be releasing this to the TPP in the coming 1-2 months. I'll add the request to be able to manually add offending IP addresses (versus automatic population of offending IP addresses).

hope this helps.

bye for now,[/quote]

Kevin, we've been waiting years for this! I hope this will also qualify as an event so an email can be sent with this event and that the ip address and the hostname are also variables that can be included in the emails! Remember this?

there may a few possibilities here for new features.

1. in the error message, include the user id or ip address or both.

Failed Login - Fri Feb 03 14:16:17 2006

*** There has been an excessive number of failed login attempts for the userid kevin@abc.com at ip address 123.123.123.12 - on host abc.com

2. In FTP Server 5, there currently is a rule for Failed Logins which can then kick-off an email/sms/pager/external applicatoin to notify you of a user reaching the failed login limit. i will check into whether we can include the IP address in the notification that is fired off.

3. after x failed logins from same ip address, then automatically put the ip addy on the blocked list until the admin pulls it off or for a settable # of days (e.g. 30 days).

Comments on the above?

bye for now,

RE: IP based automatic ban

BML — Thu, 24 Apr 2008 10:43:13 GMT

The automatic blacklist for failed logons feature would be a huge bonus. I also would like to block IP ranges, if possible.

RE: IP based automatic ban

I3rand0 — Thu, 17 Apr 2008 09:42:24 GMT

[quote][b]kevin r gillis (4/16/2008)[/b][hr]hello all,

excellent feature request.

hope this helps.

bye for now,[/quote]

Thanks for the update Kevin.

[quote][b]harmia (4/16/2008)[/b][hr]Same boat here, I wish there was to easily input banned IP address using know IP blocks from specific countries.[/quote]

Please add this to next release as well, thanks!

RE: IP based automatic ban

kevin r gillis — Wed, 16 Apr 2008 16:26:14 GMT

hello all,

excellent feature request.

hope this helps.

bye for now,

RE: IP based automatic ban

harmia — Wed, 16 Apr 2008 14:29:13 GMT

Same boat here, I wish there was to easily input banned IP address using know IP blocks from specific countries.

RE: IP based automatic ban

DaveS — Mon, 14 Apr 2008 12:54:33 GMT

Add me to the list of customers that would love to see this feature added.

RE: IP based automatic ban

I3rand0 — Fri, 11 Apr 2008 15:26:00 GMT

Has there been any update to this? I'm having the exact same issue with dictionary hacking. Automatic ban is a feature that absoletely needs to be in the next release.

RE: IP based automatic ban

Camman — Wed, 09 Apr 2008 12:25:42 GMT

Just wanted to chime in that I am having the exact same problem. The same ip address just bombarding my WS_FTP Server with random usernames and passwords. Unfortunately I can lock real accounts that have been tried "X" number of times, but, because they are just using randomly generated usernames and passwords there is no way to block but to manually put each IP address into the blacklist as I notice the attacks.

It seems like it should be possible to automatically ban a specific IP address if it has attempted to log in using hundreds of different usernames, but I cannot seem to locate a way to do this, is it at all possible?

RE: IP based automatic ban

Rand-O — Wed, 09 Apr 2008 11:41:21 GMT

I am in the same boat. I figured that as soon as we opened up SSH to the outside, that we would immediately be attacked - I was correct. I have a dozen or so denied IP addresses so far of people who have launched fairly intense dictionary style attacks. Unfortunately this creates a bit of a DOS for any legitimate FTP users as it busies out the FTP server.

Other FTP servers have a "shun" feature which automatically prevents this type of attack. Any suggestions on how to prevent this would be good- or at least give us some encouragement that IPSWITCH is aware of the issue and is working on a fix.

Thanks!

RE: IP based automatic ban

JodyG — Fri, 04 Apr 2008 13:51:14 GMT

We are experiencing the same issue, any suggestions would be great received.

IP based automatic ban

Garjala — Tue, 25 Mar 2008 06:51:47 GMT

We are running WS FTP Server with SSH. Problem is that someone is running somekind of dictionary based hacking system against server. I would like to know if server can be configured to automatically ban IP for selected time if failed login count from it is exceeded? I know that some other FTP servers can do this, but I am not sure about WS FTP Server with SSH.