Menu

Search

GlobalSCAPE Knowledge Base


Can I automatically ban an IP address that has tried to log in incorrectly multiple times?


GlobalSCAPE 5
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:
  • EFT Server versions 5.x and earlier
  • Secure FTP Server (All Versions)

NOTE: You do not need to follow this procedure if you are using EFT Server versions 6 or later; you can configure autoban settings in the GUI. Refer to help for your version of EFT for details.:

QUESTION

Is there any way of auto-banning an IP address that has tried to log in incorrectly multiple times?

ANSWER

There are several methods that you can use to temporarily or permanently disallow unauthorized or problem users from accessing the Server. This article describes how to ban the IP address of users attempting to connect with a non-existing login name. (For other methods, refer to the links at the bottom of this article.)

Note: Editing and running .vbs scripts are for advanced users. If you need assistance with editing scripts, contact GlobalSCAPE's Professional Services team for assistance.

**You only need to configure this once; you can schedule Event Rules to run the script automatically at regularly scheduled intervals, as described below.**

To create the command and the script that it will execute:

  1. Download the attached script file, addbanip.vbs (or addbanip.txt and rename it with thhe .vbs extension), and save it in c:\temp.
  2. Copy the following text into a text editor (e.g., Notepad/EditPlus) and save it as batch file in c:\temp. For example, c:\temp\LogInvalidIp.bat.
  3. @echo off

    rem Simply append all arguments to the log file

    rem "%EVENT.TIME%" "%USER.LOGIN%" "%CONNECTION.REMOTE_IP%" "%EVENT.REASON%"

    %CONNECTION.LOCAL_PORT%" "%CONNECTION.PROTOCOL%"

    Echo %1 %2 %3 %4 %5 %6 %7 %8 %9 >>InvalidIp.txt

    The batch file will create a file named InvalidIp.txt whenever there is a failed connection attempt on the Server.

  4. Add a custom command on EFT. Provide any name and description, and the path to the executable (in this example, c:\temp\LogInvalidIp.bat.) Clear the Output check boxes. Do not enter ANYTHING on the Advanced or Permissions tabs.
  5. Create a User Login Failed Event Rule, and add the Execute command in folder Action. 
  6. Click in the Action to display the Custom Command dialog box.
    1. In the Select command box, click the down arrow and select your new command.
    2. Copy and paste the following variables into the Specify command parameters box (be sure to include the percent signs and quotation marks):
    3. "%EVENT.TIME%" "%USER.LOGIN%" "%CONNECTION.REMOTE_IP%" "%EVENT.REASON%" "%CONNECTION.LOCAL_PORT%" "%CONNECTION.PROTOCOL%"

    4. In the Specify command working folder box, type or click the folder icon and browse to the folder where the executable resides (c:\temp). (Note: No error checking is done to verify that you have typed a valid path.)
    5. Click OK to save the Command, then click Apply to save the rule.
  7. Open the script file that you downloaded, addbanip.vbs, and edit the variables under Constants for server details to reflect your configuration. (Because this plain-text file will contain your username/password pair, be sure to save the file in a secure location.):
    • IP address(cServer)
    • Site name (cServerSite)
    • Port, (cPort)
    • Username (cUserName)
    • Password (cPassword)
    • Log (cLogFile) file path (For this example, "c:\temp\InvalidIp.txt")
    • Temp work (cWorkFile) file path (For this example, "c:\temp\InvalidIp.wrk")
    • Your IP address to keep you from locking yourself out (cIgnoreIP)
    • E-mail variables to e-mail you when an authorized login occurs (You can comment out the calls to the e-mail subroutines to prevent the e-mails from being sent while testing.)
    • And most importantly, set the maximum number of invalid login attempts before an IP is added to the ban list (MaxInvalidLogins). Do not set this too low, because if a legitimate user "fat fingers" the login, they will be banned.

To test it:

  1. Use CuteFTP or another client to attempt to log in to the Server using a non-existant username. Repeat multiple times, until you have exceeded MaxInvalidLogins.
  2. The failed login should cause the file InvalidIp.txt to be created in c:\temp. If it is, continue. If not, troubleshoot the above steps. The contents of InvalidIp.txt should look similar to the following text (including the quotation marks):
  3. "24 Jan 08 15:14:41" "wwwww" "127.0.0.1" "Invalid password" "21" "FTP"

  4. At a command prompt, execute addbanip.vbs.
  5. Click OK through the prompts, carefully noting each one.
  6. When the prompt "Add n.n.n.n to denied IPs - click OK" appears, click OK, and the IP addresses should be added to the deny list. If you do not get that far, then most likely no IP addresses matched the criteria. You can add Print lines all through the code as necessary (e.g. Print "now checking blah blah blah") to help you debug/diagnose the script.
  7. If the script works and the IP is added to the ban list, you are set to go. You can manually run the script when necessary or setup Windows Scheduler to run the script automatically. When the script is run, it will parse InvalidIp.txt for any failed login attempts and if there are multiple failures for the same IP address (more than MaxInvalidLogins), the IP address will be banned.

For more information about blocking/disconnecting problem/unauthorized connections to EFT, refer to the following topics in the help file. 

  • Block anti-timeout schemes. Many FTP clients send random commands such as REST 0, PWD, TYPE A, LIST, etc., to the FTP server to keep the session alive while the client is idle. (Set at the Site level)
  • Configure EFT Server to automatically ban IP addresses that may potentially be associated with a DoS (Denial of Service) attack. The Flooding and Denial of Service Prevention settings can block DoS attacks in which the same IP address unsuccessfully tries repeatedly (numerous times per second) to access the Server.
  • Use the IP access restrictions list to block specific IP addresses or allow only specific IP addresses.
  • Temporarily or permanently disable user accounts after a defined number of invalid password attempts over a specified time. (Set at the User or User Setting Level only)
  • Disconnect users and optionally ban their IP address after a defined number of invalid commands. Many FTP clients send a NOOP command to the Server during idle times to keep the connection alive. If you disallow the NOOP command, it will be considered an invalid command and treated according to your settings under Disconnect after <n> invalid commands. (Set at the User or User Setting Level only)
  • Automatically disconnect users after a specified time of inactivity, set per user or at the User Setting Level, by setting a maximum idle time limit. Set at the User or User Setting Level only)
  • Temporarily or permanently disable idle user accounts (i.e., accounts that have not accessed the Server in a defined period of time.
  • Forcibly log a user off the Server. (Performed at the Server Level)
  • Disable a User Setting Level or user account or set an expiration date on a user account. Expired/disabled accounts are not removed from the Server; they can be re-enabled at any time.
  • Disconnect users after a defined number of invalid commands, but only if the username is valid and the password is bad. (If the username does not exist, it cannot be banned.)
  • Disconnect users after a specified time of inactivity

Also In This Category


On a scale of 1-5, please rate the helpfulness of this article


Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!


Comments require login or registration.

Details
Last Modified: 2 Months Ago
Last Modified By: kmarsh
Type: HOWTO
Rated 1 star based on 10 votes.
Article has been viewed 19K times.
Options