Behavior of Server Details/IP Access/Deny settings

I assumed, incorrectly, that adding an IP or an IP range "deny" setting in Global\Server Details\IP Access would prevent that IP/IP range from being able to attempt connection to my hosts. Upon further review, it appears that it only steps into the equation after an authentication attempt is made. In their defense, it actually says "Server IP access rules are checked when a physical connection is established with the file server, but before a welcome message is sent." That's somewhat ambiguous language. If the rules are checked when a physical connection is established, then of course that happens before a welcome message is sent. Hard to send a welcome message without a physical connection.

I intended to use "deny" settings here to keep large chunks of Chinese IP blocks off our radar, and this is where the majority of our nefarious logon attempts come from. Also, occasionally, these attempts will lock out one of our user accounts. (In case you're wondering, yes, I do have the "Block users who connect more than X times within Y seconds for Z minutes" setting turned on.) Unfortunately, adding IP restrictions in this manner does not inhibit an IP from attempting to authenticate. For example, here is one of the rules (in "export" format) from one of our hosts:

"IP","Description","Allow"

"49.88.112.1-49.88.112.254","6/16/20 China","0"

And here is a chunk of the log on that host from yesterday (local IP redacted to protect the innocent):

[02] Mon 13Dec21 09:59:26 - (018537) Connected to 49.88.112.112 (local address www.xxx.yyy.zzz, port 22)
[06] Mon 13Dec21 09:59:33 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
[02] Mon 13Dec21 09:59:33 - (018537) Invalid login credentials; user: "root"; password: "**********"
[06] Mon 13Dec21 09:59:35 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
[02] Mon 13Dec21 09:59:35 - (018537) Invalid login credentials; user: "root"; password: "**********"
[06] Mon 13Dec21 09:59:35 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
[02] Mon 13Dec21 09:59:35 - (018537) Invalid login credentials; user: "root"; password: "**********"
[02] Mon 13Dec21 09:59:35 - (018537) Password wrong too many times for user "root" - disconnecting
[02] Mon 13Dec21 09:59:35 - (018537) Closed session

Maybe I should be tapping all this in as a feature request, but ideally when we enter something to deny an IP, it'd be great if it would deny the IP.

Find more posts tagged with

IP Access

server details

deny

Accepted answers

calc2014

Your original example of 49.88.112.1-49.88.112.254 I think would just be

49.88.112.*

and then your other request above 221.176.0.1 through 221.183.255.255 and 221.192.0.1 through 221.239.255.255 I think would be..

221.176-183.*.*

and

221.192-239.*.*

Let us know how you get on!

All comments

calc2014

I might be wrong here but I think it might just be because of the syntax you are using for the block rule, the hyphen does not work in that way..

https://support.solarwinds.com/SuccessCenter/s/article/Setting-IP-Access-rules-in-Serv-U?language=en_US



    The hyphen is used to denote a range of numbers, so it can only be used for IP-numbers. Simply separate the starting and ending values by a hyphen.

    For example, assume that users that need access have IP-numbers 134.56.34.128, 134.56.34.129 and 134.56.34.130. Three "allow" rules could be defined, each with one of these numbers. However, a faster way to do this is to make a single "allow" rule like this:

    Allow: 134.56.34.128-130

    The special characters "*" and "-" don't need to be at the end of the IP-numbers, any place will do. The rule 221.*.76-154.89 is perfectly OK.

66chevelle

You may be correct. I wish that were written better. Like "The rule 221.*.76-154.89 is perfectly OK" - I assume that's going to affect the IP range 221.0.76.xxx through 221.154.89.xxx?

Their only legible example is the one blocking the three IP addresses .128/129/130. I have a couple rules I want in place to block large swaths of IP's originating in China, 221.176.0.1 through 221.183.255.255 and 221.192.0.1 through 221.239.255.255. How would you interpret their implementation of the dash to write a rule blocking a range like either of those? 221.192-239?

calc2014

Your original example of 49.88.112.1-49.88.112.254 I think would just be

49.88.112.*

and then your other request above 221.176.0.1 through 221.183.255.255 and 221.192.0.1 through 221.239.255.255 I think would be..

221.176-183.*.*

and

221.192-239.*.*

Let us know how you get on!

66chevelle

I believe this has solved the dilemma. Thank you for the help. I'm blasting some enormous chunks of IP addresses from China, and my daily log files have dropped about half in size.