Serv-U mFTP Gateway - Security

Security... and not feeling so.

In the logs on the mFTP domain-facing Gateway there are many brute-force attempts to Connect and to Login.

I've set the limit to catch and block forever many attempts in a short period of time; versus a user who attempts a few times over a longer period of time, they too can be blocked forever.

The server (desktop) firewall is OFF so that any IP can reach this domain, for partners who work remotely without a static IP.

Questions in no particular order

Firewall (desktop) configuration: is Off correct? If not correct, is there any guidance/best practice on FW configuration?

Blocked IPs by | Limits & Settings, | Connection Settings, | Block Settings...
a) when IPs are added by these Settings, 1) they're not noted as such, 2) how do you know how an IP was added to the Domain Deny List?
b) how do you un-block an IP?

Serv-U appears to be our only security and eventually the current version will be deemed Not Secure, so before then how do we close the gap?


Thanks,
JeffP...

  • b) how to un-block an IP: find it in the Deny list and remove it (do not set it to Allow, simply remove it)

  • adding a few logs...
    206.81.. as well as 164.92... were both added manually to | IP Access, set as Deny.
    However, 140.238 was added by the noted rule (which is as intended)
     
    [02] Sat 26Feb22 12:41:12 - Connection denied from IP address 206.81.25.95 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Connected to 159.223.174.13 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Closed session
    [02] Sat 26Feb22 13:31:26 - (001170) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:26 - (001170) Closed session
    [02] Sat 26Feb22 13:31:27 - (001171) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:28 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:28 - (001171) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:28 - (001171) Closed session
    [02] Sat 26Feb22 13:31:28 - (001172) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:29 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:29 - (001172) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:29 - (001172) Closed session
    [02] Sat 26Feb22 13:31:30 - (001173) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:31 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:31 - (001173) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:31 - (001173) Closed session
    [02] Sat 26Feb22 13:31:31 - (001174) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:32 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:32 - (001174) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:32 - (001174) Closed session
    [02] Sat 26Feb22 13:31:33 - (001175) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:34 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:34 - (001175) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:34 - (001175) Closed session
    [02] Sat 26Feb22 13:31:34 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:42:27 - (001184) Connected to 164.92.192.200 (local address ***.***.**.***, port 22)

  • One aspect is that it takes the entire Time to Block, meaning if the limit were
    4 Times in 8 Seconds, then the Block will not occur after the 5th time until/unless 8 seconds have elapsed.

    Instead, the rule implies that on exceeding 4, at the 5th attempt at [02] Sat 26Feb22 13:31:31, the block/Connection denied should have occurred; instead it wasn't until after the 6th attempt and 8 seconds had elapsed.

    Is the above as intended? Meaning if the limit were 10 times in 60 seconds, the IP would Not be blocked if they tried 100 times until 60 seconds had elapsed...

  • Jeffry, you do see the logs show that an elapse of n seconds is needed to trigger a block even when the n attempts are exceeded; is this a bug or poor design? And having this one rule, as with any single rule, means the system is vulnerable to an intelligent attack?
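The two readings of the "4 times in 8 seconds" rule argued over above can be checked directly against the log excerpt in the thread. The script below is an added example, not code from the post or from SolarWinds/Serv-U, and it does not claim to be Serv-U's actual algorithm: it parses the quoted Serv-U lines (login failures are attributed to an IP through the session id of the "Connected to" line that opened the session), then models the rule two ways. Model A evaluates the rule on every event and blocks as soon as the limit is exceeded inside the trailing window; Model B, the behaviour the post describes, only evaluates once the window has elapsed. Against the excerpt, Model A would have denied 140.238.191.78 at 13:31:31 (the 5th connection) while Model B lands on 13:31:34, the time of the first "Connection denied" line in the log. The same functions, with limit 10 and window 60, show why 100 attempts in under 60 seconds are all let through under Model B and stopped at the 11th under Model A.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Trimmed excerpt of the Serv-U log lines quoted in the thread (same
# timestamps and IPs; local address masked exactly as in the post).
SAMPLE_LOG = """\
[02] Sat 26Feb22 12:41:12 - Connection denied from IP address 206.81.25.95 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:26 - (001170) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:26 - (001170) Closed session
[02] Sat 26Feb22 13:31:27 - (001171) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[06] Sat 26Feb22 13:31:28 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
[02] Sat 26Feb22 13:31:28 - (001171) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:28 - (001172) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:29 - (001172) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:30 - (001173) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:31 - (001173) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:31 - (001174) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:32 - (001174) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:33 - (001175) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:34 - (001175) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:34 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:42:27 - (001184) Connected to 164.92.192.200 (local address ***.***.**.***, port 22)
"""

# "[02] Sat 26Feb22 13:31:27 - (001171) <message>"; the session id is optional.
LINE_RE = re.compile(r'^\[\d{2}\] (?P<ts>\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - '
                     r'(?:\((?P<sess>\d+)\) )?(?P<msg>.*)$')
CONNECT_RE = re.compile(r'^Connected to (?P<ip>[\d.]+)')
FAIL_RE = re.compile(r'^Invalid login credentials')
DENY_RE = re.compile(r'^Connection denied from IP address (?P<ip>[\d.]+)')


def parse_events(log_text):
    """Return (timestamp, kind, ip) tuples, kind in {connect, login_failure, denied}.
    Failure lines carry no IP, so they are attributed via the session id of the
    'Connected to' line that opened the session; other lines are skipped."""
    session_ip, events = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%a %d%b%y %H:%M:%S')
        sess, msg = m['sess'], m['msg']
        c, d = CONNECT_RE.match(msg), DENY_RE.match(msg)
        if c:
            session_ip[sess] = c['ip']
            events.append((ts, 'connect', c['ip']))
        elif FAIL_RE.match(msg) and sess in session_ip:
            events.append((ts, 'login_failure', session_ip[sess]))
        elif d:
            events.append((ts, 'denied', d['ip']))
    return events


def sliding_window_block(events, ip, limit, window_seconds, kind='connect'):
    """Model A: rule evaluated on every event.  Blocks at the first event where
    more than `limit` events of `kind` from `ip` fall inside the trailing
    window; returns that timestamp, or None if the limit is never exceeded."""
    recent = deque()
    for ts, k, src in events:
        if k != kind or src != ip:
            continue
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > limit:
            return ts
    return None


def window_expiry_block(events, ip, limit, window_seconds, kind='connect'):
    """Model B: the behaviour described in the post (only the first window is
    modelled).  The window opens at the IP's first event and is judged once
    `window_seconds` have elapsed; if more than `limit` events landed inside
    it, the block takes effect at the window's end."""
    times = [ts for ts, k, src in events if k == kind and src == ip]
    if not times:
        return None
    start = times[0]
    hits = [t for t in times if (t - start).total_seconds() <= window_seconds]
    return start + timedelta(seconds=window_seconds) if len(hits) > limit else None


def first_denial(events, ip):
    """Timestamp of the first 'Connection denied' line logged for `ip`, or None."""
    return next((ts for ts, k, src in events if k == 'denied' and src == ip), None)


if __name__ == '__main__':
    ev, ip = parse_events(SAMPLE_LOG), '140.238.191.78'
    print('Model A (per-event) would block at :', sliding_window_block(ev, ip, 4, 8))
    print('Model B (window expiry) blocks at  :', window_expiry_block(ev, ip, 4, 8))
    print('log shows first denial at          :', first_denial(ev, ip))
```

Run it as-is and compare the three timestamps; pass `kind='login_failure'` instead of the default to count failed logins rather than connections, which is the other reading of "attempts" in the rule.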