Serv-U mFTP Gateway - Security

Security... and not feeling so.

In the logs on the mFTP domain-facing Gateway there are many brute-force attempts to connect and to log in.

I've set the limit to catch and block forever many attempts in a short period of time; a user who attempts a few times over a longer period of time can also be blocked forever.

The server (desktop) firewall is OFF so that this domain accepts any IP, for partners who work remotely without a static IP.

Questions, in no particular order:

Firewall (desktop) configuration: is Off correct? If not, is there any guidance/best practice on FW configuration?

IPs blocked by | Limits & Settings | Connection Settings | Block Settings...
a) when IPs are added by these settings, 1) they're not noted as such, and 2) how do I know how an IP was added to the Domain Deny List?
b) how do I un-block an IP?

Serv-U appears to be our only security, and eventually the current version will be deemed Not Secure, so before then how do we close the gap?


Thanks,
JeffP...

  • adding a few logs...
    206.81.. as well as 164.92... were both added manually to | IP Access, set as Deny.
    However, 140.238 was added by the noted rule (which is as intended).
     
    [02] Sat 26Feb22 12:41:12 - Connection denied from IP address 206.81.25.95 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Connected to 159.223.174.13 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Closed session
    [02] Sat 26Feb22 13:31:26 - (001170) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:26 - (001170) Closed session
    [02] Sat 26Feb22 13:31:27 - (001171) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:28 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:28 - (001171) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:28 - (001171) Closed session
    [02] Sat 26Feb22 13:31:28 - (001172) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:29 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:29 - (001172) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:29 - (001172) Closed session
    [02] Sat 26Feb22 13:31:30 - (001173) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:31 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:31 - (001173) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:31 - (001173) Closed session
    [02] Sat 26Feb22 13:31:31 - (001174) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:32 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:32 - (001174) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:32 - (001174) Closed session
    [02] Sat 26Feb22 13:31:33 - (001175) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:34 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:34 - (001175) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:34 - (001175) Closed session
    [02] Sat 26Feb22 13:31:34 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:42:27 - (001184) Connected to 164.92.192.200 (local address ***.***.**.***, port 22)

  • Jeffry, you do see the logs show that it takes an elapse of n seconds to trigger a block even when the n attempts are exceeded; is this a bug or poor design? And having this one rule, as with any single rule, means the system is vulnerable to an intelligent attack?
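
The following Python script is an added example, not Serv-U's own code and not SolarWinds' actual block logic; it replays the log lines posted above (trimmed of the `[06]` event-log lines) and reproduces a "block after N failed logins within T seconds" rule to show when a block fires, how long elapsed before it fired, and how to record the reason alongside the deny-list entry. The threshold of 5 and window of 60 seconds are assumptions (the post does not give the configured values). Note that the `Invalid login credentials` line carries only the session number, so the script first maps session numbers to source IPs from the `Connected to` lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: the Serv-U gateway log lines posted in the thread, with the
# "[06] ... USER_LOGIN_FAILURE" event lines left out (the local address is
# masked there, so it is masked here too).
SAMPLE_LOG = """\
[02] Sat 26Feb22 12:41:12 - Connection denied from IP address 206.81.25.95 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 12:41:58 - (001169) Connected to 159.223.174.13 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 12:41:58 - (001169) Closed session
[02] Sat 26Feb22 13:31:26 - (001170) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:26 - (001170) Closed session
[02] Sat 26Feb22 13:31:27 - (001171) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:28 - (001171) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:28 - (001171) Closed session
[02] Sat 26Feb22 13:31:28 - (001172) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:29 - (001172) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:29 - (001172) Closed session
[02] Sat 26Feb22 13:31:30 - (001173) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:31 - (001173) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:31 - (001173) Closed session
[02] Sat 26Feb22 13:31:31 - (001174) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:32 - (001174) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:32 - (001174) Closed session
[02] Sat 26Feb22 13:31:33 - (001175) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:34 - (001175) Invalid login credentials; user: "root"; password: "**********"
[02] Sat 26Feb22 13:31:34 - (001175) Closed session
[02] Sat 26Feb22 13:31:34 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
[02] Sat 26Feb22 13:42:27 - (001184) Connected to 164.92.192.200 (local address ***.***.**.***, port 22)
"""

LINE_RE = re.compile(r"^\[\d+\] (\w{3} \d{1,2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - (.*)$")
CONNECT_RE = re.compile(r"^\((\d+)\) Connected to (\d{1,3}(?:\.\d{1,3}){3}) ")
FAIL_RE = re.compile(r'^\((\d+)\) Invalid login credentials; user: "([^"]*)"')
DENIED_RE = re.compile(r"^Connection denied from IP address (\d{1,3}(?:\.\d{1,3}){3}) ")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Replay the log and decide, per source IP, when an auto-block would fire.

    Returns (auto_blocked, denied_counts): auto_blocked maps IP -> a record that
    explains why it was blocked; denied_counts maps IP -> number of
    "Connection denied" lines, i.e. connections refused by an existing entry.
    Threshold and window are assumed values, not Serv-U's defaults.
    """
    session_ip = {}                 # session number -> source IP
    recent = defaultdict(deque)     # IP -> failure timestamps inside the window
    usernames = defaultdict(list)   # IP -> usernames tried, in order seen
    auto_blocked = {}
    denied_counts = defaultdict(int)

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %d%b%y %H:%M:%S")
        msg = m.group(2)

        d = DENIED_RE.match(msg)
        if d:
            denied_counts[d.group(1)] += 1
            continue
        c = CONNECT_RE.match(msg)
        if c:
            session_ip[c.group(1)] = c.group(2)
            continue
        f = FAIL_RE.match(msg)
        if not f:
            continue
        ip = session_ip.get(f.group(1))
        if ip is None or ip in auto_blocked:
            continue
        if f.group(2) not in usernames[ip]:
            usernames[ip].append(f.group(2))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            auto_blocked[ip] = {
                "ip": ip,
                "failure_count": len(q),
                "first_failure": q[0],
                "blocked_at": ts,
                "elapsed_seconds": (ts - q[0]).total_seconds(),
                "usernames": list(usernames[ip]),
                "reason": f"{len(q)} failed logins within {window_seconds}s",
            }
    return auto_blocked, dict(denied_counts)


def deny_list_entry(rec):
    """Render an annotated deny-list line so the origin of the entry is on record."""
    return (f'{rec["ip"]}  # auto-blocked {rec["blocked_at"]:%Y-%m-%d %H:%M:%S}: '
            f'{rec["reason"]} (users tried: {", ".join(rec["usernames"])})')


if __name__ == "__main__":
    blocked, denied = detect_bruteforce(SAMPLE_LOG)
    for rec in blocked.values():
        print(deny_list_entry(rec))
    for ip, n in denied.items():
        print(f"{ip}: {n} connection(s) refused by an existing deny entry")
```

Run against the posted lines, the rule fires on the fifth failure from 140.238.191.78 at 13:31:34, six seconds after the first one, which matches the point in the log where the "Connection denied" lines for that address begin; the two addresses the poster added manually produce no failures and so are never auto-blocked. Keeping the reason string next to the address (as `deny_list_entry` does) is one way to answer question (a) above, since the deny list itself does not record how an entry got there.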
