• State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 21 subscribers
  • Views 1769 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Serv-U mFTP Gateway - Security

jeffpahf

Security... and not feeling so.

In logs on mFTP domain facing Gateway there are many brute force attempts to Connect and to Login

I've set the limit to catch & block forever many attempts in short period of time vs a user who attempts a few times in a longer period of time, they too can be blocked forever

Server (desktop) Firewall is OFF to accept any IP on this domain to partners who work remote without static IP

Questions in no particular order

Firewall (desktop) configuration, is Off correct? If not correct is there any guidance/best practice on FW configuration?

Blocked IP by |Limits & Settings, |Connection Settings, |Block Settings...
a) when IP are added by these Settings, 1) they're not noted as such, 2) how to know how an IP was added to the Domain Deny List?
b) how to un-block an IP ?

Serv-U appears to be our only security and eventually the current version will be deemed Not Secure, so before then how do we close the gap?


Thanks,
JeffP...

Parents
  • 0

    adding a few logs...
    206.81.. as is 164.92... both added manually to | IP Access, set as Deny, 
    However, 140.238 was added by noted rule (which is as intended)
     
    [02] Sat 26Feb22 12:41:12 - Connection denied from IP address 206.81.25.95 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Connected to 159.223.174.13 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 12:41:58 - (001169) Closed session
    [02] Sat 26Feb22 13:31:26 - (001170) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:26 - (001170) Closed session
    [02] Sat 26Feb22 13:31:27 - (001171) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:28 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:28 - (001171) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:28 - (001171) Closed session
    [02] Sat 26Feb22 13:31:28 - (001172) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:29 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:29 - (001172) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:29 - (001172) Closed session
    [02] Sat 26Feb22 13:31:30 - (001173) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:31 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:31 - (001173) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:31 - (001173) Closed session
    [02] Sat 26Feb22 13:31:31 - (001174) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:32 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:32 - (001174) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:32 - (001174) Closed session
    [02] Sat 26Feb22 13:31:33 - (001175) Connected to 140.238.191.78 (local address ***.***.**.***, port 22)
    [06] Sat 26Feb22 13:31:34 - Event: USER_LOGIN_FAILURE (Event 03); Type: EVENT LOG
    [02] Sat 26Feb22 13:31:34 - (001175) Invalid login credentials; user: "root"; password: "**********"
    [02] Sat 26Feb22 13:31:34 - (001175) Closed session
    [02] Sat 26Feb22 13:31:34 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:31:35 - Connection denied from IP address 140.238.191.78 (local address ***.***.**.***, port 22)
    [02] Sat 26Feb22 13:42:27 - (001184) Connected to 164.92.192.200 (local address ***.***.**.***, port 22)

  • 0 in reply to jeffpahf

    Jeffry, you do see the logs show that an elapse of n seconds to trigger a block even when the n attempts are exceeded; this is a bug or poor design? And having this One rule as with any single rule means the system is vulnerable to an intelligent attack?

Reply
  • 0 in reply to jeffpahf

    Jeffry, you do see the logs show that an elapse of n seconds to trigger a block even when the n attempts are exceeded; this is a bug or poor design? And having this One rule as with any single rule means the system is vulnerable to an intelligent attack?

Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.