Serv-U Security Problems - IP Address Blocks

Here is a starting point for IP address to block.

I would very much like it if Solarwinds followed and implemented changes that the Forums come up with. However given I have seen messages that are 8 years old and I still do not see the requested features added I doubt that this will happen. I could give adjectives to describe Solarwinds, but what would be the point.

This post is to help the community that uses Serv-U and would like to increase there security by blocking a few IP addresses.

Best of Luck,

Tracybad-list.csv

Parents
  • Hope this is On Topic - the rule to block a "user" who tries 4 times in 30 seconds and block for 5 minutes may punish a "person" but not a BOT

    Changing the rule to, 4 times in 8 seconds and block forever will not likely block a person, "what person tries 4 times in 8 seconds?", but this seems harsh, and may block a BOT, but not all BOTs; some are sophisticated and try on one IP, see when they're blocked and with a different IP then try 3 times every 60 seconds FOREVER

    There should be an unlimited number of Rules not One Rule. And with just a little bit of thinking, create a few rules that will make it difficult for BOTs to make too many attempts before they're blocked.

    And last shot on this, if the rule is 4 times in 8 seconds, the block does not occur until 8 seconds, so if a BOT tries 5 or more times, they should be immediately blocked, but what I've seen in the logs, is that the programmers setup to wait till 8 seconds (whatever the value is in seconds, I'm simply using 8 seconds here), the keyword "within" means for example 6 times in 7 seconds they're blocked, but that's not what happens.

    Please fix the bug, and add more rules.

    Thanks

  • This is a long overdue request found in previous posts as well. Including "blacklisted" usernames which also trigger immediate block and country CIDr blocks.

  • here, here..!

    But the items to block by are too limited, consider that what I've seen is hackers guessing at the User Name, they could get lucky. And also what appears to be a bot set to get caught/blocked but then use the default SW as key, and then work-around, And also a bug, if it was 4 tires in 6 minutes, the next attack was 3 tries every 10 minutes and was never caught, so there should be more than one-rule to block. Consider that a user will not try 3-4 times in 30 seconds, but a bot will.

    For our install we have two domains, one white-list only works great, but we have another for our partners w/out static IP, so we allow all and block by rule, but that catches only those that the rule catches. A few times a month I check for users not in our list and block those IP.

    ...rant over, wish'n all a good day

  • Please submit to support so this is included as a formal feature request

Reply Children