Automated Failed Account/Client Login 0 Minutes Setting - How To Reset?

Question

How To Re-Set the 0 Minutes forever denied setting?

Literally within minutes after updating the server on 12/23 for one account/client are getting denied; below find both Client logs and mFTP server logs

Client log 21:30 my time 00:30 client time

12/24/2022 00:30:19 1 0 O Global *** Scripting Step Begin: [FTP_Connect_Success]
12/24/2022 00:30:19 16 0 O Global Successfully connected to FTP site mysecure.org///toHSA
12/24/2022 00:30:19 1 0 O Global *** Scripting Step End: [FTP_Connect_Success] completed.

Client log 1 hour later after the update

12/24/2022 01:30:09 4 19 O Global Error during connect: The FTP Queue Component was unable to connect to FTP Server at 'mysecure.org///toHSA.' java.net.ConnectException: A remote host refused an attempted connect operation. (Connection refused). Please verify that the server, username, password and port number are correct.
12/24/2022 01:30:09 1 19 O Global *** Queue Step End: [SFTP_Connect] failed.

The site Setting(s) are 4 times in 8 seconds, 0 Minutes blocked (forever)

Global Dashboard note: <octets removed> by me
[02] Tue 03Jan23 08:30:07 - Connection denied from IP address 63.<octets removed> (local address 192.<octets removed>, port 22)

At about 08:40, Changed 0 minutes to 1 Minutes and checking the log...
[02] Tue 03Jan23 09:30:07 - Connection denied from IP address 63.<octets removed> (local address 192.<octets removed>, port 22)

Thanks,
JeffP...

calc2014 · Answer

I have now posted about the cause of this issue with JSch and other clients in a separate specific thead.. 
 
 JSch (and other software) can't connect to Serv-U 15.3.2 
 https://thwack.solarwinds.com/product-forums/serv-u-ftp-mft/f/forum/97585/jsch-and-other-software-can-t-connect-to-serv-u-15-3-2

jeffpahf · Answer

Please check the site tab, "IP Access" the client's IP, if there as Deny, then depending on your rules, to explicitly allow select IPs then you can Allow if you have this rule to list each IP for all clients, Or if not, then delete the IP on this tab. So, I found the IP, and deleted and waited for next client automation cycle... and no more Denied

calc2014 · Answer

Thanks for the info jeffpahf - is the DSA key set at the server or domain level? If you select the old DSA key again, does it work?

calc2014 · Answer

Yes, if you need to use the old key fingerprint, maybe you can re-select it in the Management Console at the domain level and then it will retain the same fingerprint. It is located in Domain > Limits & Settings > Encryption. Worth a try? 
 For what it's worth, I have just replicated this process by creating and applying a DSA key before upgrading to 15.3.2, upgraded and it was still there and the fingerprint remains the same. 
 Was your DSA key set at the server level in the Management Console or on a specific Domain? 
 
 On the other point, yes, as you said, the snapshot will only be useful if it doesnt include the data drive. If you needed to revert you could try keeping a copy of the "Program Files" and "ProgramData" folders related to Serv-U. Theres no garuntee this would be "complete" but it is better than nothing for reverting or having something to restore from if you needed to speak to support. Might be worth raising a ticket with support about the official reverting process for 15.3.2 as others may want to know that here for testing?

calc2014 · Answer

If your users have accepted the new fingerprint it will probably be best to just leave it on an RSA fingerprint now. 
 If you need to go back to DSA or understand what happened, you'll need a copy of the old configuration from ProgramData so that you can see what fingerprint file it was pointing to before the upgrade. 
 The domain key is used first, if there isn't one defined at the domain level, the server-level key is used (see 15.3.2 release notes for a fix to this, but personally I've never had the issue).

calc2014 · Answer

The server identity is a new feature and not related. I was referring to this line in the release notes..

01085165 
 Empty Definition of a domain SSH Private Key blocks using the Server-wise defined Key.

I've not experienced this in the past but maybe it has specific circumstances. 
 
 Once your end users have accepted the RSA key you should be fine ongoing and it may best to swap to this long term anyway.

Automated Failed Account/Client Login 0 Minutes Setting - How To Reset?

Top Replies