Open for Voting
over 1 year ago

Blocking IP if an unwanted user tries to log in on a forbidden account

I am looking for a function to block an IP if they are trying to log in on a
"forbidden account".

Example: we never log in as ADMINISTRATOR or ROOT, but many others try these accounts.

Is it possible to bind an event or similar so that the IP gets blocked for 30
minutes or similar?

We have anti-hammering enabled, but the people that do this are
"smart": they only try once per minute, but over a whole day it
becomes many tries.

  • This is actually fairly easy to do now with the current feature set and something I have done with our production environment...

    1. Create a dummy account to match what you're trying to block (root, www-data, etc...  common hack target IDs).  Make the home folder an empty, read-only folder.  Make the password a long random string of crap.

    2. On the Events tab for the user ID, create an Execute Command event for the "User Logon Failure" event.

    3. Create a CMD file on your server with this command and reference it in the event.  Pass the $IP variable to the CMD file.

    netsh advfirewall firewall add rule name="Serv-U auto-banned" protocol=any dir=in action=block enable=yes profile=any remoteip=%1

    That will create a Windows firewall rule immediately and no further traffic from the IP will be allowed. It's been working great for us for several years.
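    The procedure above creates a permanent rule, while the question asks for a ban of about 30 minutes. The PowerShell script below is an added example (not the commenter's CMD file and not part of Serv-U): it takes the `$IP` passed by the "User Logon Failure" event, validates it, adds a named Windows Firewall block rule with an expiry stored in the rule description, and removes expired rules on each run. The script path `C:\ServU\ban-ip.ps1`, the log file location and the allow-list are assumptions.

```powershell
# ban-ip.ps1 (added example; assumed path C:\ServU\ban-ip.ps1).
# Wire it to the dummy account's "User Logon Failure" Execute Command event as:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ServU\ban-ip.ps1 "$IP"
param(
    [Parameter(Mandatory = $true)][string]$RemoteIp,
    [int]$BanMinutes = 30,                              # the 30-minute ban the question asks for
    [string]$RulePrefix = 'Serv-U auto-banned',
    [string]$LogFile = 'C:\ServU\auto-ban.log'          # assumed location
)

function Write-BanLog([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

# 1. Only a syntactically valid IP address may reach the firewall cmdlet.
#    The event variable is attacker-influenced input, so it is parsed,
#    never pasted into a command line.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($RemoteIp, [ref]$parsed)) {
    Write-BanLog "REJECTED: argument '$RemoteIp' is not an IP address"
    exit 1
}
$ip = $parsed.IPAddressToString

# 2. Never lock out loopback or your own management hosts (assumed allow-list).
$allowList = @('127.0.0.1', '::1')   # add admin workstations / monitoring hosts here
if ($allowList -contains $ip) {
    Write-BanLog "SKIPPED: $ip is on the allow-list"
    exit 0
}

# 3. Add the block rule. The expiry is stored in the rule description as a Unix
#    timestamp so step 4 can find and remove it without any separate state file.
$expires = [DateTimeOffset]::UtcNow.AddMinutes($BanMinutes).ToUnixTimeSeconds()
$name    = "$RulePrefix $ip"
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $ip -Profile Any -Description "expires=$expires" | Out-Null
    Write-BanLog "BANNED: $ip for $BanMinutes minutes"
}

# 4. Expire old bans. Doing this on every invocation is enough for a low event
#    rate; a scheduled task every few minutes is the more robust option.
$nowUnix = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue |
    Where-Object { $_.Description -match '^expires=(\d+)$' -and [long]$Matches[1] -lt $nowUnix } |
    ForEach-Object {
        Remove-NetFirewallRule -DisplayName $_.DisplayName
        Write-BanLog "UNBANNED: $($_.DisplayName)"
    }
```

    The script needs to run with administrative rights to change firewall rules; when Serv-U runs as a Windows service under LocalSystem that is already the case. Block rules in Windows Firewall take precedence over allow rules, so the ban applies regardless of the existing Serv-U allow rule.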


  • +1

    Currently I'm periodically processing failed login messages on specific login names with a PowerShell script to CSV which I import. The option to have it permanently/temporarily blocked aside from the anti-hammering settings would be very welcome.
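    As an added example of the log-scanning approach this comment describes (not the commenter's own script), the PowerShell below parses failed-login lines, keeps only attempts against accounts that are never used legitimately, counts them per source IP over a trailing 24-hour window so that one attempt per hour still adds up, and writes the candidates to a CSV. The log lines are constructed sample data in a generic shape; the real Serv-U log format differs, and the regular expression, the decoy account names and the output path are assumptions to adjust.

```powershell
# scan-failed-logins.ps1 (added example, not the commenter's script).
$ForbiddenUsers = @('administrator', 'root', 'www-data')   # assumed decoy account names
$Threshold      = 3                                         # hits per IP inside the window
$Window         = New-TimeSpan -Hours 24
$OutCsv         = 'C:\ServU\ban-candidates.csv'             # assumed output path

# Constructed sample lines (TEST-NET addresses). Point $pattern at your own
# log format; only the named groups ts, user and ip are used below.
$sampleLog = @(
    '2024-03-01 08:00:12 Login failed for user "root" from 203.0.113.5',
    '2024-03-01 09:01:40 Login failed for user "Administrator" from 203.0.113.5',
    '2024-03-01 10:02:07 Login failed for user "root" from 203.0.113.5',
    '2024-03-01 10:15:33 Login failed for user "alice" from 198.51.100.7',
    '2024-03-01 11:20:00 Login failed for user "www-data" from 198.51.100.9',
    '2024-02-20 02:00:00 Login failed for user "root" from 198.51.100.9'
)
$pattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Login failed for user "(?<user>[^"]+)" from (?<ip>[0-9A-Fa-f:.]+)$'

# Parse each line and keep only attempts against the forbidden accounts.
$hits = foreach ($line in $sampleLog) {
    if ($line -match $pattern -and ($ForbiddenUsers -contains $Matches['user'].ToLower())) {
        [pscustomobject]@{
            Ip   = $Matches['ip']
            User = $Matches['user']
            Time = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss', $null)
        }
    }
}

# Anchor the window on the newest entry so the constructed sample evaluates
# deterministically; on a live log use (Get-Date) instead.
$newest = ($hits | Sort-Object -Property Time -Descending | Select-Object -First 1).Time

$candidates = $hits |
    Where-Object { ($newest - $_.Time) -le $Window } |
    Group-Object -Property Ip |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Ip       = $_.Name
            Attempts = $_.Count
            Users    = (($_.Group.User | Sort-Object -Unique) -join ';')
            LastSeen = ($_.Group | Sort-Object -Property Time -Descending | Select-Object -First 1).Time
        }
    }

$candidates | Export-Csv -Path $OutCsv -NoTypeInformation
$candidates | Format-Table -AutoSize
# With the sample above only 203.0.113.5 (3 attempts) reaches the threshold;
# 198.51.100.9 has one attempt inside the window, the other is 10 days old.
```

    The CSV is the same kind of artefact the comment describes importing; each row carries the IP, the number of attempts, the decoy names it tried and the last time it was seen, which is enough to review before any block is applied.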

  • This is happening more and more now from various IPs. Seems like a great thing to add into the product.

  • This sounds more like something a NAC solution would do, not a monitoring one.