
Blocking an IP if an unwanted user tries to log in to a forbidden account

I am looking for a function to block an IP if it is trying to log in to a
"forbidden account".

For example, we never log in as ADMINISTRATOR or ROOT, but many others try these accounts.

Is it possible to bind an event or similar so that the IP gets blocked for 30
minutes or similar?

We have anti-hammering enabled, but the people who do this are
"smart": they only try once per minute, but over a whole day that
becomes many tries.

  • This is actually fairly easy to do now with the current feature set and something I have done with our production environment...

    1. Create a dummy account to match what you're trying to block (root, www-data, etc.; common hack target IDs). Make the home folder an empty, read-only folder. Make the password a long random string of crap.

    2. On the Events tab for the user ID, create an Execute Command event for the "User Logon Failure" event.

    3. Create a CMD file on your server with this command and reference it in the event.  Pass the $IP variable to the CMD file.

    netsh advfirewall firewall add rule name = "Serv-U auto-banned" proto = any dir = in action = block enable = yes profile = any remoteip = %1

    That will create a Windows firewall rule immediately and no further traffic from the IP will be allowed. It's been working great for us for several years.
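As an added example (not part of the original thread and not Serv-U's own tooling): a PowerShell version of the script from step 3 that also covers the original question's 30-minute requirement by stamping each rule with an expiry and removing expired rules on a schedule. Assumed: the Serv-U event runs `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ServU\ban.ps1 -RemoteIp %1` (the path is a placeholder), a scheduled task runs the same script with `-Cleanup` every few minutes, and the account running it has the administrative rights needed to change firewall rules.

```powershell
# Added example, not from the original thread. Temporary Serv-U auto-ban with expiry.
# Assumed invocation from the "User Logon Failure" event (script path is a placeholder):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ServU\ban.ps1 -RemoteIp %1
# Assumed cleanup, e.g. a scheduled task every 5 minutes:  ... ban.ps1 -Cleanup
param(
    [string]$RemoteIp = '',
    [int]$BanMinutes = 30,
    [switch]$Cleanup
)

$RulePrefix = 'Serv-U auto-banned'

function Add-TempBan {
    param([string]$Ip, [int]$Minutes)
    # The event variable is attacker-influenced input: accept only a well-formed IP address
    # so nothing unexpected is ever passed on to the firewall cmdlets.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) {
        Write-Warning "Ignoring non-IP value from event: '$Ip'"
        return
    }
    # Never block loopback, so a failed local logon cannot lock out the server itself.
    if ([System.Net.IPAddress]::IsLoopback($parsed)) { return }

    $addr = $parsed.IPAddressToString
    $name = "$RulePrefix $addr"
    # One rule per IP: a repeat offender simply gets its expiry pushed out.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $expires = [DateTimeOffset]::UtcNow.AddMinutes($Minutes).ToUnixTimeSeconds()
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $addr -Profile Any -Enabled True `
        -Description "expires=$expires" | Out-Null
}

function Remove-ExpiredBans {
    # Drop every auto-ban rule whose stored expiry (Unix seconds) has passed.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue |
        Where-Object { $_.Description -match '^expires=(\d+)$' -and [long]$Matches[1] -le $now } |
        Remove-NetFirewallRule
}

if ($Cleanup) {
    Remove-ExpiredBans
} elseif ($RemoteIp) {
    Add-TempBan -Ip $RemoteIp -Minutes $BanMinutes
} else {
    Write-Error 'Pass -RemoteIp <address> to ban, or -Cleanup to remove expired bans.'
}
```

Because the expiry lives in the rule's Description, the ban survives a Serv-U restart and the cleanup task needs no separate state file.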

