Level 8

Can you block an IP that attempts to log in as a specific user account? e.g. run an executable on event login failure?

I have hackers trying to log in to a server and I was sending emails when they tried to log in to honeypot accounts and manually adding them to IP blocks. This gets crazy with hundreds of emails to go through a day. I was thinking maybe I could run an executable to block the IP they are trying to log in from (upon failed login event). Anyone do this?

0 Kudos
6 Replies
Level 10

Serv-U's 'Event' action allows you to run a command line / program when such an event occurs, however I would be careful with this as it could launch many processes and you could run out of memory.

0 Kudos

I have used the command line from event before to create specialized logs to capture bad actors. I was really wondering if there was a command to block the IP the first time a user tries to log in. I haven't seen any Serv-U command line options documented anywhere yet. Thanks.

0 Kudos

Unfortunately there aren't any command line options directly for Serv-U. I'm not sure if the DLL integration would allow you to do it, I haven't used that. If you get that working let us know!

You could use the command line to update a firewall instead - then that is in front of Serv-U entirely.

I just got a response from tech support and I'm not sure why I didn't think of this sooner. I already had created "honeypot" accounts on Serv-U to notify me that they were logging in or attempting to log in. I just changed that group's IP access to deny all IPs.

0 Kudos

That's an interesting solution. Does that mean you have to create those accounts (with some random complex password), add them to a group and then block all IPs?

The issue I can think of with this though is that they can still then try other user accounts/usernames on the same server without being blocked. So it only really blocks them if they use a honeypot account, which they get if you just don't create the account in the first place? Feel free to correct me if I'm wrong!

0 Kudos

Yes this is how I did it. I've been logging all these bot attempts to log in from around the world for about a month since our firewall team opened up the port to the world (which will be changing soon). I noticed the names of accounts they were trying to log in as, so I created a group and those user accounts with crazy random passwords. I just set the group to block all IPs. I was just having it all logged or sending me emails and then adding the IPs manually to the domain which was very tedious.

0 Kudos
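
One way to implement the idea raised in this thread (a program launched from a Serv-U event that updates the host firewall), as an added example that is not code from any poster or from Serv-U. It assumes the event's command line passes the login name and client IP as two arguments, a Windows host where `netsh advfirewall` runs with administrator rights, and constructed sample honeypot names, trusted ranges and state-file name. It exits quickly and adds at most one rule per address, which limits the process and rule pile-up mentioned above.

```python
import ipaddress
import subprocess
import sys

# Constructed sample values: replace with your own honeypot names and trusted ranges.
HONEYPOT_USERS = {"admin", "test", "oracle"}
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


def block_command(username, ip_text, already_blocked):
    """Return the netsh argument list for a new block rule, or None if no rule is needed."""
    if username.strip().lower() not in HONEYPOT_USERS:
        return None                      # only honeypot logins trigger a block
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None                      # never hand unvalidated text to the firewall
    if any(ip in net for net in NEVER_BLOCK):
        return None                      # do not lock out internal or trusted ranges
    if str(ip) in already_blocked:
        return None                      # one rule per address, no duplicates
    already_blocked.add(str(ip))
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=honeypot-block-{ip}", "dir=in", "action=block", f"remoteip={ip}"]


def main(argv, state_path="blocked_ips.txt"):
    if len(argv) != 3:                   # expected: script.py <login name> <client ip>
        return 2
    try:
        with open(state_path) as fh:
            seen = {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        seen = set()
    cmd = block_command(argv[1], argv[2], seen)
    if cmd is None:
        return 0
    subprocess.run(cmd, check=True)      # argument list, so no shell parsing of the input
    with open(state_path, "a") as fh:
        fh.write(cmd[-1].split("=", 1)[1] + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
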