I have hackers trying to log in to a server and I was sending emails when they tried to log in to honeypot accounts and manually adding them to IP blocks. This gets crazy with hundreds of emails to go through a day. I was thinking maybe I could run an executable to block the IP they are trying to log in from (upon failed login event). Anyone do this?
Serv-U's 'Event' action allows you to run a command line / program when such an event occurs; however, I would be careful with this as it could launch many processes and you could run out of memory.
I have used the command line from an event before to create specialized logs to capture bad actors. I was really wondering if there was a way or command to block the IP the first time a user tries to log in. I haven't seen any Serv-U command line options documented anywhere yet. Thanks.
Unfortunately there aren't any command line options directly for Serv-U. I'm not sure if the DLL integration would allow you to do it; I haven't used that. If you get that working, let us know!
You could use the command line to update a firewall instead - then that is in front of Serv-U entirely.
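One way to do what the reply above suggests, as an added example that is not part of this thread or Serv-U's own code: a small script the Event action could launch with the client address as its argument, which counts failures per IP and adds a Windows Firewall block rule once a threshold is reached, so a flood of attempts does not spawn a firewall change every time. The name of the Serv-U event variable that carries the client address, the netsh-based rule, and the threshold are assumptions.

```python
#!/usr/bin/env python3
"""Failed-login blocker (added example; not Serv-U's or SolarWinds' code).
Run from a Serv-U 'Event' action as: python block_ip.py <client-ip>  (the exact
event variable that carries the client address is an assumption; check the docs).
Failures are counted in a JSON file and the firewall command runs only once a
threshold is crossed, so a flood of attempts does not spawn a rule change each."""
import ipaddress, json, os, subprocess, sys, time

STATE = os.path.join(os.path.dirname(os.path.abspath(sys.argv[0])), "failed_logins.json")
THRESHOLD = 3   # failures before blocking (constructed value, tune to taste)
WINDOW = 600    # seconds; failures older than this are forgotten

def load_state(path=STATE):
    try:
        with open(path) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {}

def valid_public_ip(text):
    """Normalised IP string, or None for junk, loopback and private ranges, so a
    malformed event value can never produce a rule that blocks the LAN or host."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return None
    return str(ip)

def record_failure(state, ip, now, window=WINDOW, threshold=THRESHOLD):
    """Record one failure; return True exactly once, when the threshold is reached."""
    hits = [t for t in state.get(ip, []) if now - t < window] + [now]
    state[ip] = hits
    return len(hits) == threshold

def firewall_command(ip):
    """Inbound block rule for Windows Firewall via netsh (assumed platform: Windows)."""
    return ["netsh", "advfirewall", "firewall", "add", "rule", f"name=ServU-block-{ip}",
            "dir=in", "action=block", f"remoteip={ip}"]

if __name__ == "__main__":
    ip = valid_public_ip(sys.argv[1]) if len(sys.argv) > 1 else None
    if ip:
        state = load_state()
        if record_failure(state, ip, time.time()):
            subprocess.run(firewall_command(ip), check=False)
        with open(STATE, "w") as f:
            json.dump(state, f)
```

Because the rule is only added on the threshold hit and the script exits immediately otherwise, each event launch stays short-lived, which keeps the process and memory concern raised earlier in check.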
I just got a response from tech support and I'm not sure why I didn't think of this sooner. I had already created "honeypot" accounts on Serv-U to notify me that they were logging in or attempting to log in. I just changed that group's IP access to deny all IPs.
That's an interesting solution. Does that mean you have to create those accounts (with some random complex password), add them to a group and then block all IPs?
The issue I can think of with this, though, is that they can still then try other user accounts/usernames on the same server without being blocked. So it only really blocks them if they use a honeypot account, which they get if you just don't create the account in the first place? Feel free to correct me if I'm wrong!
Yes, this is how I did it. I've been logging all these bot attempts to log in from around the world for about a month since our firewall team opened up the port to the world (which will be changing soon). I noticed the names of accounts they were trying to log in as, so I created a group and those user accounts with crazy random passwords. I just set the group to block all IPs. I was just having it all logged or sending me emails and then adding the IPs manually to the domain, which was very tedious.