cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Highlighted
Level 8

Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

I have hackers trying to login to a server and I was sending emails when they tried to login to honeypot accounts and manually adding them to IP blocks. This gets crazy with hundreds of emails to go through a day. I was thinking maybe I could run an executable to block the IP they are trying to login from (upon failed login event).. Anyone do this?

0 Kudos
6 Replies
Highlighted
Level 10

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

Serv-U's 'Event' action allows you to run a command line / program when such event occours, however I would be careful with this as it could launch many processes and you could run out of memory.

0 Kudos
Highlighted
Level 8

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

I have used the command line from event before to create specialized logs to capture bad actors. I was really wondering if there was a way command to block the ip the first time a user tries to login. I haven't seen any serv-u command line options documented anywhere yet. thanks.

0 Kudos
Highlighted
Level 10

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

Unfortunately there arn't any command line options directly for Serv-U. I'm not sure if the DLL integration would allow you to do it, I havent used that. If you get that working let us know!

You could use the command line to update a firewall instead - then that is in front of Serv-U entirely.

Highlighted
Level 8

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

I just got a response from tech support and I'm not sure why I didn't think of this sooner. I already had created "honeypot" accounts on serv-u to notify me that they were logging in or attempting to logging in. I just change that group IP access to deny all IPs. 

0 Kudos
Highlighted
Level 10

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

Thats an interesting solution. Does that mean you have to create those accounts (with some random complex password), add them to a group and the block all IPs?

The issue I can think of with this though is that they can still then try other user accounts/usernames on the same server without being blocked. So it only really blocks them if they use a honeypot account, which they get if you just dont create the account in the first place? Feel free to correct me if I'm wrong!

0 Kudos
Highlighted
Level 8

Re: Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

Yes this is how I did it. I've been logging all these bot attempts to login from around the world for about a month since our firewall team opened up the port to the world (which will be changing soon). I noticed the names of accounts they were trying to login as, so I created a group and those user accounts with crazy random passwords. I just set the group to block all IPs.  I was just having it all logged or sending me emails and then ading the IPs manually to the domain which was very tedious.

0 Kudos