• State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 20 subscribers
  • Views 1338 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Can you block an IP that attempts to login as a specific user account? eg. run an executable on event login failure?

jeffdorr

I have hackers trying to login to a server and I was sending emails when they tried to login to honeypot accounts and manually adding them to IP blocks. This gets crazy with hundreds of emails to go through a day. I was thinking maybe I could run an executable to block the IP they are trying to login from (upon failed login event).. Anyone do this?

  • 0

    Serv-U's 'Event' action allows you to run a command line / program when such event occours, however I would be careful with this as it could launch many processes and you could run out of memory.

  • 0 in reply to calc2014

    I have used the command line from event before to create specialized logs to capture bad actors. I was really wondering if there was a way command to block the ip the first time a user tries to login. I haven't seen any serv-u command line options documented anywhere yet. thanks.

  • 0 in reply to jeffdorr

    Unfortunately there arn't any command line options directly for Serv-U. I'm not sure if the DLL integration would allow you to do it, I havent used that. If you get that working let us know!

    You could use the command line to update a firewall instead - then that is in front of Serv-U entirely.

  • 0 in reply to calc2014

    I just got a response from tech support and I'm not sure why I didn't think of this sooner. I already had created "honeypot" accounts on serv-u to notify me that they were logging in or attempting to logging in. I just change that group IP access to deny all IPs. 

  • 0 in reply to jeffdorr

    Thats an interesting solution. Does that mean you have to create those accounts (with some random complex password), add them to a group and the block all IPs?

    The issue I can think of with this though is that they can still then try other user accounts/usernames on the same server without being blocked. So it only really blocks them if they use a honeypot account, which they get if you just dont create the account in the first place? Feel free to correct me if I'm wrong!

  • 0 in reply to calc2014

    Yes this is how I did it. I've been logging all these bot attempts to login from around the world for about a month since our firewall team opened up the port to the world (which will be changing soon). I noticed the names of accounts they were trying to login as, so I created a group and those user accounts with crazy random passwords. I just set the group to block all IPs.  I was just having it all logged or sending me emails and then ading the IPs manually to the domain which was very tedious.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.