0 votes
6.3k views
in CompleteFTP by (240 points)
A little about what I am up against.
Internet sites get pounded hard. I get around 5 Auto-Bans a day. Then I notice sites that try to make password guesses 3 per hour to avoid banning. If I change the settings to ban for 8 guesses in 3 hours I catch these, I think. However, I am not sure that if you guess 10 times per minute it is banned until the 3 hours are up. This would allow hundreds of guesses before being banned. Am I wrong?
So obviously changing to a white list would be preferable. The problem there is that if your users are on wireless cards from Verizon, AT&T, T-Mobile, etc., the IP address changes every time the user connects. I hesitate opening up the white list to entire blocks of a provider unless the auto-ban feature will allow auto-banning single IPs within an allowed IP range.
As an aside, it would be more accurate to allow a sub-net range using CIDR notation; not all sub-nets are on 16-bit boundaries.

Thanks for any help or advice provided.

Brian

6 Answers

0 votes
by (51.4k points)
Hi Brian

A little about what I am up against.
Internet sites get pounded hard. I get around 5 Auto-Bans a day. Then I notice sites that try to make password guesses 3 per hour to avoid banning. If I change the settings to ban for 8 guesses in 3 hours I catch these, I think. However, I am not sure that if you guess 10 times per minute it is banned until the 3 hours are up. This would allow hundreds of guesses before being banned. Am I wrong?

The auto-ban checks are run each time a login fails - they don't run on a timer, so what should happen is that they get auto-banned on their 8th failed attempt within the three-hour period, regardless of how quickly they happen. Is it misbehaving for you?

So obviously changing to a white list would be preferable. The problem there is that if your users are on wireless cards from Verizon, AT&T, T-Mobile, etc., the IP address changes every time the user connects. I hesitate opening up the white list to entire blocks of a provider unless the auto-ban feature will allow auto-banning single IPs within an allowed IP range.

Yes, this is a problem. I don't have a solution for you. The latest version of CompleteFTP allows you to specify more password rules (mixed-case, digits and special characters), so it's a good idea to enable those.

As an aside, it would be more accurate to allow a sub-net range using CIDR notation; not all sub-nets are on 16-bit boundaries.

We've added a todo for this.

- Hans (EnterpriseDT)
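To make Hans's description concrete, here is an added example (my own Python, not CompleteFTP's code) of an auto-ban check that runs on every failed login and bans a source on its Nth failure inside a sliding window, however fast the failures arrive. The 3-failures-in-1-hour rule in the last call is a hypothetical setting, the one-year ban length is an assumption, and the address is a constructed sample.

```python
from collections import defaultdict, deque

# Added example, not CompleteFTP's own code. The check runs on each failed
# login (no timer) and bans the source on its Nth failure within W seconds.
class AutoBanner:
    def __init__(self, max_failures=8, window_seconds=3 * 3600,
                 ban_seconds=365 * 24 * 3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.ban_seconds = ban_seconds       # a very long period is effectively permanent
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # ban expired, forget it
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Call on each failed login; returns True if the source is now banned."""
        if self.is_banned(ip, now):
            return True
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
            return True
        return False

def attempts_before_ban(banner, ip, interval_seconds, max_attempts=1000):
    """Simulate a guesser failing once every interval_seconds.
    Returns the attempt number that triggered the ban, or None if none did."""
    for n in range(1, max_attempts + 1):
        if banner.record_failure(ip, (n - 1) * interval_seconds):
            return n
    return None

if __name__ == "__main__":
    ip = "203.0.113.5"                                     # constructed sample
    print(attempts_before_ban(AutoBanner(), ip, 6))        # 10 guesses/minute -> 8
    print(attempts_before_ban(AutoBanner(), ip, 1200))     # 3 guesses/hour -> 8
    # hypothetical 3-in-1-hour rule vs a guesser spacing attempts just over 30 min
    print(attempts_before_ban(AutoBanner(3, 3600), ip, 1801))  # never banned
```

With the 8-in-3-hours rule both the fast and the slow guesser are banned on the 8th failure; only a window shorter than the guesser's spacing lets them stay under the limit.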
0 votes
by (240 points)
Hans,
Thanks for your reply.

I do not think the auto-ban is misbehaving. I just was having a hard time interpreting the data.

I am using the better password requirements.

After reading some other posts and replies I finally understand what you have been telling others. Let your firewall be your first line of defense. Let the firewall implement an adequate whitelist and allow the auto-ban to get the individual IPs. Between these two levels of security I will get what I am looking for.

Thanks for your help.

Brian
0 votes
by (51.4k points)
Hi Brian

Is there anything that you can think of that would've made it easier to interpret the data? I mean, are there any improvements that we can make?

- Hans (EnterpriseDT)
0 votes
by (240 points)
I am trying to read the logs to gain a complete picture of what is going on. It is not obvious to me what each log is for, so I have to look at ServiceErrors, ServiceRecent, and Audit, as well as look at Monitoring/Auto-Bans. To try to make it easier on myself I import the logs into Splunk. The problem there is that Splunk can import them easily enough; however, there are no recognizable key fields to search on. Splunk provides a little help on this: http://dev.splunk.com/view/SP-CAAADP6. Basically, make keys like IP_Addr=129.138.111.222 or IN_Addr=129.138.111.222, USERNAME=localuser, and put messages in quotes.
Possibly something like:
2012-06-04 11:31:42,444 INFO AutoBanner [771] IP_address=129.238.111.222 was banned for 2000000s after 9 attempts over a period of 10800000s
2012-06-05 04:59:17,919 INFO SocketListener "Denied connection" on port=22 from IP_ADDR=129.138.111.222 due to rule="Deny 129.138.111.222"
The above should possibly be WARN rather than INFO
2012-06-04 15:32:46,603 WARN HTTPConnection "Authentication failed" for user=fred from IP_ADDR=129.238.111.222 Error="Logon failure: unknown user name or bad password"
2012-06-04 14:54:12,713 INFO WindowsImpersonation "Windows logon succeeded" for user=fred from IP_ADDR=129.238.111.222 - Interactive

If all the important security relevant information was in Audit or a separate security log, that would be helpful.

Also there seems to be a math or unit error in the logs.
IP address 111.222.333.444 was banned for 2000000s after 9 attempts over a period of 10800000s <-- should be 10800.

In the above case what I really want is 8 failures without a success over any time period to result in a permanent ban. Harsh I know, but, the internet is an icky place.

Just some of my thoughts. I hope it helps.

Brian
0 votes
by (51.4k points)
Yes, thank you, that was very helpful.

Regarding the log files, we've changed the names of the logs to errors.log and diagnostics.log. The console and service versions will both use the same files. Also the errors.log file will contain only errors, so that should make it much clearer.

We've fixed the error which showed the wrong times in auto-ban messages.

With respect to banning anyone who fails 9 times, you can just use a really long period - e.g. one year.

I'm not sure about tagging fields, such as the IP address. Do you mean that these tags should appear on every line so that you can, for example, select all the log-lines with a particular IP address?

- Hans (EnterpriseDT)
0 votes
by (240 points)
Yes, I want to be able to search. I should be able to pull out all the messages from one session, even if multiple users are logging in at the same time. Each session should have a unique ID so I know what messages go together. That may be the source IP. Give every important piece of information a name and be consistent. Important information includes things like source IP, destination IP, username, protocol or port. Some suggestions are Src_IP=33.44.55.66, Dest_IP=11.22.33.44, Username=xxxxxx, Port=22, rule="a rule", message="an error message". If you use the tag with the equal sign, and wrap messages in quotes, logging programs like Splunk can catalog them easily and allow searching and graphing. Also add the source IP to messages like "authentication failed" so I know whether or not the user is coming from the IP I have recorded as valid.
I ultimately want to know who is knocking on my door, how often, how loud, and whether they come back. I want to know if a user is having problems or not. You do not need to provide those items in your software if the logs are good enough for me to extract the information.

BTW I am enjoying the server. It is working well. Users are getting what they need done. Also I have implemented the whitelist on the firewall, so I am no longer getting multiple auto-bans per day.

Brian
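As an added example that is not part of the thread or of CompleteFTP, here is a small parser for the key=value log style Brian proposes in both of his posts above: the quoted text becomes a message field and every name=value pair becomes a searchable key, so failed logins can be grouped per source IP the way a Splunk search would. The log lines are constructed samples using documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style proposed in the thread
# (not real CompleteFTP output; the addresses are documentation ranges).
SAMPLE_LOG = """\
2012-06-04 14:54:12,713 INFO WindowsImpersonation "Windows logon succeeded" for user=fred from IP_ADDR=198.51.100.20 - Interactive
2012-06-04 15:32:46,603 WARN HTTPConnection "Authentication failed" for user=fred from IP_ADDR=203.0.113.7 Error="Logon failure: unknown user name or bad password"
2012-06-04 15:33:01,110 WARN HTTPConnection "Authentication failed" for user=admin from IP_ADDR=203.0.113.7 Error="Logon failure: unknown user name or bad password"
2012-06-05 04:59:17,919 INFO SocketListener "Denied connection" on port=22 from IP_ADDR=203.0.113.7 due to rule="Deny 203.0.113.7"
"""

# timestamp, level, logging component, then the free-form remainder
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<component>\S+) (?P<rest>.*)$')
# key=value where the value is a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# the quoted message at the start of the remainder
MSG_RE = re.compile(r'^"([^"]*)"')

def parse_line(line):
    """Return a dict of named fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "component": m["component"]}
    rest = m["rest"]
    msg = MSG_RE.match(rest)
    if msg:
        rec["message"] = msg.group(1)
    for key, raw, quoted in KV_RE.findall(rest):
        rec[key.lower()] = quoted if raw.startswith('"') else raw  # unquote if needed
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def failures_by_ip(records):
    """Count 'Authentication failed' events per source address."""
    counts = defaultdict(int)
    for r in records:
        if r.get("message") == "Authentication failed" and "ip_addr" in r:
            counts[r["ip_addr"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in failures_by_ip(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed logins")
```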
