The “Auto-Blocking” page
The other use of the IP manager is to configure an auto-blocking policy for the FTP server. Administrators can use the auto-blocking policy to help prevent DoS (Denial of Service) attacks and brute-force password guessing. When auto-blocking is enabled, an IP address from which logins repeatedly fail is blocked from making further attempts once a configured number of failures is reached. Both the number of failed attempts allowed and the length of time the address stays blocked are configured on the “Auto-Blocking” page.
When Enable Auto-Blocking is enabled, a failed attempt is recorded whenever a user enters an incorrect password or tries to log in with an invalid username. If Enable DoS Protection is also selected, every connection to the server counts towards auto-blocking, even one that never attempts to authenticate. This helps against DoS attacks that try to tie up connections and overwhelm the server, and against scanners that continually probe the server with garbage data looking for vulnerabilities. Because every connection then counts, set the threshold high enough that a legitimate client opening several connections at once does not trip it. A successful login from an IP address resets the “Failed login attempts” counter for that address to zero.
The number of failed login attempts allowed before an address is blocked is configured in the Pre-Blocked Settings frame. The Time before login counter reset edit control sets how much time must elapse before the Failed login attempt counter for an address is reset to zero.
The length of time an address is blocked can be configured using the Auto-Block Timeout setting. Select the Forever radio button to block a flagged IP address indefinitely, or select the “Block for X minutes” radio button to set the length of time the address is blocked. Once an address is blocked, the timeout period must elapse before the address is allowed to log in again.
IP addresses that have recently failed logins but have not yet exceeded the Failed login attempt threshold are displayed in the IP Addresses being “watched” list view. You can delete an address from this list at any time; deleting it resets the Failed login attempt counter for that address to zero.
Immediately Ban these Users
Certain usernames are often tried by automated bots. You can configure Cerberus to immediately block the IP address of any connection that attempts to log in using one of these banned usernames, regardless of how many failed attempts that address has accumulated.
Differences in Auto-blocking between Blacklist mode and Whitelist mode
How auto-blocking works depends on whether the IP manager is operating in Blacklist or Whitelist mode. When the IP manager is a Blacklist (denying the addresses listed in the IP manager), an IP address that exceeds the failed login attempt threshold is added to the deny list.
In Whitelist mode (only the listed addresses may log in to the server), an IP address that exceeds the failed login threshold is either removed from the IP manager’s list of allowed addresses (if Auto-Block Timeout is set to Forever) or blocked for the Auto-Block Timeout period. The exception is an address that is covered by a range entry: the allowed range itself is not deleted. Note that with Forever, a legitimate address that exhausts its attempts stays blocked until an administrator removes it from the deny list or re-adds it to the allow list.
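The following is an added model of the auto-blocking rules described on this page, written for illustration; it is not Cerberus FTP Server code and its class and method names are invented. It treats time as plain seconds, blocks an address as soon as its counter reaches the threshold, measures the counter reset window from the address's most recent failure, and, for the Whitelist-plus-Forever case where the address sits inside an allowed range, records a permanent per-address block rather than touching the range. Each of those boundary choices is an assumption about behaviour the page does not spell out.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Policy:
    dos_protection: bool = False           # "Enable DoS Protection"
    max_failures: int = 3                  # "Failed login attempts" threshold
    counter_reset_secs: int = 600          # "Time before login counter reset"
    block_secs: Optional[int] = 900        # "Block for X minutes"; None models "Forever"
    banned_usernames: frozenset = frozenset({"root", "admin", "test"})
    whitelist_mode: bool = False           # IP manager as Whitelist instead of Blacklist


class AutoBlocker:
    """Illustrative model (assumed names); times are seconds since an arbitrary epoch."""

    def __init__(self, policy: Policy, ip_list=()):
        self.policy = policy
        self.ip_list = set(ip_list)   # IP manager entries: "203.0.113.7" or "10.0.1.0/24"
        self.watched = {}             # ip -> (failures, time of last failure): the "watched" list
        self.blocked = {}             # ip -> expiry time, or None for a permanent block

    def _entry_covering(self, ip):
        """Return the IP manager entry (single address or range) containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        for entry in self.ip_list:
            if addr in ipaddress.ip_network(entry, strict=False):
                return entry
        return None

    def is_blocked(self, ip, now) -> bool:
        if ip in self.blocked:
            expiry = self.blocked[ip]
            if expiry is None or now < expiry:
                return True
            del self.blocked[ip]      # Auto-Block Timeout has elapsed
        listed = self._entry_covering(ip) is not None
        # Blacklist: listed addresses are denied. Whitelist: unlisted addresses are denied.
        return listed if not self.policy.whitelist_mode else not listed

    def _block(self, ip, now):
        p = self.policy
        self.watched.pop(ip, None)    # a blocked address leaves the watched list
        if p.block_secs is not None:
            self.blocked[ip] = now + p.block_secs
        elif not p.whitelist_mode:
            self.ip_list.add(ip)      # Blacklist + Forever: add the address to the deny list
        else:
            entry = self._entry_covering(ip)
            if entry is not None and ipaddress.ip_network(entry, strict=False).num_addresses == 1:
                self.ip_list.discard(entry)   # Whitelist + Forever: drop the single-address entry
            else:
                self.blocked[ip] = None       # range entry is kept; block only this address (assumed)

    def _record_failure(self, ip, now):
        failures, last = self.watched.get(ip, (0, now))
        if now - last > self.policy.counter_reset_secs:
            failures = 0              # reset window elapsed since the last failure (assumed basis)
        failures += 1
        if failures >= self.policy.max_failures:
            self._block(ip, now)
        else:
            self.watched[ip] = (failures, now)

    def forget(self, ip):
        """Administrator deletes the address from the watched list: counter back to zero."""
        self.watched.pop(ip, None)

    def connect(self, ip, now) -> bool:
        """A new connection arrives; returns True if it is admitted."""
        if self.is_blocked(ip, now):
            return False
        if self.policy.dos_protection:
            self._record_failure(ip, now)   # every connection counts, even with no login attempt
            return not self.is_blocked(ip, now)
        return True

    def login(self, ip, username, password_ok, now) -> str:
        """An authentication attempt on an admitted connection: 'ok', 'failed' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if username in self.policy.banned_usernames:
            self._block(ip, now)            # "Immediately Ban these Users"
            return "blocked"
        if password_ok:
            self.forget(ip)                 # a successful login resets the counter to zero
            return "ok"
        self._record_failure(ip, now)       # wrong password or unknown username
        return "blocked" if self.is_blocked(ip, now) else "failed"


def run_scenarios():
    """Constructed event sequences (sample data, not real traffic) exercising each rule."""
    out = {}
    bl = AutoBlocker(Policy())                          # Blacklist, block for 900 s
    ip = "203.0.113.7"
    out["first_two"] = [bl.login(ip, "alice", False, 0), bl.login(ip, "nobody", False, 10)]
    out["watched_after_two"] = bl.watched[ip]
    out["third"] = bl.login(ip, "alice", False, 20)     # threshold reached: blocked until t=920
    out["during_block"] = bl.login(ip, "alice", True, 100)
    out["after_timeout"] = bl.login(ip, "alice", True, 920)
    ip2 = "198.51.100.5"                                # counter reset window
    bl.login(ip2, "bob", False, 0); bl.login(ip2, "bob", False, 10)
    out["stale_then_fail"] = (bl.login(ip2, "bob", False, 700), bl.watched[ip2])
    ip3 = "192.0.2.9"                                   # success resets the counter
    bl.login(ip3, "carol", False, 0); bl.login(ip3, "carol", False, 5); bl.login(ip3, "carol", True, 6)
    out["reset_by_success"] = ip3 not in bl.watched
    out["banned_user"] = bl.login("198.51.100.77", "root", False, 0)
    forever = AutoBlocker(Policy(block_secs=None))      # Blacklist + Forever
    for t in range(3):
        forever.login("203.0.113.8", "x", False, t)
    out["deny_list"] = sorted(forever.ip_list)
    wl = AutoBlocker(Policy(block_secs=None, whitelist_mode=True), ip_list={"10.0.0.5", "10.0.1.0/24"})
    out["unlisted_in_whitelist"] = wl.connect("172.16.0.1", 0)
    for t in range(3):
        wl.login("10.0.0.5", "x", False, t); wl.login("10.0.1.20", "x", False, t)
    out["whitelist_after"] = (sorted(wl.ip_list), wl.is_blocked("10.0.1.20", 10), wl.connect("10.0.1.21", 10))
    dos = AutoBlocker(Policy(dos_protection=True))       # bare connections count as failures
    out["dos_connects"] = [dos.connect("203.0.113.99", t) for t in range(4)]
    return out
```

Running run_scenarios() walks through the page's rules in order: two failures put 203.0.113.7 on the watched list, the third blocks it, the timed block lapses at t=920, a stale counter restarts at one, a successful login clears the watched entry, a banned username blocks at once, Blacklist-plus-Forever grows the deny list, and in Whitelist-plus-Forever the single address 10.0.0.5 is delisted while the 10.0.1.0/24 range survives so 10.0.1.21 is still admitted.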