Automatic Threat Blocking
Included in Firewall Controls is the ability to configure an auto-blocking policy for the FTP server. Administrators can use the auto-blocking policy to help prevent DoS (Denial of Service) and brute force password guessing. If the auto-blocking policy is enabled, a user that continually fails to log into the server will be blocked from trying after a certain number of failed attempts. The number of failed attempts and the length of time the IP address will be blocked from attempting to log in can be configured from the “Auto-Blocking” page.
When Auto-Blocking is enabled, a failed attempt is logged whenever a user enters an incorrect password or tries to log in with an invalid username. If DoS Protection is selected, any attempt to connect to the server is counted towards auto-blocking, even if the connection doesn’t attempt to authenticate. This can help prevent DoS attacks that try to tie up connections and overwhelm the server. DoS Protection can also be useful against services that continuously probe the server with garbage data in an attempt to find security vulnerabilities. Note that a successful login from an IP address resets the “Failed login attempts” counter to zero for that IP address.
The number of failed login attempts can be configured from the Pre-Blocked Settings frame. The Time before login counter reset edit control can be used to set the amount of time that must elapse before the Failed login attempt counter is reset.
The length of time an address is blocked can be configured using the Auto-Block Timeout setting. Select the Forever radio button to block a flagged IP address indefinitely, or select the “Block for X minutes” radio button to set the length of time the address is blocked. Once an address is blocked, the timeout period must elapse before the address is allowed to log in again.
Immediately Ban these Users
Certain usernames are often tried by automated bots. You can configure Cerberus to automatically block the IP of any connection that attempts to log in using one of these banned usernames. To add multiple usernames, separate each name by a comma.
Differences in Auto-blocking between Deny mode and Allow mode
How auto-blocking works differs depending upon whether the IP manager is functioning in Deny or Allow mode. If the IP manager is functioning as a Deny List (denying addresses listed in the IP manager), then whenever a connection exceeds the failed login attempt threshold, that connection’s IP address is added to the deny list.
Auto-blocking works differently for Allow mode (allowing only addresses listed to log in to the server). In Allow mode, whenever a failed login attempt exceeds the failed login threshold, the IP address is either removed from the IP manager’s list of allowed IP addresses (if auto-blocking is set to block failed logins forever) or blocked for the Auto-Block Timeout period. The exception is if the IP address is part of a range of IP addresses. If an IP address is part of a range of allowed IP addresses, that range is not deleted.
Never Block This IP
Never Block This IP is a toggle that you can turn on and off when adding a new IP or IP range to the IP Manager. It appears at the bottom of the window under the Note section.
If the Auto Blocker is not being used, the 'Never Block This IP' toggle does not have any effect, regardless of whether it is enabled or disabled on any specific IP address.
If the Auto Blocker is being used, enabling 'Never Block This IP' makes the specified IP address immune to auto-blocking rules. This is handy if you have a VIP or important IP address that you do not want to be blocked, even by the rules set in place by the auto-blocker feature.
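The following added example (a simplified model written for this page, not Cerberus code) shows how the settings described above interact: the failed-attempt threshold, the counter reset time, the Auto-Block Timeout, banned usernames and the Never Block This IP exemption. The class, parameter and return-value names are hypothetical, and it assumes that the block triggers when the count reaches the threshold and that the reset time is measured from the last failed attempt.

```python
import math

class AutoBlocker:
    """Toy model of the auto-blocking policy; all names here are assumptions."""

    def __init__(self, max_failures=3, counter_reset_s=600, block_minutes=30,
                 banned_users=(), never_block=()):
        self.max_failures = max_failures        # failed attempts before blocking
        self.counter_reset_s = counter_reset_s  # "Time before login counter reset"
        # block_minutes=None models the "Forever" option
        self.block_s = math.inf if block_minutes is None else block_minutes * 60
        self.banned_users = set(banned_users)   # "Immediately Ban these Users"
        self.never_block = set(never_block)     # "Never Block This IP" entries
        self.failures = {}                      # ip -> (count, time of last failure)
        self.blocked_until = {}                 # ip -> time the block expires

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)

    def _block(self, ip, now):
        if ip in self.never_block:
            return "exempt"                     # immune to auto-blocking rules
        self.blocked_until[ip] = now + self.block_s
        self.failures.pop(ip, None)
        return "blocked"

    def login(self, ip, user, ok, now):
        """Record one login attempt at time `now` (seconds); return the outcome."""
        if self.is_blocked(ip, now):
            return "rejected"                   # timeout has not elapsed yet
        if user in self.banned_users:
            return self._block(ip, now)         # banned username: no counting
        if ok:
            self.failures.pop(ip, None)         # success resets the counter to zero
            return "ok"
        count, last = self.failures.get(ip, (0, now))
        if now - last >= self.counter_reset_s:  # assumption: measured from last failure
            count = 0
        count += 1
        self.failures[ip] = (count, now)
        if count >= self.max_failures:          # assumption: block on reaching the limit
            return self._block(ip, now)
        return "failed"

if __name__ == "__main__":
    b = AutoBlocker(banned_users=["admin"])     # constructed sample input
    for t in (0, 10, 20, 30):
        print(t, b.login("203.0.113.7", "alice", False, t))
```

Running the demo shows two failed attempts, a block on the third, and a rejection on the fourth while the timeout is still in effect.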