Skip to main content



  • Dana Anderson
    Product Support

    Hi Aftab. 

    Thanks for the suggestion. 

    While it may seem like a good idea to automatically ban IP addresses that are associated with unknown usernames to prevent any potential misuse, there are a few reasons that come to mind why this approach might not be practical or effective:

    Automatically banning IP addresses based solely on unknown usernames can lead to false positives. Legitimate users who are new or have recently changed their usernames might unintentionally get banned, leading to frustration and a poor user experience. 

    I think banning IPs based on unknown usernames would lead to unexpected consequences. 

    The current IP controls work really well against unauthorized authentication attempts. Maybe there is something we could configure there? 

    Could you tell us more about the problem that you are attempting to solve by banning unknown usernames?


  • Aftab Ahmed


    For reasons out of my control, I need to keep this sftp instance open to the world.
    We have only a limited number of accounts that have access to the service

    My local IS team like to ask us to block IPs that attempt brute force logins

    So I have things set to ban IPs forever after 3 failed attempts, which to them is not good enough.  

    I periodically search the logs, extract the usernames that are being attempted and add them to the list.
    I want to be able to automate this or just block all usernames that are not allowed.


    Hope this makes sense.


  • Robert Gneist

    hi aftab, hi dana!

    i can relate to the initial request, but i have to agree that just blocking an ip on the first wrong username is probably bringing up high false-positive blocks...

    but, i think it should be easy to implement to allow the admin to set a threshold for failed username attempts
    that way aftab could solve his issue, and the rest of us could also use this feature to reduce the success of 'harvest attacks' by for example setting the threshold to 3, like with failed passwords....

    that would be my input to this feature request :)

  • Connor Woolfolk
    Community Manager

    Hello Robert and Aftab,

    Thanks so much for both of your explanations and insight into this request. I do believe this should be what we need to get this to our Product team for them to scope out and evaluate. I'll make sure this gets over to them. If we end up needing anything else information wise, we'll be sure to reach out through this thread. Thanks again for taking the time out of your day to offer ways to improve Cerberus for everyone!

  • Steve Hoyer

    I can't automatically block an unrecognized user name as I have seen on more than one occasion, even in the last month, users who remember their user name incorrectly, or type their password into the user name field. 

    My solution: I import the daily logs into a sql table then I can email myself a daily report of any attempts rejected where EventDetails LIKE '%Unable to find user%'.

    Still requires manually adding them to the auto block list when they happen, but it simplifies identifying them.

    If we could have the log files automatically saving into the same database as the audit information, that'd be a bonus and simplification of my process, but what I have works.

  • Connor Woolfolk
    Community Manager

    Thanks for your feedback Steve! I will make sure this makes it to our product team as a part of this enhancement request.


Please sign in to leave a comment.