Separate Temporary IP Block List for DoS and Bad Password Protection in Clustered Environments
Summary
Introduce a dedicated, cluster-aware temporary IP block list for automatic blocks generated by DoS Protection and Bad Password Protection, separate from the static Firewall Rules table.
Current Behavior
In a clustered Cerberus FTP Server deployment with active-active nodes, temporary IP blocks generated by:
- DoS Protection
- Bad Password Protection
are stored in the standard Firewall table.
Firewall configuration is synchronized between cluster nodes, with synchronization data from the master node overwriting the configuration on slave nodes.
Problem
In an active-active two-node setup, each node independently detects malicious or abusive client behavior.
Example:
- A client repeatedly fails authentication against Node B (slave).
- Node B correctly creates a temporary block entry.
- During the next cluster synchronization cycle, the Firewall table is overwritten from Node A (master).
- The temporary block created on Node B is removed.
- The client may continue attacking through Node B until the protection is re-triggered.
As a result:
- Temporary security actions are not consistently preserved.
- Protection effectiveness depends on which node detected the event.
- Active-active deployments receive reduced security benefits from automatic protection mechanisms.
Proposed Solution
Create a dedicated temporary block repository that is separate from the existing Firewall configuration.
Characteristics
- Temporary blocks generated by DoS Protection and Bad Password Protection should not be stored in the Firewall configuration table.
- Each cluster node should be able to add entries independently.
- Temporary blocks should be replicated or merged across nodes rather than overwritten.
- Entries should automatically expire according to the configured protection timeout.
- Synchronization should perform a union/merge operation instead of a complete replacement.
-
Hello Einars,
Thanks so much for the detailed breakdown of this enhancement. I believe this covers everything we need to know, so I will get this wrapped up and sent over to our engineering team for review.
0
Please sign in to leave a comment.
Comments
1 comment