Ban IP on "administrator" login attempt

Posted: Mon Jun 11, 2012 1:30 pm
by HiVolt
I have a lot of random IPs hammering my FTP site with the username "administrator" and trying various logins.

Of course I don't have such a username. The anti hammer feature only bans the IP temporarily, not permanently.

Is there a way to permanently ban an IP on the first "administrator" user login attempt?

Thanks.

Re: Ban IP on "administrator" login attempt

Posted: Tue Jun 12, 2012 2:54 am
by FTP
OK, you just need to add the following scripts into the Event "OnExceedUSERPASS":

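-- Read the domain's current IP access rules and append the offending IP as a refused entry
local tabIPMask = c_GetIPMaskList("%Domain")
table.insert(tabIPMask, {"%IP", true})

-- Rebuild the list, converting every boolean field to 1/0 before writing it back
local tabIPMask_new = {}
for _, IPMask in pairs(tabIPMask) do
    for k, v in pairs(IPMask) do
        if type(v) == "boolean" then
            if v == true then
                IPMask[k] = 1
            else
                IPMask[k] = 0
            end
        end
    end
    table.insert(tabIPMask_new, IPMask)
end

-- Store the updated rule list for the domain
c_SetIPMaskList("%Domain", tabIPMask_new)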

Re: Ban IP on "administrator" login attempt

Posted: Tue Jun 12, 2012 1:43 pm
by HiVolt
Thanks... But this is on any user attempt, correct? I'm only looking to do this for a login attempt by a nonexistent user "administrator", and ban it right away.

Re: Ban IP on "administrator" login attempt

Posted: Tue Jun 12, 2012 3:48 pm
by FTP
You can't get the user name at that time, because he is not logged in.

I suggest you increase the number of failed login tries. Then random IPs hammering can be judged.

Re: Ban IP on "administrator" login attempt

Posted: Sat Jun 24, 2023 1:28 am
by DomDis
FTP wrote: Tue Jun 12, 2012 3:48 pm
You can't get the user name at that time, because he is not logged in.

I suggest you increase the number of failed login tries. Then random IPs hammering can be judged.
This must be old because my script emails me the info
Email from SSH event OnExceedUSERPASS wrote:
xyzFTP (180.101.88.235) SSH Security WARNING Event: root has performed a OnExceedUSERPASS event
NoReply <NoReply@xyzFTP.xyz.COM>
6/23/2023 8:51 PM
To: Domenic.disorbo@xyz.com <Domenic.disorbo@xyz.com>
Dear Domenic.disorbo@xyz.com

The FTP user > root < from the following IP 180.101.88.235 has just produced an SSH Security WARNING Event: OnExceedUSERPASS (Fri, Jun 23, 2023 08:51 PM). Banning access for this IP
Here's the code, BUT be warned that I don't think the ban IP section of code (that I got from another post) works! The Green Part Works, the RED does not (or if it's actually populating the tables, the server ignores it (maybe indexing)).

--            [1]          [2]               [3]                 [4]              [5]                [6]
-- c_SendMail(string strTo,string strSubject,string strPlainText,string strAttach,string strSmtpName,bool bHTML)
-- Parameters
-- [1]string the receiver's email addresses, multiple email addresses can be separated by a comma
-- [2]string mail subject
-- [3]string mail content
-- [4]string attach file path
-- [5]string the smtp configuration name
-- [6]bool mail content is HTML?, true=yes, false=no.
-- Return Values
-- [1]bool return true if email is sent successfully, otherwise return false
--
-- To Write to the Admin Log
-- c_AddAdminLog("Starting " .. event_type .. " " .. event_action .. " OnFileDownLoad",1)

local user = c_GetUser("%Domain","%Name")
-- Original but I want to notify emails addrs in the user.note_memo - local user_email = user.note_email
-- Variable not available if user does authenticate -- local user_memo = user.note_memo
local event_type = "SSH Security WARNING Event:"
local event_action = "OnExceedUSERPASS"

--if user_memo == nil or user_memo == "" then
local user_memo = "Domenic.disorbo@xyz.com"
--end

-- No send this to the FTP administrator
-- local mSendTo = user_memo
local mSendTo = "Domenic.disorbo@xyz.com"
local mSalutation = user_memo.gsub(user_memo,",", ", ")
local mDate = os.date("%a, %b %d, %Y %I:%M %p")
local mSubject = "xyzFTP (%IP) ".. event_type .. " %Name has performed a " .. event_action .. " event"
local mBody ="Dear " .. mSalutation .. "\n\n The FTP user > %Name < from the following IP %IP has just produced an " .. event_type .. " " .. event_action.. " (" .. mDate .. "). Banning access for this IP"
local mSMTP = "Big Mountain Mail"


if mSendTo ~= nil and mSendTo ~= "" then
    c_SendMail(mSendTo, mSubject, mBody, "", mSMTP)
    -- To Write to the Admin Log
    -- c_AddAdminLog(" Notifying " .. mSendTo .. " of " .. event_type .. " " .. event_action, 1)
end

--Ban the IP

--local ipmasks = c_GetGlobalIPMaskList()
-- handle the domain level rules
local ipmasks = c_GetIPMaskList("DomainName")
local g_ipmasks = {}
if type(ipmasks) == "table" then
    for _,ipmask in pairs(ipmasks) do
        local temp = {}
        table.insert(temp,ipmask.ip)
        table.insert(temp,ipmask.refuse)
        table.insert(temp,ipmask.comment)
        table.insert(g_ipmasks,temp)
    end
end
table.insert(g_ipmasks,{"%IP",true})
--c_SetGlobalIPMaskList(g_ipmasks)
--handle the domain level rules
c_SetIPMaskList("DomainName", ipmasks)
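
Added example, not part of the original posts or of the server's own code: in the script above the rebuilt list `g_ipmasks`, which holds the new entry, is never written back, because `c_SetIPMaskList` is called with the original `ipmasks`. The sketch below writes back the rebuilt list, skips duplicates, and refuses to auto-ban protected addresses. The rule fields (`ip`, `refuse`, `comment`), the positional write format and the 1/0 flag are assumptions taken from the two scripts in this thread; `build_ban_list`, `is_refused`, `NEVER_BAN` and all sample addresses are hypothetical.

```lua
-- Added example, not from the thread. Assumed from the posts above: rules are
-- read as {ip=, refuse=, comment=}, written back as {ip, refuse, comment}, and
-- the refuse flag is stored as 1/0. build_ban_list and NEVER_BAN are hypothetical.

-- Addresses that must never be auto-banned (constructed values), so a mistyped
-- password from the admin network cannot lock the operators out.
local NEVER_BAN = { ["127.0.0.1"] = true, ["192.0.2.10"] = true }

-- Accept either flag style seen in the thread (boolean or 1/0).
local function is_refused(flag) return flag == true or flag == 1 end

-- Return a new positional rule list that refuses `ip`, or nil if nothing changes.
local function build_ban_list(existing, ip, comment)
  if NEVER_BAN[ip] then return nil end
  local out = {}
  if type(existing) == "table" then
    for _, rule in pairs(existing) do
      if rule.ip == ip and is_refused(rule.refuse) then return nil end
      table.insert(out, { rule.ip, is_refused(rule.refuse) and 1 or 0, rule.comment })
    end
  end
  table.insert(out, { ip, 1, comment })
  return out
end

if c_GetIPMaskList and c_SetIPMaskList then
  -- Inside the server event: read, rebuild, then write back the REBUILT list.
  local new_list = build_ban_list(c_GetIPMaskList("%Domain"), "%IP",
                                  "auto-ban: OnExceedUSERPASS")
  if new_list then c_SetIPMaskList("%Domain", new_list) end
else
  -- Offline check with constructed rules, for a plain Lua interpreter.
  local sample = { { ip = "198.51.100.7", refuse = true, comment = "manual" },
                   { ip = "198.51.100.9", refuse = false } }
  local banned = build_ban_list(sample, "203.0.113.5", "auto-ban")
  assert(#banned == 3)
  assert(banned[#banned][1] == "203.0.113.5" and banned[#banned][2] == 1)
  assert(build_ban_list(sample, "198.51.100.7", "auto-ban") == nil)  -- duplicate
  assert(build_ban_list(sample, "192.0.2.10", "auto-ban") == nil)    -- protected
  print("ok: " .. #banned .. " rules would be written")
end
```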