Ban IP on "administrator" login attempt

HiVolt
Posts: 9
Joined: Sat Mar 10, 2012 11:17 pm

Ban IP on "administrator" login attempt

Post by HiVolt »

I have a lot of random IPs hammering my FTP site with the username "administrator" and trying various logins.

Of course I don't have such a username. The anti-hammer feature only bans the IP temporarily, not permanently.

Is there a way to permanently ban an IP on the first "administrator" user login attempt?

Thanks.
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Ban IP on "administrator" login attempt

Post by FTP »

OK, you just need to add the following scripts into the Event "OnExceedUSERPASS":

-- Read the domain's current IP access rules and append a rule for the client IP
local tabIPMask = c_GetIPMaskList("%Domain")
table.insert(tabIPMask,{"%IP",true})

-- Copy the rules, converting boolean fields to 1/0 before writing them back
local tabIPMask_new = {}
for _,IPMask in pairs(tabIPMask) do
    for k,v in pairs(IPMask) do
        if type(v) == "boolean" then
            if v == true then
                IPMask[k] = 1
            else
                IPMask[k] = 0
            end
        end
    end
    table.insert(tabIPMask_new,IPMask)
end

c_SetIPMaskList("%Domain",tabIPMask_new)
HiVolt
Posts: 9
Joined: Sat Mar 10, 2012 11:17 pm

Re: Ban IP on "administrator" login attempt

Post by HiVolt »

Thanks... But this is on any user attempt, correct? I'm only looking to do this for a login attempt by a nonexistent user "administrator", and ban it right away.
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Ban IP on "administrator" login attempt

Post by FTP »

You can't get the user name at that time, because he is not logged in.

I suggest you increase the number of failed login tries. Then random IP's hammering can be judged.
DomDis
Posts: 33
Joined: Sat Mar 18, 2023 7:44 pm

Re: Ban IP on "administrator" login attempt

Post by DomDis »

FTP wrote: Tue Jun 12, 2012 3:48 pm
You can't get the user name at that time, because he is not logged in.

I suggest you increase the number of failed login tries. Then random IP's hammering can be judged.

This must be old because my script emails me the info
Email from SSH event OnExceedUSERPASS wrote:
xyzFTP (180.101.88.235) SSH Security WARNING Event: root has performed a OnExceedUSERPASS event
NoReply <NoReply@xyzFTP.xyz.COM>
6/23/2023 8:51 PM
To: Domenic.disorbo@xyz.com <Domenic.disorbo@xyz.com>
Dear Domenic.disorbo@xyz.com

The FTP user > root < from the following IP 180.101.88.235 has just produced an SSH Security WARNING Event: OnExceedUSERPASS (Fri, Jun 23, 2023 08:51 PM). Banning access for this IP
Here's the Code BUT be warned that I don't think the ban ip section of code (that I got from another post) works! The Green Part Works, the RED does not (or if it's actually populating the tables the server ignores it (maybe indexing)).

-- [1] [2] [3] [4] [5] [6]
-- c_SendMail(string strTo,string strSubject,string strPlainText,string strAttach,string strSmtpName,bool bHTML)
-- Parameters
-- [1]string the receiver's email addresses, multiple email addresses can be separated by a comma
-- [2]string mail subject
-- [3]string mail content
-- [4]string attach file path
-- [5]string the smtp configuration name
-- [6]bool mail content is HTML?, true=yes, false=no.
-- Return Values
-- [1]bool return true if email is sent successfully, otherwise return false
--
-- To Write to the Admin Log
-- c_AddAdminLog("Starting " .. event_type .. " " .. event_action .. " OnFileDownLoad",1)

local user = c_GetUser("%Domain","%Name")
-- Original but I want to notify emails addrs in the user.note_memo - local user_email = user.note_email
-- Variable not available if user does authenticate -- local user_memo = user.note_memo
local event_type = "SSH Security WARNING Event:"
local event_action = "OnExceedUSERPASS"

--if user_memo == nil or user_memo == "" then
local user_memo = "Domenic.disorbo@xyz.com"
--end

-- No, send this to the FTP administrator
-- local mSendTo = user_memo
local mSendTo = "Domenic.disorbo@xyz.com"
local mSalutation = user_memo.gsub(user_memo,",", ", ")
local mDate = os.date("%a, %b %d, %Y %I:%M %p")
local mSubject = "xyzFTP (%IP) ".. event_type .. " %Name has performed a " .. event_action .. " event"
local mBody ="Dear " .. mSalutation .. "\n\n The FTP user > %Name < from the following IP %IP has just produced an " .. event_type .. " " .. event_action.. " (" .. mDate .. "). Banning access for this IP"
local mSMTP = "Big Mountain Mail"


-- Variable names are case-sensitive in Lua: the check must use mSendTo, not MSendTo
if mSendTo ~= nil and mSendTo ~= "" then
    c_SendMail(mSendTo, mSubject, mBody, "", mSMTP)
    -- To Write to the Admin Log
    -- c_AddAdminLog(" Notifying " .. mSendTo .. " of " .. event_type .. " " .. event_action, 1)
end

--Ban the IP

--local ipmasks = c_GetGlobalIPMaskList()
-- handle the domain level rules
local ipmasks = c_GetIPMaskList("DomainName")
local g_ipmasks = {}
if type(ipmasks) == "table" then
    -- Copy each existing rule as {ip, refuse, comment}
    for _,ipmask in pairs(ipmasks) do
        local temp = {}
        table.insert(temp,ipmask.ip)
        table.insert(temp,ipmask.refuse)
        table.insert(temp,ipmask.comment)
        table.insert(g_ipmasks,temp)
    end
end
-- Append the rule for the offending IP to the rebuilt list
table.insert(g_ipmasks,{"%IP",true})
--c_SetGlobalIPMaskList(g_ipmasks)
--handle the domain level rules
-- Write back the rebuilt list (g_ipmasks); the list as read (ipmasks) does not contain the new rule
c_SetIPMaskList("DomainName", g_ipmasks)
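
Added example, not code from any poster in this thread or from the server's documentation: a sketch for OnExceedUSERPASS that adds the ban only when the attempted name is a bait account, relying on %Name being filled in for this event as the e-mail above shows. The names BAIT_USERS, is_bait_user and with_ban are hypothetical; the rule fields (ip, refuse, comment) and the boolean refuse flag follow the second script (the first script converts booleans to 1/0 before writing); the stand-in functions and sample addresses are constructed so the file also runs outside the server.

```lua
-- Added example for the OnExceedUSERPASS event (not code from the thread).
-- Assumption: the server substitutes "%Name", "%IP" and "%Domain" in the script
-- text before it runs, as in the scripts posted above.
local BAIT_USERS = { administrator = true, root = true }  -- hypothetical bait names

-- True when the attempted login name is a bait name (case-insensitive).
local function is_bait_user(name)
  return BAIT_USERS[string.lower(name or "")] == true
end

-- Build the list to write back: existing rules copied as {ip, refuse, comment}
-- (field names as read in the second script above), plus one refuse rule for
-- `ip` unless that address is already listed. Returns the list and whether a
-- rule was added.
local function with_ban(rules, ip, comment)
  local out, seen = {}, false
  for _, r in ipairs(type(rules) == "table" and rules or {}) do
    out[#out + 1] = { r.ip, r.refuse, r.comment }
    if r.ip == ip then seen = true end
  end
  if not seen then out[#out + 1] = { ip, true, comment } end
  return out, not seen
end

-- Stand-ins so the file runs outside the server (constructed sample data).
local store = { { ip = "203.0.113.7", refuse = true, comment = "manual" } }
local get = c_GetIPMaskList or function(_) return store end
local set = c_SetIPMaskList or function(_, list) store = list end

local name, ip, domain = "%Name", "%IP", "%Domain"
if not c_GetIPMaskList then
  name, ip = "Administrator", "198.51.100.23"  -- constructed offline values
end

if is_bait_user(name) then
  local list, added = with_ban(get(domain), ip, "bait login: " .. name)
  if added then set(domain, list) end  -- write the rebuilt list, not the one read
  print(ip .. " -> " .. #list .. " rules, added=" .. tostring(added))
end
```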
