Page 1 of 1

Login Flood Control

Posted: Tue Aug 09, 2011 8:34 am
by Peter
Hi there

I would like to make a suggestion.

Our daily logs are full of login attempts which we assume are by malicious users - for example:

Code: Select all

[02] Tue, 09 Aug 2011 01:21:39 (0000278) Closed session,disconnected from 217.42.161.5
[02] Tue, 09 Aug 2011 01:26:15 (0000279) Closed session,disconnected from 217.42.161.5
[02] Tue, 09 Aug 2011 03:40:22 (0000280) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:24 (0000280) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:24 (0000280) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:24 (0000280) Username and password unmatched, the authentication will start again later.
[02] Tue, 09 Aug 2011 03:40:25 (0000280) Closed session,disconnected from 218.29.115.152. The reason is:Unable to complete handshake.
[02] Tue, 09 Aug 2011 03:40:25 (0000281) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:28 (0000281) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:28 (0000281) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:28 (0000281) Username and password unmatched, the authentication will start again later.
[02] Tue, 09 Aug 2011 03:40:28 (0000281) Closed session,disconnected from 218.29.115.152. The reason is:Unable to complete handshake.
[02] Tue, 09 Aug 2011 03:40:28 (0000282) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:31 (0000282) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:31 (0000282) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:31 (0000282) Username and password unmatched, the authentication will start again later.
There are literally hundreds of attempts each day and none of them are using usernames we have created so we are certain these are just bots trying to gain access to our FTP system.

Is there any chance you could add some sort of flood control to the software, so we can set a number of incorrect logins from a single IP before they get put on a temporary ban list? Perhaps if someone enters incorrect login details 5 times they receive a message in their FTP program saying they've been temporarily banned, and if they're accessing via the web interface then they see a similar message.

It would be good to have options that the administrator can set - for example I'd like to add the IP address to a permanent ban list instead of a temporary one, but I think other people might like to have it set to temporary instead, as well as be able to set the number of incorrect logins before the ban occurs.

A feature like this would certainly stop us getting anywhere near as many attempts to log in to our system and should also cut down on a bit of network traffic, even if it is just a small amount.

Thank you :)

Re: Login Flood Control

Posted: Tue Aug 09, 2011 8:36 am
by Peter
Just an additional note - we have tried blocking the IP addresses one by one as well, however each new wave of login attempts comes from a different IP address and the bots never seem to use the same IP address twice, so blocking them manually is useless unfortunately.

Re: Login Flood Control

Posted: Tue Aug 09, 2011 11:12 am
by FTP
Yes, Wing FTP Server has such feature. You just need to enable Anti-hammer under "Domain > Settings > General Settings > Miscellaneous". You can also check out this document:
http://www.wftpserver.com/help/ftpserve ... aneous.htm" rel="nofollow