I have a lot of random IP's hammering my FTP site with the username "administrator" and trying various logins.
Of course I don't have such a username. The anti hammer feature only bans the IP temporarily, not permanently.
Is there a way to permanently ban an IP on the first "administrator" user login attempt?
Thanks.
Ban IP on "administrator" login attempt
-
- Site Admin
- Posts: 2090
- Joined: Tue Sep 29, 2009 6:09 am
Re: Ban IP on "administrator" login attempt
OK, you just need to add the following scripts into the Event "OnExceedUSERPASS":
-- Read the domain's current IP rules and append an entry for the offending IP
local tabIPMask = c_GetIPMaskList("%Domain")
table.insert(tabIPMask,{"%IP",true})
local tabIPMask_new = {}
for _,IPMask in pairs(tabIPMask) do
  -- Convert boolean fields to 1/0 before writing the list back
  for k,v in pairs(IPMask) do
    if type(v) == "boolean" then
      if v == true then
        IPMask[k] = 1
      else
        IPMask[k] = 0
      end
    end
  end
  table.insert(tabIPMask_new,IPMask)
end
c_SetIPMaskList("%Domain",tabIPMask_new)
-
- Posts: 9
- Joined: Sat Mar 10, 2012 11:17 pm
Re: Ban IP on "administrator" login attempt
Thanks... But this is on any user attempt, correct? I'm only looking to do this only for a login attempt by a non existent user "administrator", and ban it right away.
-
- Site Admin
- Posts: 2090
- Joined: Tue Sep 29, 2009 6:09 am
Re: Ban IP on "administrator" login attempt
You can't get the user name at that time, because he is not logged in.
I suggest you increase the number of failed login tries. Then random IP's hammering can be judged.
-
- Posts: 32
- Joined: Sat Mar 18, 2023 7:44 pm
Re: Ban IP on "administrator" login attempt
This must be old because my script emails me the info
Here's the Code BUT be warned that I don't think the ban ip section of code (that I got from another post) works! The Green Part works, the RED does not (or if it's actually populating the tables the server ignores it (maybe indexing)).
Email from SSH event OnExceedUSERPASS wrote:
xyzFTP (180.101.88.235) SSH Security WARNING Event: root has performed a OnExceedUSERPASS event
NO
NoReply <NoReply@xyzFTP.xyz.COM>
6/23/2023 8:51 PM
To: Domenic.disorbo@xyz.com <Domenic.disorbo@xyz.com>
Dear Domenic.disorbo@xyz.com
The FTP user > root < from the following IP 180.101.88.235 has just produced an SSH Security WARNING Event: OnExceedUSERPASS (Fri, Jun 23, 2023 08:51 PM). Banning access for this IP
--            [1]          [2]               [3]                 [4]              [5]                [6]
-- c_SendMail(string strTo,string strSubject,string strPlainText,string strAttach,string strSmtpName,bool bHTML)
-- Parameters
-- [1]string the receiver's email addresses, multiple email addresses can be separated by a comma
-- [2]string mail subject
-- [3]string mail content
-- [4]string attach file path
-- [5]string the smtp configuration name
-- [6]bool mail content is HTML?, true=yes, false=no.
-- Return Values
-- [1]bool return true if email is sent successfully, otherwise return false
--
-- To Write to the Admin Log
-- c_AddAdminLog("Starting " .. event_type .. " " .. event_action .. " OnFileDownLoad",1)
local user = c_GetUser("%Domain","%Name")
-- Original but I want to notify emails addrs in the user.note_memo - local user_email = user.note_email
-- Variable not available if user does authenticate -- local user_memo = user.note_memo
local event_type = "SSH Security WARNING Event:"
local event_action = "OnExceedUSERPASS"
--if user_memo == nil or user_memo == "" then
local user_memo = "Domenic.disorbo@xyz.com"
--end
-- No send this to the FTP administrator
-- local mSendTo = user_memo
local mSendTo = "Domenic.disorbo@xyz.com"
local mSalutation = user_memo:gsub(",", ", ")
local mDate = os.date("%a, %b %d, %Y %I:%M %p")
local mSubject = "xyzFTP (%IP) ".. event_type .. " %Name has performed a " .. event_action .. " event"
local mBody ="Dear " .. mSalutation .. "\n\n The FTP user > %Name < from the following IP %IP has just produced an " .. event_type .. " " .. event_action.. " (" .. mDate .. "). Banning access for this IP"
local mSMTP = "Big Mountain Mail"
if mSendTo ~= nil and mSendTo ~= "" then
  c_SendMail(mSendTo, mSubject, mBody, "", mSMTP)
  -- To Write to the Admin Log
  -- c_AddAdminLog(" Notifying " .. mSendTo .. " of " .. event_type .. " " .. event_action, 1)
end
--Ban the IP
--local ipmasks = c_GetGlobalIPMaskList()
-- handle the domain level rules
local ipmasks = c_GetIPMaskList("DomainName")
local g_ipmasks = {}
if type(ipmasks) == "table" then
  -- copy each existing rule into the list that will be written back
  for _,ipmask in pairs(ipmasks) do
    local temp = {}
    table.insert(temp,ipmask.ip)
    table.insert(temp,ipmask.refuse)
    table.insert(temp,ipmask.comment)
    table.insert(g_ipmasks,temp)
  end
end
table.insert(g_ipmasks,{"%IP",true})
--c_SetGlobalIPMaskList(g_ipmasks)
--handle the domain level rules
-- write back the rebuilt list, which includes the new %IP entry
c_SetIPMaskList("DomainName", g_ipmasks)
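An added example, not part of any post in this thread: both scripts above append "%IP" on every OnExceedUSERPASS event and assume different shapes for the list that c_GetIPMaskList returns, so this plain-Lua helper accepts either shape, converts booleans to 1/0 as the Site Admin's script does, and skips an IP that is already denied. The entry shapes, the helper names and the sample addresses are assumptions; the two c_ calls appear only in the closing comment.

```lua
-- Added example; not code from any post in this thread.
-- Assumption: an entry is positional {ip, refuse, comment} or keyed
-- {ip=..., refuse=..., comment=...}; both shapes appear in the scripts above.

-- Convert one entry to positional form with refuse as 1/0.
-- Returns nil when the entry has neither shape.
local function normalize(entry)
  if type(entry) ~= "table" then return nil end
  local ip, refuse = entry.ip or entry[1], entry.refuse
  if refuse == nil then refuse = entry[2] end
  if type(ip) ~= "string" or refuse == nil then return nil end
  if type(refuse) == "boolean" then refuse = refuse and 1 or 0 end
  return { ip, refuse, entry.comment or entry[3] or "" }
end

-- Build a new list: every existing rule, plus a deny rule for ban_ip
-- unless that IP is already denied. Second result: was a rule added?
local function with_ban(existing, ban_ip, comment)
  local out, banned = {}, false
  if type(existing) == "table" then
    for _, entry in ipairs(existing) do
      local rule = normalize(entry) or entry  -- keep unknown entries as-is
      if type(rule) == "table" and rule[1] == ban_ip and rule[2] == 1 then
        banned = true
      end
      out[#out + 1] = rule
    end
  end
  if not banned then
    out[#out + 1] = { ban_ip, 1, comment or "" }
  end
  return out, not banned
end

-- Constructed sample data (documentation addresses), one entry per shape.
local current = {
  { "203.0.113.7", true, "manual" },
  { ip = "198.51.100.9", refuse = false, comment = "office" },
}
for _, ip in ipairs({ "203.0.113.7", "192.0.2.44" }) do
  local rules, added = with_ban(current, ip, "OnExceedUSERPASS")
  print(ip, "rules: " .. #rules, "added: " .. tostring(added))
end

-- Assumed wiring inside the event script, using only the calls shown above:
-- c_SetIPMaskList("%Domain", (with_ban(c_GetIPMaskList("%Domain"), "%IP", "auto-ban")))
```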