Autoblock with timers.

I am trying to block brute force attacks on my FTP and I am not able to get it working.

Example on RDP
The first time you try to log in on FTP, you are allowed to go to the login page, but your IP is stored in access list 1_level_rdp for 10 minutes.
The second time you log in, since it is within 10 minutes of the previous attempt, you are in access list 1_level_rdp; this time you are moved to access list 2_level_rdp for 10 min.
The third time you log in, if it's within 10 minutes of the last login, you are in access list 2_level_rdp and this time your IP is saved in block_rdp for 1 day.
At the top of the rules I have a rule that blocks everything that is in block_rdp.

This works fine for RDP, since when I connect myself, it stays connected the whole time (1 session).
But for FTP, if you are connected, it times out and you reconnect many times, so I block myself out using the RDP solution.

What I would like is for the IP to be stored in an access list for one hour. Then if there is a new attempt within that hour, do nothing.
But if there is a new connection in hour 2, go up one level (same as RDP). And then again the same for hour 3: put it on the block list. So do not count the number of hits, but the number of hours.

RDP example

add action=drop chain=forward comment="Drop RDP brute forcers" dst-port=8080 log=yes log-prefix=\
    FW_Block_Bruteforce_RDP protocol=tcp src-address-list=block_rdp
add action=add-src-to-address-list address-list=block_rdp address-list-timeout=1d chain=forward \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=2_level_rdp
add action=add-src-to-address-list address-list=2_level_rdp address-list-timeout=10m chain=forward \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=1_level_rdp
add action=add-src-to-address-list address-list=1_level_rdp address-list-timeout=10m chain=forward \
    connection-state=new dst-port=3389 protocol=tcp

So in other words, you want to allow bruteforcers to do as they please for two hours and only then block them? Better than indefinitely, but still…

What about fixing the timeouts instead? If they come from server and if it’s your server, it’s probably configurable. And clients, at least some of them, can periodically send some keepalive command to prevent disconnection by impatient firewalls.

In any case, such blocking based only on connections, where you can’t tell if the login was successful or not, is not good. It would be better if the server itself could blacklist bruteforcers, but I’m not sure how common such an option is.

Thanks for your reply.
When I looked at the firewall logs using Splunk, I saw that some clients had tried for 3-4 months to enter my RDP with various passwords.
Now with the block rules they are more or less gone, so yes, simple rules do help :)

Sure, they do help, they block connections. The problem is, they can also very easily block you. A reliable system would know that some connection was a successful login attempt and would not count it. But on the firewall level, there’s no way to know that (well, for plaintext FTP there is, but no sane person would use that).

But back to your original idea, maybe it could be possible using scripts. Address list entries have a time when they were added, so if you run a script every X minutes, it could go through the first list and add old enough ones to another. And for the next level, it would check both previous lists and only add an address to the final blocklist if it would be in both lists. I admit that I didn’t think it through completely, but it might do what you want.
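To check the "count hours, not hits" policy from the first post before turning it into rules or a script, here is an added Python model that is not from this thread or from RouterOS: each dict stands in for an address list with an address-list-timeout, and the level entry is kept for two windows (one longer than the "seen" marker) so that an attempt in the following hour can find it and escalate, while two quiet hours reset the IP. The IPs and timings in the demo are constructed.

```python
# Added model of hour-based escalation (three consecutive active hours -> block).
# Times are seconds; every call first drops expired entries, which is what
# address-list-timeout does on a MikroTik address list.

class HourlyEscalator:
    def __init__(self, window=3600, block_timeout=86400):
        self.window = window                # one escalation step per hour
        self.block_timeout = block_timeout  # final block, 1d like the RDP rules
        self.seen = {}    # ip -> expiry: "already counted in this hour"
        self.level = {}   # ip -> (level, expiry): level reached, kept 2 windows
        self.block = {}   # ip -> expiry

    def _expire(self, now):
        self.seen = {ip: t for ip, t in self.seen.items() if t > now}
        self.level = {ip: v for ip, v in self.level.items() if v[1] > now}
        self.block = {ip: t for ip, t in self.block.items() if t > now}

    def new_connection(self, ip, now):
        """Return the action taken for a new connection from ip at time now."""
        self._expire(now)
        if ip in self.block:
            return "drop"
        if ip in self.seen:
            return "allow"   # same hour as the last counted attempt: no change
        lvl = self.level.get(ip, (0, 0))[0] + 1
        if lvl >= 3:
            self.block[ip] = now + self.block_timeout
            self.level.pop(ip, None)
            return "block"
        # The level entry outlives the 'seen' marker by one window, so an
        # attempt in the next hour escalates; silence for two windows resets.
        self.level[ip] = (lvl, now + 2 * self.window)
        self.seen[ip] = now + self.window
        return f"level{lvl}"


if __name__ == "__main__":
    esc = HourlyEscalator()
    # Constructed trace: an FTP client reconnecting repeatedly within an hour
    # stays at level 1; only activity in hours 2 and 3 escalates it.
    for t in (0, 600, 3000, 4000, 5000, 8000, 9000):
        print(t, esc.new_connection("198.51.100.7", t))
```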