Forum Discussion

Matt_Fletcher_1
Aug 31, 2006

FTP Connections

We have a pool for ftp servers. Recently our Infosec department has been making me block specific IPs because of multiple failed logins (even though it's pointless to do so). Our FTP server has the option of blocking IP addresses for a certain amount of time based on x number of failed logins over x seconds, but with the BigIP, all traffic is showing as the internal address, so that's not an option, unless I turn off the SNATing, which is also not an option. Unless there is a way to do that for just one pool. My current solution is to use a rule to discard connections from the whole IP range of the offender (as in 202.x.x.x) since they are all coming from APNIC and RIPE, neither of which would be legit traffic. This is an admin headache, since I get requests from Infosec every few hours with new IPs to block, and also pointless, like I said, because these script kiddies are hammering logins that don't even exist, and usually give up by the time I can add them to the list.
Is there a way to set up a rule to block specific IPs based on any of the following:

a) number of concurrent or consecutive connections over time from a given IP
b) number of failed FTP logins (can the BigIP even see that???)
Or,
c) to show the FTP server the actual IP address so it does not block all traffic when they hit us
Any other suggestions for how to handle this, or is my bandaid the only solution?
  • Martin_Machacek
    Historic F5 Account
    Matt,

    there is no way to achieve the adaptive blocking that you need using iRules on v4.x (assuming that you are running BIG-IP version 4.x, since you've posted to this forum). However, you can disable SNAT on a per-pool basis using the

    snat disable

    pool config parameter.
  • That's it? Simple. Thanks!
    Just out of curiosity, is this possible in 9.x? I've been trying to convince those above me that we should upgrade to a new unit.
  • Martin_Machacek
    Historic F5 Account
    Yes, it is. Exactly the same syntax is supported in v9.x. In v9 you may even be able to implement the dynamic blocking using some creative iRule programming. You should also take a look at iControl. It may allow you to let the server dynamically add (and remove) blocked IP addresses in an iRule class based on the frequency of login failures. This is however all off-topic for this forum.
  • One more question. Is it possible to capture the username and filter on that in a rule? These attacks use 'administrator' 90% of the time.
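As an added illustration (not code from this thread or from F5) of the problem Matt describes and the per-pool `snat disable` fix Martin gives: the same "x failed logins in x seconds" lockout is run over constructed FTP log lines, once as the server sees them behind SNAT (one internal address for every client) and once with SNAT disabled on the pool. The addresses, timestamps and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed FTP log lines (not from the thread): "time client_ip result user".
# Behind SNAT the pool member sees only the BIG-IP's internal address for everyone.
SNAT_LOG = """\
2006-08-31T10:00:01 10.0.0.5 FAIL administrator
2006-08-31T10:00:02 10.0.0.5 FAIL administrator
2006-08-31T10:00:03 10.0.0.5 FAIL administrator
2006-08-31T10:00:04 10.0.0.5 OK alice
"""
# Same traffic with "snat disable" on the pool: real client addresses are visible.
NO_SNAT_LOG = """\
2006-08-31T10:00:01 203.0.113.9 FAIL administrator
2006-08-31T10:00:02 203.0.113.9 FAIL administrator
2006-08-31T10:00:03 203.0.113.9 FAIL administrator
2006-08-31T10:00:04 192.0.2.7 OK alice
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(FAIL|OK)\s+(\S+)$")

def lockouts(log, max_fail=3, window_s=60):
    """Return {ip: time_of_lockout} for IPs with >= max_fail failures within window_s."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    locked = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, ip, result, _user = m.groups()
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(datetime.fromisoformat(ts))
        while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if len(q) >= max_fail and ip not in locked:
            locked[ip] = ts
    return locked

def collateral_users(log, locked):
    """Users whose later logins share a locked-out source address (the SNAT side effect)."""
    hit = set()
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, ip, result, user = m.groups()
            if ip in locked and ts > locked[ip]:
                hit.add(user)
    return hit
```

With SNAT on, the lockout lands on the internal address and alice's good login is rejected along with the attacker's; with SNAT disabled, only 203.0.113.9 is locked.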