Forum Discussion
Jose_Santiago_O
Nimbostratus
May 15, 2008
Prevent ftp brute force attack using irules.
Hi,
Does anyone know how to prevent ftp brute force attacks using irules? I have an ftp server and every day I see a lot of connections coming from different countries trying to get acc...
Jose_Santiago_O
Nimbostratus
May 20, 2008
Hi,
I have configured this rule so far, but I think I am missing something here, because I am not collecting the initial connection (ftp 1.1.1.1 or ftp.mycompany.com). I am logging the payload and the initial connection is not being logged; the only thing I am collecting is USER domain\user, and since this doesn't match "mycompany" the connection is rejected. Do you have any ideas?
when CLIENT_ACCEPTED {
    TCP::collect
    TCP::release
}
when CLIENT_DATA {
    # Log the raw payload, then normalise it for the comparison
    log local0. "payload: [TCP::payload]"
    set client_data [string tolower [string trim [TCP::payload]]]
    # Send to the FTP pool only when the payload contains "mycompany"
    if { $client_data contains "mycompany" } {
        pool pool_ftp
    } else {
        log local0. "Rejected"
        reject
    }
    TCP::release
}
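An added example, not part of the posts above: a Python model (not iRule code) of the test the posted rule applies to the collected payload, set beside an exact comparison of the domain part of `USER domain\user`. The function names and the sample payloads are constructed for illustration; only the string "mycompany" and the `USER domain\user` form come from the post.

```python
import re

ALLOWED_DOMAIN = "mycompany"  # value taken from the posted rule

# Matches "USER <domain>\<user>", the payload form quoted in the post.
USER_RE = re.compile(r"^USER[ ]+([^\\\s]+)\\(\S+)$", re.IGNORECASE)

def substring_check(payload: str) -> bool:
    """The posted rule's test: trim, lowercase, substring match anywhere."""
    return ALLOWED_DOMAIN in payload.strip().lower()

def parse_user(payload: str):
    """Return (domain, user) from the first control-channel line, or None."""
    lines = payload.strip().splitlines()
    if not lines:
        return None
    m = USER_RE.match(lines[0].strip())
    return (m.group(1).lower(), m.group(2)) if m else None

def exact_domain_check(payload: str) -> bool:
    """Accept only when the parsed domain equals the allowed one."""
    parsed = parse_user(payload)
    return parsed is not None and parsed[0] == ALLOWED_DOMAIN

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    "USER mycompany\\jsmith\r\n",    # expected domain
    "USER MyCompany\\jsmith\r\n",    # same domain, different case
    "USER other\\mycompany\r\n",     # string appears in the user part only
    "USER notmycompany\\admin\r\n",  # string is a suffix of another domain
    "USER anonymous\r\n",            # no domain part at all
    "",                              # empty payload
]

def compare(samples=SAMPLES):
    """Return (payload, substring result, exact result) for each sample."""
    return [(s.strip(), substring_check(s), exact_domain_check(s))
            for s in samples]

if __name__ == "__main__":
    for line, sub, exact in compare():
        print(f"{line!r:32} substring={sub!s:5} exact={exact}")
```

The two checks agree on the first two and last two samples and differ on the middle two, where the substring test accepts a login whose domain is not "mycompany".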