Forum Discussion
Jose_Santiago_O
Nimbostratus
NimbostratusPrevent ftp brute force attack using irules.
Hi,
Does anyone know how to prevent ftp brute force attacks using irules? I have an ftp server and everyday i see a lot of connections comming from different countries trying to get acc...
Jose_Santiago_ONimbostratus
NimbostratusHi,
I have configured this rule so far, but I think I am missing something here, because I am not collecting the initial connection (ftp 1.1.1.1 or ftp.mycompany.com), I am logging the payload and the initial connection is not being logged, the only I am collecting is USER domain\user, and since this doesn't match "mycompany" the connection is rejected. Do you have any ideas?
when CLIENT_ACCEPTED {
TCP::collect
TCP::release
}
when CLIENT_DATA {
log local0. "payload: [TCP::payload]"
set client_data [string tolower [string trim [TCP::payload]]]
if { $client_data contains "mycompany" } {
pool pool_ftp
} else {
log local0. "Rejected"
reject
}
TCP::release
}}
