30.1. IPBAN service

This service can be enabled for TELNET, SSH, SIP, IAX, SMTP, POP3, HTTP, FTP, to prevent brute force attacks by blocking an IP address which persists in authentication failures.

It also permits to send an email to the configured recipient when the limit is reached.

The IPBAN resource puts in the blacklist the source IP address that has generated a number of authentication failures (for example, username and / or password of FTP access).

If an IP fails to authenticate MAX-NRTY times, within FIND-TIME minutes the error condition is reached and if IP not present in WHITE-LIST, then if ACTION:MAIL an email is sent to MAIL-TO and MAIL-TO-LIST , and if ACTION:BAN the IP is banned for BAN-TIME minutes.

A simplest explanation would be: The IPBAN resource puts in the blacklist the source IP address that has generated a number of authentication failures (for example, username and / or password of FTP access). Until the IP address is in the blacklist, it will inhibit access to the considered resource.

Configuring the SMTP resource is needed to send emails.

[Caution]Caution

The IBAN is a service to be configured carefully, if errors are present, may not have access to Abilis!

[Important]Important

The blacklist table is stored in the IPBAN.DAT file in the location defined by the WDIR parameter. This means the list will be maintained even after Abilis restart.

30.1.1. IPBAN service parameters

This service is enabled by default for Abilis.

Use the following command to display the parameters of the service; the command d ipban ? displays the meaning of all parameters.

[11:35:17] ABILIS_CPX:d ipban

max-items:3000
WDIR:C:\APP\IPBAN\

- IPBAN Mail ------------------------------------------------------------------
MAIL-FROM:SYS (abilis@abilis_cpx)
MAIL-TO:SYS ()
MAIL-TO-LIST:SYS (#)
MAIL-BODY:SYS (STANDARD)
MAIL-INTERVAL:3

- IPBAN service defaults ------------------------------------------------------
ACTION:MAIL         MAX-FAIL:10     FIND-TIME:1440     BAN-TIME:10080  
WHITE-LIST:PrivateIpAdd

- IPBAN individual services ---------------------------------------------------
---------+------------+-----------+------------+-----------+-------------------
RES:     | ACTION:    | MAX-FAIL: | FIND-TIME: | BAN-TIME: | WHITE-LIST:
---------+------------+-----------+------------+-----------+-------------------
Ssh      | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Telnet   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiSip   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiIax   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiVo    | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Http     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Ftp      | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Smtp     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Pop3     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------

Meaning of the most important parameters:

IP Addresses banning parameter(s):

max-items

Maximal number of simultaneously manageable IP addresses [1000..10000].

WDIR

Directory where IPBAN data file is saved. Full path with drive letter ['C'..'Z'] terminated by '\'. Max 64 chars. Spaces require double quotes (E.g. "C:\My dir\").

MAIL-FROM

E-mail sender [SYS, AUTO, e-mail]:

- SYS: use System General 'SYS-MAIL-FROM';

- AUTO: a fixed value is used (e.g. ipban@<cp-prompt>);

- e-mail: max 128 ASCII characters. Space not allowed.

MAIL-TO

E-mail recipients [SYS, empty, e-mail]:

- SYS: use System General 'SYS-MAIL-TO';

- empty: e-mails are not sent;

- e-mail: max 128 ASCII characters. Space not allowed. Multiple recipients must be separated by ',' (comma).

MAIL-TO-LIST

E-mail recipients list [SYS, #, TXT list name].

- SYS : use System General 'SYS-MAIL-TO-LIST'.

MAIL-BODY

E-mail body type [SYS, STANDARD, SMS-LIKE].

- SYS : use System General 'SYS-MAIL-BODY'.

MAIL-FILTER-INTERVAL

Minimal interval between notification e-mails [NO, 1..65534 min.]

ACTION

Action done when failure limit is reached [NONE: No action has to be executed; BAN: BAN the IP; MAIL: E-mail must be sent.]. Values can be joined using "," operator.

MAX-FAIL

Consecutive failures within FIND-TIME that triggers the ACTION [1..255].

FIND-TIME

Time interval for counting the consecutive failures [1..10080 min.].

BAN-TIME

Duration of the banning [NOMAX, 1..43200 min.].

WHITE-LIST

IP addresses that bypass the IPBAN control [#, IP/IR/RU/MR list name].

IP Addresses banning service(s) parameter(s):

ACTION

Action done when failure limit is reached [DFT: The default configured action; NONE: No action has to be executed; BAN: Ban the IP; MAIL: E-mail must be sent.] Values can be joined using "," operator.

MAX-FAIL

Consecutive failures within FIND-TIME that triggers the ACTION [DFT, 1..255].

FIND-TIME

Time interval for counting the consecutive failures [DFT, 1..10080 min.].

BAN-TIME

Duration of the bannig [DFT, NOMAX, 1..43200 min.].

WHITE-LIST

IP addresses that bypass the IPBAN control [DFT, #, IP/IR/RU/MR list name].

The following command allows the administrator to change the configuration of the resource:

S IPBAN par:val [par:val] Set IP Addresses banning parameters and defaults

S IPBAN RES:val par:val [par:val] Set IP Addresses banning service(s) parameters

[Caution]Caution

To activate the changes made on the upper case parameters, execute the initialization command init ipban

30.1.2. IPBAN BANNED

Use the following command to display the Banned IP

[12:23:44] ABILIS_CPX:d ipban banned

---------+---------------+----------+--------------+--------------+-----------+
         |               | Ban time |Remaining time| Elapsed time |  Queries  |
RES      |       IP      |  (min)   |   (mm:ss)    |   (mm:ss)    |           |
---------+---------------+----------+--------------+--------------+-----------+
Telnet    001.064.231.058      43200       21257:25       21942:41           4
Telnet    005.055.192.209      43200       29994:30       13205:37           3
Ssh       222.184.072.066      43200       33526:29        9673:42           5
Ftp       113.110.170.142      43200       42174:08        1025:52           2
...
---------+---------------+----------+--------------+--------------+-----------+

Banned IP addresses:348

In this example is show IP 222.184.72.66 which is blocked for resource SSH for 43200 minutes.

Meaning of the most important parameters:

Ban time

How long the IP must stay in the banned/alerted state (in min.). Current BAN-TIME parameter value.

Remaining time

How long the IP will still remain in the banned/alerted state (in min.). This value is computed as the difference between BanTime and ElapsedTime.

Elapsed time

Time elapsed since the last queries for this banned/alerted IP has been received (in min.).

Queries

Number of queries done for this once it has been banned/alerted.

[Note]Note

Every query during the BANNED condition restarts the BAN-TIME, in this way if the attacker continue the connection attempts it will remain banned.

[Important]Important

The blacklist table is stored in the IPBAN.DAT file in the location defined by the WDIR parameter. This means the list will be maintained even after Abilis restart.

To erase an IP from the blacklist use the following command:

[12:22:38] ABILIS_CPX:c ipban banned res:ssh ip:222.184.72.66

COMMAND EXECUTED 

[12:22:54] ABILIS_CPX:d ipban banned                             

---------+---------------+----------+--------------+--------------+-----------+
         |               | Ban time |Remaining time| Elapsed time |  Queries  |
RES      |       IP      |  (min)   |   (mm:ss)    |   (mm:ss)    |           |
---------+---------------+----------+--------------+--------------+-----------+
Telnet    001.064.231.058      43200       21257:25       21942:41           4
Telnet    005.055.192.209      43200       29994:30       13205:37           3
Ftp       113.110.170.142      43200       42174:08        1025:52           2
...
---------+---------------+----------+--------------+--------------+-----------+

Banned IP addresses:347

30.1.3. IPBAN FOUND

Use the following command to display currently found IP addresses (non Alerted and also non Banned):

[12:58:38] ABILIS_CPX:d ipban found

---------+---------------+-----------+-------------+--------------+
         |               | Failures  |  Find time  |Remaining time|
RES      |       IP      | (cur/max) |    (min)    |   (mm:ss)    |
---------+---------------+-----------+-------------+--------------+
Ssh       003.092.137.028         1/5          1440        1023:58
Ssh       008.026.094.190         1/5          1440        1260:59
Ssh       014.139.233.194         1/5          1440         976:19
Ssh       018.212.135.179         1/5          1440         341:16
Ssh       027.050.024.083         1/5          1440         852:21
Ssh       031.007.206.108         1/5          1440         505:19
Ssh       035.220.225.212         2/5          1440         587:20
Ssh       035.222.086.085         1/5          1440         669:20
Ssh       035.227.045.006         1/5          1440         649:13
Ssh       036.073.128.176         1/5          1440         811:04
Ssh       037.212.162.168         1/5          1440         901:09
Ssh       040.124.004.131         1/5          1440         547:00
Ssh       041.208.222.165         1/5          1440        1007:34
Ssh       041.226.024.021         2/5          1440         547:00
Ssh       079.036.199.008         2/5          1440        1064:19
Ssh       104.129.012.044         3/5          1440         623:24
...
---------+---------------+-----------+-------------+--------------+

Found IP addresses:113

Meaning of the most important parameters:

Failures

Number of failures done for this IP.

Find time

How long the IP can stay in the found state (in min.). Current FIND-TIME parameter value.

Remaining time

How long the IP will still remain in the found state (in min.). This value is computed as the difference between FindTime and ElapsedTime.

30.1.4. IPBAN ALERTED

It appears when MAIL without BAN action is used. In this situation an IP address that would be suited for ban is instead just alerted and signalled via mail.

Use the following command to display currently alerted IP addresses:

[12:03:56] ABILIS_CPX:d ipban alerted

---------+---------------+----------+--------------+--------------+-----------+
         |               |Alert time|Remaining time| Elapsed time |  Queries  |
RES      |       IP      |   (min)  |   (mm:ss)    |   (mm:ss)    |           |
---------+---------------+----------+--------------+--------------+-----------+
Ssh       005.228.214.241      10080        7966:46        2114:23          24
Ssh       035.242.179.150      10080        6280:44        3805:00         193
Ssh       045.227.255.082      10080        5327:09        8357:29          88
Ssh       046.246.123.046      10080        2508:20        7574:01          74
Ssh       059.046.135.042      10080        6822:08        3272:29         273
Ssh       061.188.189.007      10080        9206:37         883:04         200
Ssh       080.211.114.219      10080        9165:30        1782:19          13
Ssh       090.150.235.169      10080        6016:38        4069:21          93
Ssh       103.253.145.219      10080        6806:33        3275:38          45
Ssh       104.248.019.023      10080        2360:17        7719:58           5
Ssh       119.253.084.102      10080        8303:16        5611:39         592
Ssh       139.198.122.083      10080        7312:18        2767:59           7
Ssh       157.230.131.033      10080        7488:58        2626:58         958
Ssh       157.230.223.250      10080        5168:48        5863:50          29
Ssh       170.080.224.066      10080        3439:11        6643:37          43
Ssh       178.140.135.140      10080        2895:37        7185:32          24
Ssh       179.131.187.109      10080        5705:09        4380:07         111
Ssh       182.079.223.194      10080       10035:05        6882:10         700
Ssh       185.254.120.006      10080        9974:32        8331:38          49
Ssh       187.118.072.252      10080        4706:43        5378:25         105
Ssh       191.125.166.162      10080        9545:52         536:45          52
Ssh       193.032.163.066      10080        8257:23        8382:43         764
Ssh       193.032.163.089      10080        9942:07        1143:50         183
Ssh       193.201.224.218      10080        7188:48        7323:01        1449
Ssh       205.185.114.232      10080        6694:53        3385:16           5
Ssh       223.135.001.041      10080        4128:05        5956:59         111
---------+---------------+----------+--------------+--------------+-----------+

Alerted IP addresses:26

Meaning of the most important parameters:

Alert time

How long the IP must stay in the alerted state (in min.). Current BAN-TIME parameter value.

Remaining time

How long the IP will still remain in the alerted state (in min.). This value is computed as the difference between BanTime and ElapsedTime.

Elapsed time

Time elapsed since the last queries for this alerted IP has been received (in min.).

Queries

Number of queries done for this once it has been alerted.

30.1.5. IPBAN diagnostics and statistics

30.1.5.1. IPBAN diagnostics

This command reports the current situation of the IPBAN resource:

[12:51:21] ABILIS_CPX:d d ipban

-----------+----------+
MAX-ITEMS  |      3000|
CUR-FREE   |      2536|
CUR-USED   |       464|
PEAK-USED  |       464|
OVERFLOW   |         0|
STATE      |    NORMAL|
-----------+----------+

-----------+-----------+-----------+-----------+
RES:       |   FOUND   |  ALERTED  |  BANNED   |
-----------+-----------+-----------+-----------+
Ssh        |        114|          0|        134|
Telnet     |          0|          0|        212|
CtiSip     |          0|          0|          0|
CtiIax     |          0|          0|          0|
CtiVo      |          0|          0|          0|
Http       |          0|          0|          0|
Ftp        |          0|          0|          2|
Smtp       |          0|          0|          0|
Pop3       |          0|          0|          0|
-----------+-----------+-----------+-----------+
TOTAL      |        114|          0|        348|
-----------+-----------+-----------+-----------+

The meaning:

MAX-ITEMS

Current max numbers of IP that can be store in the ban list.

CUR-FREE

Current numbers of free places the ban list.

CUR-USED

Current numbers of used places the ban list.

PEAK-USED

Peak number of used places the ban list.

OVERFLOWS

Number of ban list overflows.

STATE

State of IPBAN database:

  • NORMAL - IPBAN database content is lower them 80% of capacity.

  • WARNING - IPBAN database content reached 80% of capacity.

  • OVERFLOW - IPBAN database is full.

Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo FOUND

Number of entries that hold a found IP for Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo ALERTED

Number of entries that hold a alerted IP for Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo BANNED

Number of entries that hold a banned IP for Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

TOTAL FOUND/ALERTED/BANNED

Total number of entries that hold a found/alerted/banned IP.

30.1.5.2. IPBAN statistics

This command can help to understand what is happening, in case of troubles:

[12:59:56] ABILIS_CPX:d s ipban

--- Cleared 2 days 19:57:37 ago, on 06/04/2019 at 17:19:11 --------------------
-----------+-----------+-----------+-----------+-----------+
RES:       |AUTH-FAIL: |QUERIES:   |MAIL-SUCC: |MAIL-FAIL: |
-----------+-----------+-----------+-----------+-----------+
Ssh        |        280|       2445|          9|          0|
Telnet     |         93|        257|         12|          0|
CtiSip     |          0|      15893|          0|          0|
CtiIax     |          0|          0|          0|          0|
CtiVo      |          0|       2238|          0|          0|
Http       |          0|       6731|          0|          0|
Ftp        |          5|       1401|          0|          0|
Smtp       |          0|          0|          0|          0|
Pop3       |          0|          0|          0|          0|
-----------+-----------+-----------+-----------+-----------+
TOTAL      |        378|      28965|         21|          0|
-----------+-----------+-----------+-----------+-----------+

With reference to the shown interval of time («Cleared 2 days 19:57:37 ago») these counters show the number of:

AUTH-FAILNumber of wrong-password notifications received from Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.
QUERIESNumber of Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo queries.
MAIL-SUCCNumber of mails sent with success for banned/alerted IPs notification.
MAIL-FAILNumber of mails for banned/alerted IPs notification whose delivery has failed.
TOTALTotal number of AUTH-FAIL, QUERIES, MAIL-SUCC, MAIL-FAIL.