30.1. IPBAN service

This service can be enabled for TELNET, SSH, SIP, IAX, SMTP, POP3, HTTP, FTP, to prevent brute force attacks by blocking an IP address which persists in authentication failures.

It also permits to send an email to the configured recipient when the limit is reached.

The IPBAN resource puts in the blacklist the source IP address that has generated a number of authentication failures (for example, wrong username and / or password for FTP access).

If an IP fails to authenticate MAX-FAIL times within FIND-TIME minutes, the error condition is reached. If the IP is not present in the WHITE-LIST, then with ACTION:MAIL an email is sent to MAIL-TO and MAIL-TO-LIST, and with ACTION:BAN the IP is banned for BAN-TIME minutes.

Put simply: while the IP address is in the blacklist, its access to the considered resource is inhibited.

Configuring the SMTP resource is needed to send emails.

[Caution]Caution

IPBAN is a service to be configured carefully: if the configuration is wrong, you may lose access to Abilis!

[Important]Important

The blacklist table is stored in the IPBAN.DAT file in the location defined by the WDIR parameter. This means the list will be maintained even after Abilis restart.

30.1.1. IPBAN service parameters

This service is enabled by default for Abilis.

Use the following command to display the parameters of the service; the command d ipban ? displays the meaning of all parameters.

[11:35:17] ABILIS_CPX:d ipban

max-items:3000
ALERT:NO
WDIR:C:\APP\IPBAN\

- IPBAN service defaults ------------------------------------------------------
ACTION:BAN          MAX-FAIL:10     FIND-TIME:1440     BAN-TIME:10080  
WHITE-LIST:PrivateIpAdd

- IPBAN individual services ---------------------------------------------------
---------+------------+-----------+------------+-----------+-------------------
RES:     | ACTION:    | MAX-FAIL: | FIND-TIME: | BAN-TIME: | WHITE-LIST:
---------+------------+-----------+------------+-----------+-------------------
Ssh      | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Telnet   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiSip   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiIax   | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
CtiVo    | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Http     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Ftp      | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Smtp     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------
Pop3     | DFT        | DFT       | DFT        | DFT       | DFT       
---------+------------+-----------+------------+-----------+-------------------

Meaning of the most important parameters:

IP Addresses banning parameter(s):

max-items

Maximal number of simultaneously manageable IP addresses [1000..10000].

ALERT

Send an alert when the table reaches 80% of its capacity [NO, 1..255].

WDIR

Directory where IPBAN data file is saved. Full path with drive letter ['C'..'Z'] terminated by '\'. Max 64 chars. Spaces require double quotes (E.g. "C:\My dir\").

ACTION

Action done when failure limit is reached [NONE: No action has to be executed; BAN: BAN the IP].

MAX-FAIL

Consecutive failures within FIND-TIME that trigger the ACTION [1..255].

FIND-TIME

Time interval for counting the consecutive failures [1..10080 min.].

BAN-TIME

Duration of the banning [NOMAX, 1..43200 min.].

WHITE-LIST

IP addresses that bypass the IPBAN control [#, IP/IR/RU/MR list name].

IP Addresses banning service(s) parameter(s):

ACTION

Action done when the failure limit is reached [DFT: the default configured action; NONE: no action has to be executed; BAN: ban the IP].

MAX-FAIL

Consecutive failures within FIND-TIME that trigger the ACTION [DFT, 1..255].

FIND-TIME

Time interval for counting the consecutive failures [DFT, 1..10080 min.].

BAN-TIME

Duration of the banning [DFT, NOMAX, 1..43200 min.].

WHITE-LIST

IP addresses that bypass the IPBAN control [DFT, #, IP/IR/RU/MR list name].

The following command allows the administrator to change the configuration of the resource:

S IPBAN par:val [par:val] Set IP Addresses banning parameters and defaults

S IPBAN RES:val par:val [par:val] Set IP Addresses banning service(s) parameters

[Caution]Caution

To activate the changes made to the upper case parameters, execute the initialization command init ipban.

30.1.2. IPBAN BANNED

Use the following command to display the banned IP addresses:

[12:23:44] ABILIS_CPX:d ipban banned

---------+---------------+----------+--------------+--------------+-----------+
         |               | Ban time |Remaining time| Elapsed time |  Queries  |
RES      |       IP      |  (min)   |   (mm:ss)    |   (mm:ss)    |           |
---------+---------------+----------+--------------+--------------+-----------+
Telnet    001.064.231.058      43200       21257:25       21942:41           4
Telnet    005.055.192.209      43200       29994:30       13205:37           3
Ssh       222.184.072.066      43200       33526:29        9673:42           5
Ftp       113.110.170.142      43200       42174:08        1025:52           2
...
---------+---------------+----------+--------------+--------------+-----------+

Banned IP addresses:348

In this example, IP 222.184.72.66 is shown blocked for the SSH resource for 43200 minutes.

Meaning of the most important parameters:

Ban time

How long the IP must stay in the banned/alerted state (in min.). Current BAN-TIME parameter value.

Remaining time

How long the IP will still remain in the banned/alerted state (in min.). This value is computed as the difference between BanTime and ElapsedTime.

Elapsed time

Time elapsed since the last query for this banned/alerted IP was received (in min.).

Queries

Number of queries received from this IP once it has been banned/alerted.

[Note]Note

Every query during the BANNED condition restarts the BAN-TIME; in this way, if the attacker continues the connection attempts, it remains banned.

[Important]Important

The blacklist table is stored in the IPBAN.DAT file in the location defined by the WDIR parameter. This means the list will be maintained even after Abilis restart.

To erase an IP from the blacklist use the following command:

[12:22:38] ABILIS_CPX:c ipban banned res:ssh ip:222.184.72.66

COMMAND EXECUTED 

[12:22:54] ABILIS_CPX:d ipban banned                             

---------+---------------+----------+--------------+--------------+-----------+
         |               | Ban time |Remaining time| Elapsed time |  Queries  |
RES      |       IP      |  (min)   |   (mm:ss)    |   (mm:ss)    |           |
---------+---------------+----------+--------------+--------------+-----------+
Telnet    001.064.231.058      43200       21257:25       21942:41           4
Telnet    005.055.192.209      43200       29994:30       13205:37           3
Ftp       113.110.170.142      43200       42174:08        1025:52           2
...
---------+---------------+----------+--------------+--------------+-----------+

Banned IP addresses:347

30.1.3. IPBAN FOUND

Use the following command to display the currently found IP addresses (neither alerted nor banned):

[12:58:38] ABILIS_CPX:d ipban found

---------+---------------+-----------+-------------+--------------+
         |               | Failures  |  Find time  |Remaining time|
RES      |       IP      | (cur/max) |    (min)    |   (mm:ss)    |
---------+---------------+-----------+-------------+--------------+
Ssh       003.092.137.028         1/5          1440        1023:58
Ssh       008.026.094.190         1/5          1440        1260:59
Ssh       014.139.233.194         1/5          1440         976:19
Ssh       018.212.135.179         1/5          1440         341:16
Ssh       027.050.024.083         1/5          1440         852:21
Ssh       031.007.206.108         1/5          1440         505:19
Ssh       035.220.225.212         2/5          1440         587:20
Ssh       035.222.086.085         1/5          1440         669:20
Ssh       035.227.045.006         1/5          1440         649:13
Ssh       036.073.128.176         1/5          1440         811:04
Ssh       037.212.162.168         1/5          1440         901:09
Ssh       040.124.004.131         1/5          1440         547:00
Ssh       041.208.222.165         1/5          1440        1007:34
Ssh       041.226.024.021         2/5          1440         547:00
Ssh       079.036.199.008         2/5          1440        1064:19
Ssh       104.129.012.044         3/5          1440         623:24
...
---------+---------------+-----------+-------------+--------------+

Found IP addresses:113

Meaning of the most important parameters:

Failures

Number of failures done for this IP.

Find time

How long the IP can stay in the found state (in min.). Current FIND-TIME parameter value.

Remaining time

How long the IP will still remain in the found state (in min.). This value is computed as the difference between FindTime and ElapsedTime.
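The failure counting and banning rules described at the start of this chapter (MAX-FAIL consecutive failures within FIND-TIME, WHITE-LIST bypass, BAN-TIME), together with the Note in 30.1.2 (every query from a banned IP restarts BAN-TIME) and the "Remaining time" columns of 30.1.2 and 30.1.3 (window length minus elapsed time), can be read as a small state machine. The following Python model is an added example written for this page, not Abilis code: the names IpBanResource, Entry, auth_failure(), query(), remaining() and demo(), the sample addresses, and the use of the RFC 1918 ranges for WHITE-LIST:PrivateIpAdd are all assumptions, as is starting the FIND-TIME window at an IP's first failure, which the manual does not state.

```python
"""Reference model of the IPBAN found/banned logic described in this chapter.
Added example, not Abilis code: IpBanResource, auth_failure(), query(), remaining()
and the sample addresses are constructed. Times are minutes (FIND-TIME/BAN-TIME units)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: WHITE-LIST:PrivateIpAdd modelled as the RFC 1918 ranges.
PRIVATE_IP_ADD = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Entry:
    """One IPBAN table row: a 'found' IP, or a banned one when banned_at is set."""
    first_fail: float                  # start of the FIND-TIME window (assumed: first failure)
    failures: int = 0                  # 'Failures' column of 'd ipban found'
    banned_at: Optional[float] = None  # when BAN-TIME started or was last restarted
    queries: int = 0                   # 'Queries' column of 'd ipban banned'


@dataclass
class IpBanResource:
    """IPBAN state for one protected resource (Ssh, Telnet, ...); manual defaults."""
    max_fail: int = 10
    find_time: float = 1440
    ban_time: Optional[float] = 10080  # None models BAN-TIME:NOMAX
    action: str = "BAN"                # NONE or BAN
    white_list: list = field(default_factory=lambda: list(PRIVATE_IP_ADD))
    table: dict = field(default_factory=dict)

    def whitelisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.white_list)

    def _live_entry(self, ip: str, now: float) -> Optional[Entry]:
        """Return the entry for ip, dropping it first if its time window has run out."""
        e = self.table.get(ip)
        if e is None:
            return None
        if e.banned_at is not None:
            expired = self.ban_time is not None and now - e.banned_at >= self.ban_time
        else:
            expired = now - e.first_fail >= self.find_time
        if expired:
            del self.table[ip]
            return None
        return e

    def is_banned(self, ip: str, now: float) -> bool:
        e = self._live_entry(ip, now)
        return e is not None and e.banned_at is not None

    def query(self, ip: str, now: float) -> bool:
        """Connection attempt; True if the service may go on to authentication.
        Per the Note in 30.1.2, a query from a banned IP restarts its BAN-TIME."""
        e = self._live_entry(ip, now)
        if e is not None and e.banned_at is not None:
            e.queries += 1
            e.banned_at = now
            return False
        return True

    def auth_failure(self, ip: str, now: float) -> str:
        """Wrong-password notification from the protected service (an AUTH-FAIL)."""
        if self.whitelisted(ip):
            return "WHITELISTED"
        e = self._live_entry(ip, now)
        if e is not None and e.banned_at is not None:
            return "BANNED"
        if e is None:
            e = self.table[ip] = Entry(first_fail=now)
        e.failures += 1
        if e.failures >= self.max_fail and self.action == "BAN":
            e.banned_at, e.queries = now, 0
            return "BANNED"
        return "FOUND"  # with ACTION:NONE the IP is only kept counted

    def remaining(self, ip: str, now: float) -> Optional[float]:
        """'Remaining time' column: window length minus elapsed time."""
        e = self._live_entry(ip, now)
        if e is None:
            return None
        if e.banned_at is not None:
            return None if self.ban_time is None else self.ban_time - (now - e.banned_at)
        return self.find_time - (now - e.first_fail)


def demo() -> dict:
    """Constructed trace with small limits so the whole life cycle fits in a few steps."""
    ssh = IpBanResource(max_fail=3, find_time=10, ban_time=60)
    attacker, insider = "203.0.113.9", "192.168.1.5"  # RFC 5737 / RFC 1918 sample addresses
    return {
        "insider": ssh.auth_failure(insider, 0),        # WHITELISTED: never counted
        "fail1": ssh.auth_failure(attacker, 0),         # FOUND (1/3)
        "fail2": ssh.auth_failure(attacker, 1),         # FOUND (2/3)
        "fail3": ssh.auth_failure(attacker, 2),         # BANNED at t=2 for 60 min
        "query_at_50": ssh.query(attacker, 50),         # False, and BAN-TIME restarts at 50
        "banned_at_100": ssh.is_banned(attacker, 100),  # still banned thanks to the restart
        "banned_at_110": ssh.is_banned(attacker, 110),  # 50 + 60 reached: entry removed
    }
```

Running demo() shows why the restart rule matters: without it the ban started at t=2 would have lapsed at t=62, but the query at t=50 pushes expiry to t=110. The same model also shows the FIND-TIME side, where an IP whose window runs out before reaching MAX-FAIL is dropped and starts counting from one again, which is what the "Remaining time" column of d ipban found is counting down to.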

30.1.4. IPBAN diagnostics and statistics

30.1.4.1. IPBAN diagnostics

This command reports the current situation of the IPBAN resource:

[12:51:21] ABILIS_CPX:d d ipban

-----------+----------+
MAX-ITEMS  |      3000|
CUR-FREE   |       854|
CUR-USED   |      2146|
PEAK-USED  |      2360|
OVERFLOW   |         0|
STATE      |    NORMAL|
-----------+----------+

-----------+-----------+-----------+
RES:       |   FOUND   |  BANNED   |
-----------+-----------+-----------+
Ssh        |         35|         48|
Telnet     |        152|       1909|
CtiSip     |          0|          0|
CtiIax     |          0|          0|
CtiVo      |          0|          0|
Http       |          0|          0|
Ftp        |          0|          0|
Smtp       |          0|          0|
Pop3       |          0|          0|
-----------+-----------+-----------+
TOTAL      |        187|       1957|
-----------+-----------+-----------+

The meaning:

MAX-ITEMS

Current maximum number of IP addresses that can be stored in the ban list.

CUR-FREE

Current number of free places in the ban list.

CUR-USED

Current number of used places in the ban list.

PEAK-USED

Peak number of used places in the ban list.

OVERFLOW

Number of ban list overflows.

STATE

State of IPBAN database:

  • NORMAL - IPBAN database content is lower than 80% of capacity.

  • WARNING - IPBAN database content reached 80% of capacity.

  • OVERFLOW - IPBAN database is full.

Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo FOUND

Number of entries that hold a found IP for Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo BANNED

Number of entries that hold a banned IP for Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

TOTAL FOUND/ALERTED/BANNED

Total number of entries that hold a found/alerted/banned IP.

30.1.4.2. IPBAN statistics

This command can help to understand what is happening in case of trouble:

[12:59:56] ABILIS_CPX:d s ipban

--- Cleared 97 days 01:22:24 ago, on 13/03/2024 at 11:51:17 -------------------
-----------+-----------+-----------+
RES:       |AUTH-FAIL: |QUERIES:   |
-----------+-----------+-----------+
Ssh        |       7067|    1704121|
Telnet     |     246903|     503287|
CtiSip     |          0|          0|
CtiIax     |          0|          0|
CtiVo      |          0|     206153|
Http       |          4|       1108|
Ftp        |          0|          0|
Smtp       |          0|       5675|
Pop3       |          0|          0|
-----------+-----------+-----------+
TOTAL      |     253974|    2420344|
-----------+-----------+-----------+

With reference to the time interval shown in the header line (e.g. «Cleared 2 days 19:57:37 ago»), these counters show:

AUTH-FAIL

Number of wrong-password notifications received from Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo.

QUERIES

Number of Telnet/Ssh/CtiSip/CtiIax/Smtp/Pop3/Http/Ftp/CtiVo queries.

TOTAL

Total number of AUTH-FAIL, QUERIES, MAIL-SUCC, MAIL-FAIL.