6. Active defense
All the filters discussed so far (authorized user profiles, authorized FTP operations, allowed directories, IP address lists)
make up a passive defense. However, passive defenses are not always enough to discourage hackers from further attempts.
Active defense brings in the idea that, if someone is trying to overcome our defenses, he will, at least at the beginning,
make some errors by stumbling into some of the passive defenses. After recognizing such events, our active defense will start
rejecting any request coming from the "delinquent" IP address for a time long enough to discourage further assaults.
Warning. Active defense is a rather sophisticated weapon that requires some familiarity with SECTCP. It is therefore recommended
not to use it until you feel completely in control of the passive defenses.
To set your Active Defense strategy, use Option 6 (Active Defense) from the "Secured TCP Menu" in Figure 2.
You will receive the following screen:
|Figure 8 - Active Defense initial menu|
Take Option 1 (Define your Active Defense strategy) to display the following screen:
|Figure 9 - Active Defense options|
- Enable Active Defense
Enter Y to enable it, enter N to disable it.
The execution is immediate (no need to restart FTP).
- Maximum number of consecutive security violations / Number of penalty minutes ...
By security violation we mean that the remote FTP user entered a command that was blocked by the SECTCP passive defenses.
When a remote FTP user exceeds the specified maximum number of consecutive security violations, its IP address is sent to jail
for the number of minutes specified. During this period of time, any FTP request coming from that IP address is rejected, including new
- Check also privileged IP addresses
If you specify Y, all privileges given to the privileged IP addresses are suspended
(a red warning appears on the screen).
- Maximum number of consecutive invalid logon attempts / Whenever ... enroll ...
This is the most severe feature that you may enable. If someone tries to log on to FTP and is not able to specify an authorized user profile and the
related password for more than a given number of consecutive attempts, the connecting IP address is added to the list of the
excluded IP addresses. In this way that IP address will be rejected forever, until you
remove it from the excluded list.
Work with client IP addresses violating security
Every time an FTP client exceeds the maximum number of consecutive security violations and is sent to jail for the specified number of minutes,
the event is logged on a "delinquent IP address journal". To display this journal, use Option 2 from the screen in Figure 8.
A screen like the following is displayed:
|Figure 10 - Delinquent IP address journal|
The entries are listed in date and time descending order. Let us comment on them.
- The first entry is related to a jailing event not yet expired (the expiration time is displayed in red color).
The offending IP address was able to login through an authorized user profile,
then had a sequence of 6 consecutive violations (Maximum number of consecutive security violations was 5).
The letter C preceding the number of violations means that the violations were in trying to execute
non-allowed commands or trying to access non-allowed directories.
- The second entry is related to a jailing event already expired.
The offending IP address had a sequence of 4 consecutive violations (Maximum number of consecutive invalid logon attempts was 3).
The letter L preceding the number of violations means that the violations were in trying
to login with a user profile not in the list of authorized user profiles.
As a consequence, the IP address was added to the excluded IP address list.
- Use option 4 to remove an entry. If you use this option on an entry related to a jailing period not yet expired, you will
cancel the penalty.
- Use option 5 to display the FTP log (if active) for the period of time when the violations occurred, so that you may know
what the offending FTP requests were.
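The jailing and exclusion rules of the options above, and the C/L journal entries they produce, as an added Python simulation (this is not SECTCP's own code; that an allowed request ends a "consecutive" streak, that privileged addresses bypass active defense unless the check is on, and that an L event also gets a timed jail entry are assumptions drawn from the descriptions above):

```python
class ActiveDefense:
    """Simulation of the active-defense rules described above; semantics are assumed."""
    def __init__(self, max_violations=5, penalty_minutes=10, max_bad_logons=3,
                 check_privileged=False, privileged=()):
        self.max_violations = max_violations    # consecutive blocked commands before jail
        self.penalty_minutes = penalty_minutes  # length of the jail period
        self.max_bad_logons = max_bad_logons    # consecutive invalid logons before exclusion
        self.check_privileged = check_privileged
        self.privileged = set(privileged)
        self.strikes = {}        # ip -> consecutive blocked commands/directories ("C")
        self.bad_logons = {}     # ip -> consecutive invalid logon attempts ("L")
        self.jailed_until = {}   # ip -> timestamp (seconds) when the penalty expires
        self.excluded = set()    # rejected forever, until an administrator removes the entry
        self.journal = []        # newest first, like the delinquent IP address journal

    def is_rejected(self, ip, now):
        """Every request from a jailed or excluded address is refused, logon included."""
        until = self.jailed_until.get(ip)
        return ip in self.excluded or (until is not None and now < until)

    def record(self, ip, event, now):
        """Feed one request outcome. event is 'ok' (passive filters allowed it),
        'blocked' (a non-allowed command or directory) or 'badlogon'. now is a
        Unix timestamp in seconds, e.g. time.time()."""
        if self.is_rejected(ip, now):
            return "rejected"
        if ip in self.privileged and not self.check_privileged:
            return "allowed"   # assumption: privileges bypass active defense unless checked
        if event == "ok":      # assumption: an allowed request ends any 'consecutive' streak
            self.strikes[ip] = self.bad_logons[ip] = 0
            return "allowed"
        if event == "blocked":
            n = self.strikes[ip] = self.strikes.get(ip, 0) + 1
            if n > self.max_violations:         # 6 strikes with a maximum of 5, as in Figure 10
                return self._jail(ip, "C", n, now)
            return "blocked"
        if event == "badlogon":
            n = self.bad_logons[ip] = self.bad_logons.get(ip, 0) + 1
            if n > self.max_bad_logons:
                self.excluded.add(ip)           # the most severe outcome: permanent exclusion
                return self._jail(ip, "L", n, now)
            return "blocked"
        raise ValueError(f"unknown event {event!r}")

    def _jail(self, ip, kind, n, now):
        expires = now + self.penalty_minutes * 60
        self.jailed_until[ip] = expires
        self.journal.insert(0, {"when": now, "ip": ip, "kind": kind, "violations": n, "expires": expires})
        self.strikes[ip] = self.bad_logons[ip] = 0
        return "excluded" if kind == "L" else "jailed"
```

Removing an address from `jailed_until` before its expiry corresponds to Option 4 on a journal entry whose penalty has not yet expired.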