Page 6 of 16
FTP settings (5/7)
6. Active defense

All the filters discussed so far (authorized user profiles, authorized FTP operations, allowed directories, IP address lists) make up a passive defense. However, passive defenses are not always enough to discourage hackers from further attempts.

Active defense builds on the idea that someone trying to overcome our defenses will, at least at the beginning, make some errors by stumbling into some of the passive defenses. After recognizing such events, our active defense starts rejecting any request coming from the "delinquent" IP address for a time long enough to discourage further assaults.

Warning. Active defense is a rather sophisticated weapon that requires some familiarity with SECTCP. It is therefore recommended not to use it until you feel completely in control of the passive defenses.

To set your Active Defense strategy, use Option 6 (Active Defense) from the "Secured TCP Menu" in Figure 2. You will receive the following screen:

Figure 8 - Active Defense initial menu

Take Option 1 (Define your Active Defense strategy) to display the following screen:

Figure 9 - Active Defense options
  1. Enable Active Defense
    Enter Y to enable it, enter N to disable it.
    The execution is immediate (no need to restart FTP).
  2. Maximum number of consecutive security violations / Number of penalty minutes ...
    By security violation we mean that the remote FTP user entered a command that was blocked by the SECTCP passive defenses.
    When a remote FTP user exceeds the specified maximum number of consecutive security violations, its IP address is sent to jail for the number of minutes specified. During this period of time, any FTP request coming from that IP address is rejected, including new logins.
  3. Check also privileged IP addresses
    If you specify Y, all privileges given to the privileged IP addresses are suspended (a red warning appears on the screen).
  4. Maximum number of consecutive invalid logon attempts / Whenever ... enroll ...
    This is the most severe feature that you may enable. If someone tries to log on to FTP and is not able to specify an authorized user profile and the related password within the given number of consecutive attempts, the connecting IP address is added to the list of excluded IP addresses. That IP address is then rejected forever, until you remove it from the excluded list.

Work with client IP addresses violating security

Every time an FTP client exceeds the maximum number of consecutive security violations and is sent to jail for the specified number of minutes, the event is logged on a "delinquent IP address journal". To display this journal, use Option 2 from the screen in Figure 8.
A screen like the following is displayed:

Figure 10 - Delinquent IP address journal

The entries are listed in descending date and time order. Let us comment on them.

  • The first entry is related to a jailing event not yet expired (the expiration time is displayed in red).
    The offending IP address was able to log in through an authorized user profile, then had a sequence of 6 consecutive violations (the maximum number of consecutive security violations was 5).
    The letter C preceding the number of violations means that the violations consisted of trying to execute non-allowed commands or trying to access non-allowed directories.
  • The second entry is related to a jailing event already expired.
    The offending IP address had a sequence of 4 consecutive violations (the maximum number of consecutive invalid logon attempts was 3).
    The letter L preceding the number of violations means that the violations consisted of trying to log in with a user profile not in the list of authorized user profiles. As a consequence, the IP address was added to the excluded IP address list.

Options:

  • Use option 4 to remove an entry. If you use this option on an entry related to a jailing period not yet expired, you cancel the penalty.
  • Use option 5 to display the FTP log (if active) for the period of time when the violations occurred, so that you can see what the offending FTP requests were.
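The following Python model shows how the Active Defense rules of Figure 9 (consecutive-violation counting, a timed jail for C violations, permanent exclusion for L violations, the privileged-address exemption) produce journal entries like those of Figure 10, and how removing an entry cancels a penalty. It is an added example written for this page, not SECTCP code: the event names ("ok", "blocked", "badlogon"), the class and function names, the rule that a run of violations restarts when its kind changes, and the sample IP addresses and timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    enabled: bool = True            # Figure 9, option 1
    max_violations: int = 5         # option 2: consecutive blocked commands/directories
    penalty_minutes: int = 30       # option 2: minutes spent in jail
    check_privileged: bool = False  # option 3: Y suspends the privileged-address exemption
    max_invalid_logons: int = 3     # option 4: consecutive invalid logon attempts


@dataclass
class JournalEntry:
    ip: str
    kind: str                   # 'C' = command/directory violations, 'L' = invalid logons
    count: int
    when: datetime
    expires: Optional[datetime]  # None = added to the excluded list, no expiry


class ActiveDefense:
    """Hypothetical in-memory model of the SECTCP active defense (assumption, not the product)."""

    def __init__(self, policy: Policy, privileged_ips=()):
        self.policy = policy
        self.privileged = set(privileged_ips)
        self.streak = {}    # ip -> [kind, consecutive count]
        self.jail = {}      # ip -> penalty expiry time
        self.excluded = set()
        self.journal = []   # newest first, like Figure 10

    def is_blocked(self, ip, now):
        if ip in self.excluded:
            return True
        expiry = self.jail.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.jail.pop(ip, None)   # penalty expired (or never existed)
        return False

    def handle(self, ip, event, now):
        """event: 'ok' (request accepted), 'blocked' (passive defense refused a
        command or directory) or 'badlogon' (invalid user/password)."""
        if not self.policy.enabled:
            return "allowed"
        if self.is_blocked(ip, now):
            return "rejected"        # jailed or excluded: every request, logins included, is refused
        if event == "ok":
            self.streak.pop(ip, None)  # an accepted request ends the consecutive run
            return "allowed"
        kind = "C" if event == "blocked" else "L"
        if ip in self.privileged and not self.policy.check_privileged:
            return "blocked"         # refused by the passive defense, but no penalty is counted
        prev = self.streak.get(ip)
        count = prev[1] + 1 if prev and prev[0] == kind else 1  # assumption: a new kind restarts the run
        self.streak[ip] = [kind, count]
        if kind == "C" and count > self.policy.max_violations:
            expires = now + timedelta(minutes=self.policy.penalty_minutes)
            self.jail[ip] = expires
        elif kind == "L" and count > self.policy.max_invalid_logons:
            expires = None
            self.excluded.add(ip)
        else:
            return "blocked"
        self.journal.insert(0, JournalEntry(ip, kind, count, now, expires))
        self.streak.pop(ip, None)
        return "jailed" if expires else "excluded"

    def pardon(self, ip):
        """Option 4 of Figure 10: remove the entry and cancel a penalty still in force."""
        self.jail.pop(ip, None)
        self.excluded.discard(ip)
        self.journal = [e for e in self.journal if e.ip != ip]


def simulate():
    """Constructed sample traffic (not from the page) reproducing the two Figure 10 entries."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ad = ActiveDefense(Policy())
    results = []
    # 198.51.100.7 logs in with an authorized profile, then has 6 blocked commands (max 5)
    results.append(ad.handle("198.51.100.7", "ok", t0))
    for i in range(6):
        results.append(ad.handle("198.51.100.7", "blocked", t0 + timedelta(seconds=i + 1)))
    # a new login from the jailed address is rejected during the penalty ...
    results.append(ad.handle("198.51.100.7", "ok", t0 + timedelta(minutes=10)))
    # ... and accepted again once the 30-minute penalty has expired
    results.append(ad.handle("198.51.100.7", "ok", t0 + timedelta(minutes=31)))
    # 203.0.113.9 fails 4 consecutive logons (max 3) and is excluded for good
    for i in range(4):
        results.append(ad.handle("203.0.113.9", "badlogon", t0 + timedelta(minutes=1, seconds=i)))
    results.append(ad.handle("203.0.113.9", "ok", t0 + timedelta(days=365)))
    return ad, results
```

Running `simulate()` yields one C entry (6 violations, timed expiry) and one L entry (4 violations, no expiry), newest first; calling `pardon()` on the excluded address lets it connect again, which is what option 4 does for a penalty still in force.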