9.10. Banning IP addresses
An ip-time-ban authentication method can be used to block/deny authentication requests coming from a specific IP address if they generate a number of consecutive authentication failures. This option can be used to help mitigate DDoS attempts against SFTPPlus services.
9.10.1. Introduction
The ban is active for a time interval, after which authentication requests made from the IP address are accepted again.
When the authentication method is restarted, it will reset its internal record of source IP addresses which have previously generated failed authentication requests.
When the same authentication method is used for multiple file transfer services and the Local Manager services, it will use a single internal state for each username. Multiple consecutive authentication failures for different services have the same effect as multiple consecutive authentication failures for the same service.
Note
Add this authentication method as the first one in the list of active authentication methods to make sure the users are not accepted earlier by other authentication methods.
Warning
If SFTPPlus is behind a load balancer, make sure that Proxy Protocol version 2 is enabled on both the load balancer and the SFTPPlus file transfer services. Otherwise all the authentication requests will be made using the load balancer's own IP address and not the client IP address.
Warning
Do not use this method if SFTPPlus is behind a Proxy/Gateway or any other network device which does not preserve the source IP address of the initial authentication request or does not support Proxy Protocol v2.
The ban applies to the source IP address used to initiate the authentication requests.
If SFTPPlus server is behind a Proxy/Gateway, all requests will come from the gateway's own IP address.
Check that your network is not vulnerable to IP address spoofing.
9.10.2. name
- Default value: ''
- Optional: Yes
- From version: 2.10.0
- Values: Any text.
- Description: Human-readable short text used to identify this method.
9.10.3. description
- Default value: ''
- Optional: Yes
- From version: 2.10.0
- Values: Any text.
- Description: Human-readable text that describes the purpose of this authentication method.
9.10.4. type
- Default value: ''
- Optional: No
- From version: 2.10.0
- Values:
  - application - Application accounts.
  - os - Accounts authenticated by the OS.
  - http - HTTP (unsecured).
  - ip-time-ban - Ban an IP address for a time interval.
  - deny-username - Deny authentication based on usernames.
  - anonymous - Anonymous account authentication.
  - ldap - Authenticate against an LDAP server.
  - local-file - Authenticate the accounts from a separate local file.
  - radius - Authenticate via a RADIUS server.
  - azure-ad - Azure Active Directory.
- Description: This option specifies the type of the method. Each type has a set of specific configuration options.
9.10.5. ban_interval
- Default value: 3600
- Optional: Yes
- Values: Number of seconds.
- From version: 3.2.0
- Description: Number of seconds for which authentication requests from the source IP are denied. The default interval is 1 hour.
9.10.6. ban_after_count
- Default value: 5
- Optional: Yes
- Values: Number of failed attempts.
- From version: 3.2.0
- Description: Number of consecutive failed authentications which will result in blocking the source IP.
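As an added illustration, not SFTPPlus's own code, the following Python model implements the counting rules described on this page: one state table keyed by source IP, a ban once ban_after_count consecutive failures are seen, expiry after ban_interval seconds, a reset of the consecutive count on success, and a full reset on restart. The injectable clock parameter and the authenticate() helper (which stands in for the ip-time-ban method being first in the list, followed by the real credential check) are assumptions made for the example.

```python
import time


class IPTimeBan:
    def __init__(self, ban_after_count=5, ban_interval=3600, clock=time.monotonic):
        self.ban_after_count = ban_after_count
        self.ban_interval = ban_interval  # seconds
        self._clock = clock               # injectable clock (assumption, for testing)
        self._failures = {}               # ip -> consecutive failures so far
        self._banned_until = {}           # ip -> clock value at which the ban lifts

    def is_banned(self, ip):
        """True while a ban is active; an expired ban is forgotten on first check."""
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count one failed authentication from ip; returns True once ip is banned."""
        if self.is_banned(ip):
            return True
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.ban_after_count:
            self._banned_until[ip] = self._clock() + self.ban_interval
            return True
        return False

    def record_success(self, ip):
        """A success breaks the run of consecutive failures."""
        self._failures.pop(ip, None)

    def restart(self):
        """Restarting the method drops all remembered failures and bans."""
        self._failures.clear()
        self._banned_until.clear()


def authenticate(ban, ip, credentials_ok):
    """ip-time-ban runs first; the later methods are simulated by credentials_ok."""
    if ban.is_banned(ip):
        return "banned"
    if credentials_ok:
        ban.record_success(ip)
        return "accepted"
    ban.record_failure(ip)
    return "rejected"
```

Because every service sharing the method calls the same object, failures against SFTP and against the Local Manager from one address add up to one count, which is the behaviour the introduction describes.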