How does the new blacklist automatic trigger work?

In Syncplify.me Server! version 1.1.6.16 we have introduced an additional automatic triggering method for the blacklist, and several users asked us to explain how it works with more detail.

Previous versions were already able to trigger automatic blacklisting of a client IP address after a configurable number of failed authentication attempts.

In the screenshot below, for instance, an IP address is blacklisted (and banned for 15 minutes) after committing 3 authentication errors in less than 20 minutes.

[Screenshot: main_security]

So, the key concept here is: what is an authentication error?

In older versions of Syncplify.me Server!, an authentication error was counted only when the remote client had sent wrong (but complete) authentication data. Typical scenarios were:

  1. Wrong username or wrong password
  2. Wrong username or failed public-key (PKI) verification

The approach above is adequate for the FTP(S) protocols, but SFTP, being a subsystem of SSH, has one more tricky situation that needs to be addressed. The SSH protocol splits user authentication into two parts: in the first part the remote client only sends a request naming the user it wants to authenticate as (typically with the "none" method, to learn which authentication methods the server will accept for that user), and only after the server has answered does the client send the full authentication data, whether username/password or username/key.

As of version 1.1.6.16, Syncplify.me Server! also increments the error count when that preliminary request names a user profile that does not exist. This defeats not only password guessing, but also the most common username-harvesting technique used against SSH/SFTP servers: probing candidate usernames one by one and watching how the server responds before any credentials are sent. The flip side is that a legitimate client that mistypes its username now also consumes one of the allowed errors, so keep the threshold in mind when choosing it.
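To make the two mechanisms concrete, here is an added example, written for this page and not taken from Syncplify.me Server!'s own code, that models both the sliding-window counter from the screenshot (3 errors in under 20 minutes, 15-minute ban) and the new rule that a preliminary SSH "none" request for a non-existent user counts as an error. The `AutoBlacklist` class, the `handle_userauth_request` function, the `KNOWN_USERS` table and the IP addresses are all constructed for the demonstration; the reply strings are simplified stand-ins for the real SSH_MSG_USERAUTH_FAILURE / SUCCESS messages.

```python
from collections import defaultdict, deque

# Settings matching the screenshot discussed above (assumed defaults).
MAX_ERRORS = 3              # errors that trigger a ban
ERROR_WINDOW_S = 20 * 60    # errors must fall within this many seconds
BAN_DURATION_S = 15 * 60    # how long the IP stays blacklisted


class AutoBlacklist:
    """Per-IP sliding-window error counter with a temporary ban list."""

    def __init__(self, max_errors=MAX_ERRORS, window_s=ERROR_WINDOW_S,
                 ban_s=BAN_DURATION_S):
        self.max_errors = max_errors
        self.window_s = window_s
        self.ban_s = ban_s
        self._errors = defaultdict(deque)   # ip -> timestamps of recent errors
        self._banned_until = {}             # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban has lapsed, forget it
            del self._banned_until[ip]
            return False
        return True

    def record_error(self, ip, now):
        """Count one authentication error; return True if it triggered a ban."""
        q = self._errors[ip]
        q.append(now)
        # Drop errors that are no longer "in less than window_s" of now.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_errors:
            self._banned_until[ip] = now + self.ban_s
            q.clear()
            return True
        return False


# Constructed demo accounts (plaintext only to keep the example short).
KNOWN_USERS = {"alice": "s3cret", "bob": "hunter2"}
FAILURE = "userauth failure, methods: password,publickey"


def handle_userauth_request(bl, ip, username, method, secret, now):
    """Simulate the server side of one SSH userauth request.

    Returns (reply, banned_now). A 'none' request is the preliminary step
    described in the post; it gets the same reply whether or not the user
    exists, but a probe for an unknown user is counted as an error so the
    enumeration cannot be repeated for free.
    """
    if bl.is_banned(ip, now):
        return "disconnect: blacklisted", True
    user_exists = username in KNOWN_USERS
    if method == "none":
        banned = bl.record_error(ip, now) if not user_exists else False
        return FAILURE, banned
    if user_exists and method == "password" and secret == KNOWN_USERS[username]:
        return "userauth success", False
    # Wrong username, wrong password or unsupported method: always an error.
    banned = bl.record_error(ip, now)
    return FAILURE, banned


def demo_username_harvest():
    """An attacker probes three guessed usernames with 'none' from one IP
    within a few minutes: the third probe triggers the ban, a later valid
    login from that IP is refused, and it succeeds once the ban lapses."""
    bl = AutoBlacklist()
    ip = "203.0.113.7"          # constructed attacker address (TEST-NET-3)
    t0 = 1_700_000_000
    r1 = handle_userauth_request(bl, ip, "root", "none", None, t0)
    r2 = handle_userauth_request(bl, ip, "admin", "none", None, t0 + 60)
    r3 = handle_userauth_request(bl, ip, "oracle", "none", None, t0 + 120)
    r4 = handle_userauth_request(bl, ip, "alice", "password", "s3cret", t0 + 180)
    r5 = handle_userauth_request(bl, ip, "alice", "password", "s3cret",
                                 t0 + 180 + BAN_DURATION_S)
    return [r1[1], r2[1], r3[1], r4[0], r5[0]]


if __name__ == "__main__":
    print(demo_username_harvest())
```

Two design points worth noting: the "none" request gets an identical reply whether the user exists or not, so the response itself leaks nothing, and the counter is per source IP, so an attacker spreading probes over many addresses still has to pay the error budget on each one.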

Another step forward in security and peace of mind.
