The IP Manager
The “General” page
The Cerberus FTP Server IP Manager allows an administrator to selectively allow or deny access to the FTP server based upon IP address. The IP manager functions in one of two policy modes, either denying any IP addresses listed from logging into Cerberus FTP Server (functioning as a Blacklist), or only allowing IP addresses listed to log in (a Whitelist). The policy mode is controlled by a radio button at the bottom of the “General” tab page.
The IP list shows the IP address or IP address range and how long that address or address range is blocked for. Possible options for block time are “Forever” (Blacklist mode), “Never” (Whitelist mode), or a date/time value. If a date/time value is present, the IP address or IP address range is blocked from connecting until that date/time has elapsed (Blacklist or Whitelist mode). You can change how long an IP address entry is blocked for by right-clicking on that IP entry and selecting “Change Time” from the context menu that appears.
Adding a single IP address to the IP manager policy
IP addresses can be managed individually, or whole ranges of addresses can be affected by the current policy. To add a single address to the current policy, make sure the “Assign a range of addresses” check box is unselected. Then, enter the IP address you wish to add to the first IP address box. Finally, click the “Add” button immediately below the IP address box.
Adding a range of IP addresses to the IP manager policy
To add a range of addresses, first ensure the “Assign a range of addresses” check box is selected. Then, enter the beginning IP address in the “IP From” box and the ending IP address in the “IP To” box. The range will be interpreted as a contiguous range of addresses to block or allow. Finally, click the Add button immediately below the IP address box.
You can also enter a range of IP addresses in CIDR notation using the CIDR edit box. You can enter one CIDR range or multiple CIDR ranges. To enter multiple CIDR ranges, separate each CIDR range with a space or comma. The CIDR address will be converted to a contiguous range and added to the IP Manager list.
Deleting IP addresses from the current policy
To delete either an IP address or range of IP addresses from the current policy, select the item from the “IP Addresses” list view box. Once selected, press the Delete button. You can also select and delete multiple items at once from the IP manager by ctrl or shift-clicking multiple items in the list box. NOTE: You can also delete an IP address or a range of IP addresses by right-clicking on the selected IP and selecting “Delete” from the menu that appears.
Searching for an IP address
You can use the “Find” button at the top of the IP list box to search for an IP address in the list box. The “Find” button will select the first IP address or range of IP addresses containing the IP address you are searching for.
The “Auto-Blocking” page
The other use for the IP manager is the ability to configure an auto-blocking policy for the FTP server. Administrators can use the auto-blocking policy to help prevent DoS (Denial of Service) and brute force password guessing. If the auto-blocking policy is enabled, a user that continually fails to log into the server will be blocked from trying after a certain number of failed attempts. The number of failed attempts and the length of time the IP address will be blocked from attempting to log in can be configured from the “Auto-Blocking” page.
When Enable Auto-Blocking is enabled a failed attempt is logged whenever a user enters an incorrect password or tries to login with an invalid username. If Enable DoS Protection is selected then any attempt to connect to the server will be counted towards auto-blocking, even if the connection doesn’t attempt to authenticate. This can help prevent DoS attacks that try to tie up connections and overwhelm the server. DoS Protection can also be useful for services continuously probing the server with garbage data attempting to find security vulnerabilities. However, a successful login from an IP address resets the “Failed login attempts” counter to zero for the IP address.
The number of failed login attempts can be configured from the Pre-Blocked Settings frame. The Time before login counter reset edit control can be used to set the amount of time that must elapse before the Failed login attempt counter is reset.
The length of time an address is blocked can be configured using the Auto-Block Timeout setting. Select the Forever radio button to block a flagged IP address indefinitely, or select the “Block for X minutes” radio button to set the length of time the address is blocked. Once an address is blocked, the timeout period must elapse before the address is allowed to log in again.
IP addresses that have recently failed logins, but have not yet exceeded the Failed login attempt threshold, are displayed in the IP Addresses being “watched” list view. You can freely delete an address from the list view. Deleting the address has the effect of resetting the Failed Login attempt counter for that address to zero.
Immediately Ban these Users
Certain usernames are often tried by automated bots. You can configure Cerberus to automatically block the IP of any connection that attempts to login using one of these banned user names.
Differences in Auto-blocking between Blacklist mode and Whitelist mode
How auto-blocking works differs depending upon whether the IP manager is functioning in Blacklist or Whitelist mode. If the IP manager is functioning as a Blacklist (denying addresses listed in the IP manager), then whenever a connection exceeds the failed login attempt threshold, that connection’s IP address is added to the deny list.
Auto-blocking works differently for Whitelist mode (allowing only addresses listed to login to the server). In Whitelist mode, whenever a failed login attempt exceeds the failed login threshold, the IP address is either removed from the IP manager’s list of allowed IP addresses (if auto-blocking is set to block failed logins forever) or blocked for the Auto-Block Timeout period. The exception is if the IP address is part of a range of IP addresses. If an IP address is part of a range of allowed IP addresses, that range is not deleted.