Blog

Managed File Transfer and Network Solutions

How To Block Suspicious IP Addresses When MFT Server Is Behind MFT Gateway

Posted by John Carl Villanueva on Thu, Jan 17, 2019 @ 10:07 PM

If you've been using JSCAPE MFT Server, you probably already know it has a built-in feature that enables it to block suspicious IP addresses. However, if your MFT Server instance is placed behind a NAT or reverse proxy like JSCAPE MFT Gateway, there can be a bit of a problem. 

block_ip_mft_gateway

Prefer watching instead of reading? Play the video below.

 

 

Blocking suspicious IP addresses on MFT Server

The feature we're talking about can be found in the Connections module. There you'll find a couple of settings which, if enabled, can disable (block) an IP address. One of them blocks an IP if the client connecting from it has been making too many invalid password attempts. The second one blocks an IP address if the client has been making too many concurrent connections. 

 

disable ip after

 

Let me explain how these settings can be useful. Let's start with the first, i.e. blocking an IP address if the client connecting from it has been making too many invalid password attempts. This can be useful because, although a user that's been making too many invalid password attempts might simply mean that that user might have forgotten his/her password, it could also be indicative of a brute force attack. And one way to counter such an attack is to simply block the attacker's IP address. 

The second one, which blocks an IP address if the client connecting from it has been making too many concurrent connections can also be useful because this behaviour is symptomatic of a Denial-of-Service (DoS) attack. 

Here's a portion of the domain log showing 3 invalid login attempts and a subsequent IP block. 

 

connection rejected

 

You can see all blocked IP addresses in the IP Access module.

 

blocked ip address

 

So, to counter these two types of attacks, you just simply enable and configure those two settings. Problem solved. Umm, not so fast. If your MFT Server is deployed behind a NAT or reverse proxy like MFT Gateway, all source addresses of all incoming connections will be the IP address of MFT Gateway. As a consequence, those settings will end up blocking that IP address and, consequently, all clients (including legitimate ones) that wish to connect to MFT Server but have to go through MFT Gateway.

Not a good thing. So, here's the proper way to do it.

The proper way to block IP addresses

What we need to do involves the following steps. First, we need to change the 'Disable IP...' setting with the 'Flag IP after...' setting. So, instead of immediately blocking the suspicious IP, MFT Server will just flag it first. 

 

flag ip after

 

Second, we need to create a trigger that would listen to the 'IP Flagged' event type and then respond with a 'Gateway Block IP' trigger action. The 'Gateway Block IP' trigger action is designed to work with MFT Gateway so that, instead of having to block the IP address at MFT Server, that responsibility will be delegated to MFT Gateway. This is actually a good thing because MFT Gateway would have knowledge of the actual source IP address of the client that's doing all these invalid login attempts. As such, it would be able to block that IP address itself. 

So, let's just create a new trigger...

 

add trigger for gateway block ip

 

Give it a name and select the IP Flagged event type...

 

add trigger for gateway block ip event type

We can just click Next for now...

 

gateway block ip trigger condition

 

Add the 'Gateway Block IP' trigger action...

 

gateway block ip action

 

And specify the action parameters...

First parameters to enter are the MFT Gateway's IP address and the administrative login credentials.

 

gateway block ip action parameters 1

 

You would also need to enter the Client IP, Client Port, Server IP, and Server Port. The easiest way would be to just use the variables for those values from the Add Variable dialog.

 

gateway block ip action parameters 2b

 

And so, once you've created that trigger, every time a client makes too many invalid login attempts, the IP address of that client will be blocked on the MFT Gateway instance. You can see that trigger being activated in the logs...

 

ip has been blocked on the gateway

 

And see the actual client IP address being blocked in the IP Access module of MFT Gateway.

 

blocked ip at mft gateway

 

Would you like to try this out yourself? Download the free, fully-functional Starter Editions of JSCAPE MFT Server and JSCAPE MFT Gateway now. 

 

Download JSCAPE MFT Server

Download Now 

 

Download JSCAPE MFT Gateway

Download Now

 

Want to be updated on posts like this? Connect with us...

 

Topics: JSCAPE MFT Server, JSCAPE MFT Gateway, Secure File Transfer, Business Process Automation, Tutorials