Locks do not work anymore #4
Comments
I experience the same troubles.
We found the problem in the meantime. IDDS blocks all IP addresses in one firewall rule called "Blocked by Cyberarms Intrusion Detection_BlockAttacker_AllPorts", and the rule can only store a certain number of IP addresses to block (256? or fewer?). You can delete the rule to get blocking of current IPs running again (IDDS will create a new rule). Or you can rename the rule to block the collected addresses permanently.
This problem is caused by the setting "Never unlock". As the IP addresses within a Windows Firewall rule are limited by number of characters, the maximum number of locks can be around 1000-1200 addresses.
I now have more than 3000 IP locks. I was running it with permanent locks; I want those bastards to be locked out forever (!!!)
Hi Johan
That's right. The software currently supports only the single rule. On systems under heavy attack, it might not make sense to lock the guys forever. They might use 100,000 bots to attack your system, which will end up with very poor performance, as the firewall has to check against the rules on every connection request.
The single attacking system is not that important to script kiddies who have their botnet.
The lockout-forever feature was requested by a former customer and only makes sense when you just have a couple of idiots trying to hack you. In case of a DDoS attack or a distributed break-in attempt, it could speed up the DDoS.
With the default setting in place, Cyberarms blocks the brute-force attack within the first few attempts, which slows down the process. If one bot has about three to five attempts per 30 minutes, it will be impossible to crack passwords within thousands of years, whereas thousands of attempts per second (without IDDS) might crack it within days.
Best regards
Max
Maxemilian Hilbrand (Software & Systeme)
CH: +41 71 511 722 0
AT (mobile): +43 660 703 92 54
[email protected]
isicore AG • Unterlettenstrasse 14 • CH-9443 Widnau
Place of jurisdiction CH-9450 Altstätten, UID CHE-110.354.078
Chairman of the board: Maxemilian Hilbrand
www.isicore.com | [email protected]
From: johanthegreat <[email protected]>
Sent: Monday, 12 November 2018 14:15
To: EFTEC/Cyberarms <[email protected]>
Cc: Maxemilian Hilbrand <[email protected]>; Comment <[email protected]>
Subject: Re: [EFTEC/Cyberarms] Locks do not work anymore (#4)
I now have more than 3000 IP locks. I was running it with permanent locks; I want those bastards to be locked out forever (!!!)
After some hours of trying different solutions I had to delete cyberarms.idds.dbf, and after that I had to delete the rule created by Cyberarms in Windows Firewall. That also made all other configuration disappear, like my whitelist, which I had to create all over again.
If Windows has this limitation (256, 1000 or whatever), it would be good to have Cyberarms automatically create a second, and a third, rule to split them up in Windows Firewall. I tried to manually copy the rule, but then just one more rule with exactly the same name showed up, which I guess Cyberarms will not be able to start over with.
OK, that's all for now.
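The thread above identifies two distinct things a Windows admin running Cyberarms ends up doing by hand: splitting a lock list that has outgrown the single firewall rule across several rules (Johan's request), and checking whether an address that shows up in the lock table is actually present in an enabled, effective block rule (the "locked but still brute-forcing" reports later in the thread). The PowerShell below is an added example, not Cyberarms' own code. It assumes the Cyberarms rule is addressed by the DisplayName quoted above, that 500 addresses per rule is comfortably under the per-rule limit the thread reports (1000-1200), and it uses a constructed sample list of 10.0.0.0/8 addresses rather than real attacker data. It writes its own rules under a separate base name ('Manual_BlockAttacker_AllPorts', an assumed name) so it does not fight with the rule the IDDS service manages.

```powershell
# Added example (not part of the Cyberarms project). Requires an elevated session.
# Assumption: the Cyberarms rule is found by this DisplayName (taken from the thread).
$CyberarmsRule = 'Blocked by Cyberarms Intrusion Detection_BlockAttacker_AllPorts'

function Get-BlockRuleReport {
    # Explain why $Ip might still get through: rule missing or duplicated, rule
    # disabled, wrong action/direction, address absent from the RemoteAddress
    # filter, or a firewall profile that is switched off entirely.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Ip
    )
    $problems = @()
    $rules = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { return @("rule '$DisplayName' does not exist") }
    if ($rules.Count -gt 1) { $problems += "$($rules.Count) rules share the name '$DisplayName'" }
    $rule = $rules[0]
    if ("$($rule.Enabled)"   -ne 'True')    { $problems += 'rule is disabled' }
    if ("$($rule.Action)"    -ne 'Block')   { $problems += "rule action is $($rule.Action), not Block" }
    if ("$($rule.Direction)" -ne 'Inbound') { $problems += "rule direction is $($rule.Direction), not Inbound" }
    $addrs = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($addrs -notcontains $Ip) {
        $problems += "$Ip is not in the RemoteAddress list ($($addrs.Count) entries)"
    }
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') { $problems += "firewall profile '$($p.Name)' is disabled" }
    }
    if ($problems.Count -eq 0) { $problems += "OK: $Ip is blocked by '$DisplayName'" }
    return $problems
}

function Sync-BlockRules {
    # Write the address list into rules "<BaseName>_1", "<BaseName>_2", ... with
    # at most $ChunkSize addresses each, and delete chunk rules that are no
    # longer needed. Distinct names avoid the duplicate-name problem seen when
    # a rule is copied in the firewall console. Returns the number of chunks.
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [Parameter(Mandatory)][string]$BaseName,
        [int]$ChunkSize = 500   # assumed safe size; the thread reports failures above ~1000-1200
    )
    $unique = @($Addresses | Sort-Object -Unique)
    $chunks = [int][math]::Ceiling($unique.Count / $ChunkSize)
    for ($i = 0; $i -lt $chunks; $i++) {
        $name  = '{0}_{1}' -f $BaseName, ($i + 1)
        $last  = [math]::Min(($i + 1) * $ChunkSize, $unique.Count) - 1
        $slice = $unique[($i * $ChunkSize)..$last]
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $slice
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Profile Any -Enabled True -RemoteAddress $slice | Out-Null
        }
    }
    # Remove stale chunk rules left behind when the list shrinks.
    Get-NetFirewallRule -DisplayName "$($BaseName)_*" -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '_(\d+)$' -and [int]$Matches[1] -gt $chunks } |
        Remove-NetFirewallRule
    return $chunks
}

# Constructed sample: 1200 distinct private addresses, enough to exceed the
# single-rule limit described in the thread. In practice feed in the IDDS lock table.
$sample = 0..1199 | ForEach-Object { '10.0.{0}.{1}' -f [math]::Floor($_ / 256), ($_ % 256) }

$n = Sync-BlockRules -Addresses $sample -BaseName 'Manual_BlockAttacker_AllPorts' -ChunkSize 500
"created/updated $n chunk rules"

# Exactly one chunk rule should report OK for a sample address; the others
# report that the address is not in their list.
foreach ($k in 1..$n) {
    Get-BlockRuleReport -DisplayName "Manual_BlockAttacker_AllPorts_$k" -Ip '10.0.4.100'
}

# The same check against the rule Cyberarms itself maintains.
Get-BlockRuleReport -DisplayName $CyberarmsRule -Ip '10.0.0.1'
```

Run this on a test VM rather than a production host: Sync-BlockRules creates real inbound block rules for the sample addresses, and `Remove-NetFirewallRule -DisplayName 'Manual_BlockAttacker_AllPorts_*'` cleans them up. The report function is the useful part for the later comments in this thread: if it prints "rule is disabled", a disabled profile, or an address count far below the lock table, the firewall side is where the locks are being lost, not the detection side.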
It is still an issue currently at version 2.2.0.
The new version 2.3 will be available soon. The lockout-forever function will be removed because of those issues. We will cover the problem with persistent annoying attackers in a different and more global way in the near future.
Kazan
Can you please check if the Windows Firewall Policy is enabled?
Thank you
Max
From: kazan
Sent: Thursday, 22 December 2022 11:49
To: EFTEC/Cyberarms
Cc: Maxemilian Hilbrand; Comment
Subject: Re: [EFTEC/Cyberarms] Locks do not work anymore (#4)
Sorry to bring up this old topic, but the problem seems to be quite serious.
There seems to be a serious issue with version 2.2.0 (unless I'm missing something) where, under heavy brute-force attack, the software doesn't lock the IP (doesn't add the IP to Cyberarms' firewall rule). I never had "Hard lock forever" enabled. Cyberarms' firewall rule contains about 5 IPs.
My settings (screenshot): https://user-images.githubusercontent.com/11707335/209116770-354ba9a3-d985-4b74-9657-fedb848ccf2d.png
As you can see below, there are thousands of incidents and the IP was never locked. Any suggestions?
Incident list (screenshot): https://user-images.githubusercontent.com/11707335/209117037-12aff8cd-875e-4e6c-b63f-11d0b51f2cf9.png
Yes, the firewall policy is enabled. I've been using Cyberarms for a very long time and it works "9 out of 10 times".
We discovered that the locks (here RDP) do not keep the attackers away on various systems. The IPs get locked and are shown in the lock table, but the attacker is still able to brute-force. On some systems there is also an unlock error, which may be a hint. Reinstalling does not solve the problem.