Titan FTP Server - Client keeps getting IP banned for bad user ID

We use TITAN FTP server v11.x.
Having an issue where a clients IP keeps getting blacklisted.
In the logs, i can see that they are logging in with the wrong user ID one time and immediately getting banned.
In settings at user level I have turned off the settings to ban after X attempts, and added their IP to the Client level whitelist.

Logs are below showing the user getting banned. Any idea why the action is so quick and severe? any way to make it a little more forgiving ?

2018-03-01 12:53:37 [2/1256/84c] New incoming connection from IP address: 65.116.210.66, port: 40982, socket=1488
2018-03-01 12:53:37 [2/1256/84c] OnPostCreation(pBaseCxn=0x852fb80,socket=1488), sending the '220 Welcome' message
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 220 Titan FTP Server 11.30.2350 Ready.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: USER [dayco@ftp.completeshipping.ca] ***
2018-03-01 12:53:37 [2/1488/84c] Trying to find user:dayco@ftp.completeshipping.ca
2018-03-01 12:53:37 [2/1488/84c] User "dayco@ftp.completeshipping.ca" not found, we will fail in PASS.; returning 331
2018-03-01 12:53:37 [2/1488/84c] FindUserEx("dayco@ftp.completeshipping.ca") returned Success.
2018-03-01 12:53:37 [2/1488/84c] Adding random sleep activity for 23ms to deter hacker from realizing username is invalid
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 331 User name okay, need password.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: PASS <hidden>
2018-03-01 12:53:37 [2/1488/84c] User "dayco@ftp.completeshipping.ca" not found; returning 530
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 530 Not logged in.
2018-03-01 12:53:38 [2/1488/84c] COMMAND: TYPE [A] ***
2018-03-01 12:53:38 [2/1488/84c] RESPONSE: 200 Type set to A.
2018-03-01 12:53:38 [2/1488/84c] COMMAND: SITE [NAMEFMT 1] ***
2018-03-01 12:53:38 [2/1488/84c] _doPrecheck() - Invalid UserID or UserParams; returning 530
2018-03-01 12:53:38 [2/1488/84c] _precheck() is failing, closing control connection via KickSession
2018-03-01 12:53:38 [2/1488/84c] _doprecheck() failed; returning 530
2018-03-01 12:53:38 [2/1488/84c] RESPONSE: 530 Not logged in.
2018-03-01 12:53:38 [2/1488/84c] DoSendReply() will return an error to KickUserNow. bKickUserNow=1
2018-03-01 12:53:38 [2/1256/84c] Closed connection from IP address: 65.116.210.66, port: 40982
2018-03-01 12:53:38 [2/1256/848] New incoming connection from IP address: 65.116.210.66, port: 15165, socket=1476
2018-03-01 12:53:38 [2/1256/848] ALERT: Client IP 65.116.210.66 banned, rejecting connection

Open in new window

LVL 1
JDCamAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AlanConsultantCommented:
Hi,

I have no experience with that particular software, but one thing I would try is to re-enable the 'settings to ban after X attempts' and change X to something big (9,999,999 or whatever it will take).

Just a shot in the dark, but worth a try.

Good luck!

Alan.
aleghartCommented:
Check the config.  From the docs I see, it's near:  Server > Connections > IP Access.

There are two ways to ban.  Permanently or X-minutes.  Use a 1-minute ban for you users who are keying in passwords manually, and tripping the system.  If 1-minute bans are not sufficient to annoy hack attempts, you can make it 5 minutes.  Frustrating, but survivable, for a fat-fingered user.  For scripted attacks, the temp ban is enough to show the behavior in logs.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JDCamAuthor Commented:
the settings available seem to have no effect.
Out of frustration, I had to renew the support to get access to the help desk.
Answer was quick.... Its a known bug in the version and I need to upgrade to resolve.
Not want I wanted to hear, but at least its a answer.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

JDCamAuthor Commented:
Points for the attempt
AlanConsultantCommented:
Hi JD,

You should mark your own answer as the one that solved the problem so that you don't mislead others who find this later.

You can still give all (or maybe all but one) of the points to aleghart.

Alan.
aleghartCommented:
Agreed.  Mine was _a_ correct answer for the config.  But not the only correct answer.  Your own solutions count...and are helpful to people searching.
JDCamAuthor Commented:
Ok thanks.  There doesn't appear to be the ability to change the points once it is closed.
Will keep in mind for next time
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
FTP

From novice to tech pro — start learning today.