Titan FTP Server - Client keeps getting IP banned for bad user ID

JDCam
JDCam used Ask the Experts™
on
We use TITAN FTP server v11.x.
Having an issue where a clients IP keeps getting blacklisted.
In the logs, i can see that they are logging in with the wrong user ID one time and immediately getting banned.
In settings at user level I have turned off the settings to ban after X attempts, and added their IP to the Client level whitelist.

Logs are below showing the user getting banned. Any idea why the action is so quick and severe? any way to make it a little more forgiving ?

2018-03-01 12:53:37 [2/1256/84c] New incoming connection from IP address: 65.116.210.66, port: 40982, socket=1488
2018-03-01 12:53:37 [2/1256/84c] OnPostCreation(pBaseCxn=0x852fb80,socket=1488), sending the '220 Welcome' message
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 220 Titan FTP Server 11.30.2350 Ready.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: USER [dayco@ftp.completeshipping.ca] ***
2018-03-01 12:53:37 [2/1488/84c] Trying to find user:dayco@ftp.completeshipping.ca
2018-03-01 12:53:37 [2/1488/84c] User "dayco@ftp.completeshipping.ca" not found, we will fail in PASS.; returning 331
2018-03-01 12:53:37 [2/1488/84c] FindUserEx("dayco@ftp.completeshipping.ca") returned Success.
2018-03-01 12:53:37 [2/1488/84c] Adding random sleep activity for 23ms to deter hacker from realizing username is invalid
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 331 User name okay, need password.
2018-03-01 12:53:37 [2/1488/84c] COMMAND: PASS <hidden>
2018-03-01 12:53:37 [2/1488/84c] User "dayco@ftp.completeshipping.ca" not found; returning 530
2018-03-01 12:53:37 [2/1488/84c] RESPONSE: 530 Not logged in.
2018-03-01 12:53:38 [2/1488/84c] COMMAND: TYPE [A] ***
2018-03-01 12:53:38 [2/1488/84c] RESPONSE: 200 Type set to A.
2018-03-01 12:53:38 [2/1488/84c] COMMAND: SITE [NAMEFMT 1] ***
2018-03-01 12:53:38 [2/1488/84c] _doPrecheck() - Invalid UserID or UserParams; returning 530
2018-03-01 12:53:38 [2/1488/84c] _precheck() is failing, closing control connection via KickSession
2018-03-01 12:53:38 [2/1488/84c] _doprecheck() failed; returning 530
2018-03-01 12:53:38 [2/1488/84c] RESPONSE: 530 Not logged in.
2018-03-01 12:53:38 [2/1488/84c] DoSendReply() will return an error to KickUserNow. bKickUserNow=1
2018-03-01 12:53:38 [2/1256/84c] Closed connection from IP address: 65.116.210.66, port: 40982
2018-03-01 12:53:38 [2/1256/848] New incoming connection from IP address: 65.116.210.66, port: 15165, socket=1476
2018-03-01 12:53:38 [2/1256/848] ALERT: Client IP 65.116.210.66 banned, rejecting connection

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
AlanConsultant

Commented:
Hi,

I have no experience with that particular software, but one thing I would try is to re-enable the 'settings to ban after X attempts' and change X to something big (9,999,999 or whatever it will take).

Just a shot in the dark, but worth a try.

Good luck!

Alan.
Check the config.  From the docs I see, it's near:  Server > Connections > IP Access.

There are two ways to ban.  Permanently or X-minutes.  Use a 1-minute ban for you users who are keying in passwords manually, and tripping the system.  If 1-minute bans are not sufficient to annoy hack attempts, you can make it 5 minutes.  Frustrating, but survivable, for a fat-fingered user.  For scripted attacks, the temp ban is enough to show the behavior in logs.

Author

Commented:
the settings available seem to have no effect.
Out of frustration, I had to renew the support to get access to the help desk.
Answer was quick.... Its a known bug in the version and I need to upgrade to resolve.
Not want I wanted to hear, but at least its a answer.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Points for the attempt
AlanConsultant

Commented:
Hi JD,

You should mark your own answer as the one that solved the problem so that you don't mislead others who find this later.

You can still give all (or maybe all but one) of the points to aleghart.

Alan.
Agreed.  Mine was _a_ correct answer for the config.  But not the only correct answer.  Your own solutions count...and are helpful to people searching.

Author

Commented:
Ok thanks.  There doesn't appear to be the ability to change the points once it is closed.
Will keep in mind for next time

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial