Welcome to the VanDyke Software Forums

#1
10-16-2013, 08:39 AM
jimbobmcgee
Registered User

Join Date: Apr 2005
Posts: 20
Alternative means to handle failed authentications

I'm having some trouble preventing spurious connections to my load balanced SFTP servers, because the load balancer proxies the connection to the server, thus obscuring the source IP with its own (making the Deny Hosts feature effectively useless).

I appreciate that the lack of SSH inspection is a limitation of the load balancer in question (and not VShell), so I've started looking at possible alternatives, both leveraging the Authentication Failed trigger to do either of the following:
  1. Tally the source port (as determined by the load balancer, and seen by VShell) to the source IP (as seen by the load balancer) and deny said source IP in the load balancer's access list (using the load balancer's API)
  2. Wait a number of seconds (i.e. to significantly slow down the rate of automated connection attempts)
I can't do the first, because there is no substitution variable for the client port that I can use in the trigger, so I can't pass the port number to the trigger script without strenuously mining the log file.

I can't do the second, because the trigger appears to run out-of-band, so the wait does not impose itself on the connection in question. This would probably also affect the first since, if the trigger does not wait, the connection could be gone from the load balancer before the script can tally the port to an IP.

Is there any way I can make the trigger run in-band (e.g. can a "wait for exit" option be added to the trigger definition)?

Instead, is there any way a tarpitting-style wait option could be added natively to the VShell app?

Are there any other thoughts on how I might achieve some measure of control over spurious connections (without resorting to taking the service out of load balancing)?

J.
Tags
authentication , triggers , vshell
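
The port-to-IP tally described in option 1 of the post, as an added example that is not part of the original post and is not VanDyke or load balancer vendor code. It assumes the load balancer can export per-session records (client IP, proxy-side source port, open and close times) and that each failed authentication is available as a (time, source port) pair taken from the server log; all names and sample values are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LbSession:          # one proxied connection, as the load balancer logged it
    client_ip: str        # real client address (only the load balancer sees this)
    proxy_port: int       # source port the load balancer used towards the SFTP server
    opened: float         # epoch seconds
    closed: float         # epoch seconds

def resolve_client(sessions, port, when, skew=2.0):
    """Return the client IP whose session used `port` at time `when`, or None.

    Ports are reused, so the port alone is not enough: the failure must fall
    inside the session's lifetime (plus `skew` seconds of clock drift). If
    sessions from different clients both match, nobody is blamed.
    """
    hits = {s.client_ip for s in sessions
            if s.proxy_port == port and s.opened - skew <= when <= s.closed + skew}
    return hits.pop() if len(hits) == 1 else None

def clients_to_deny(sessions, failures, threshold=3):
    """Tally failed authentications per real client IP; return those at or over threshold."""
    tally = Counter()
    for when, port in failures:
        ip = resolve_client(sessions, port, when)
        if ip is not None:
            tally[ip] += 1
    return sorted(ip for ip, n in tally.items() if n >= threshold)

# Constructed sample data (documentation addresses, made-up ports and times).
SESSIONS = [
    LbSession("203.0.113.7", 40001, 100.0, 101.5),
    LbSession("203.0.113.7", 40002, 102.0, 103.0),
    LbSession("198.51.100.9", 40001, 110.0, 140.0),   # port 40001 reused later
    LbSession("203.0.113.7", 40003, 111.0, 112.0),
]
# (time, source port) pairs as the SFTP server would report a failed login.
FAILURES = [(101.0, 40001), (102.5, 40002), (111.5, 40003), (120.0, 40001), (500.0, 40009)]

if __name__ == "__main__":
    print(clients_to_deny(SESSIONS, FAILURES))
```

Because it works from closed-session records and not the live connection table, the lookup still resolves after the connection has gone from the load balancer.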

