Lock for aaa.bbb.ccc.dd does not work, if aaa.bbb.ccc.ddd is already locked?

Open stiinek opened this issue 4 years ago • 3 comments

Hello, IDDS has already hard locked 176.113.115.151. An intrusion from 176.113.115.15 was detected; after 10 attempts the IP is listed as hard locked in the Current locks tab, but there is no line about the hard lock in the Security log tab, and the IP is also not added to the FW rule.

Same situation also with the pair 92.63.194.36 and 92.63.194.3.

stiinek avatar Apr 08 '20 09:04 stiinek

Is Windows Firewall running?

How many IP addresses are already locked out?

Max

maxemilian avatar Apr 08 '20 09:04 maxemilian

Yes, FW is running, and other new IPs are blocked correctly. Pair 176.113.115.151/176.113.115.15 spotted on two different machines, 300 hard locks on first, 600 on second.

stiinek avatar Apr 08 '20 09:04 stiinek

Hi, I confirm that issue. I think the mistake is in the function IsLocked. To fix it, we have to change how we check if an address is already blocked.

Something like this:

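    // Requires: using System; using NetFwTypeLib;
    internal bool IsLocked(string ipAddress) {
        string AddressList;
        try {
            INetFwRule rule = GetRule(GetRuleName("BlockAttacker", 0));
            // Wrap list and address in commas so only a whole entry matches:
            // ",176.113.115.15," is not a substring of ",176.113.115.151,".
            AddressList = "," + rule.RemoteAddresses + ",";
            return AddressList.Contains("," + ipAddress + ",");
            // Previous check, which also matched a prefix of a longer address:
            //return rule.RemoteAddresses.Contains(ipAddress);
        } catch (Exception ex) {
            // EventLog.WriteEntry takes (source, message, type) in that order.
            System.Diagnostics.EventLog.WriteEntry("IsLocked encountered an error: ", ex.Message, System.Diagnostics.EventLogEntryType.Error);
        }
        return false;
    }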

JuanmaSP avatar Jan 17 '21 23:01 JuanmaSP
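
The check proposed above, taken one step further as an added example (not code from the Cyberarms project or from the commenter): it compares parsed list entries instead of delimited substrings, so it also tolerates spaces and, as an assumption here, entries that carry a host mask suffix such as `/255.255.255.255`. The class and method names are hypothetical, and the rule content in `Main` is constructed from the addresses in the report.

```csharp
using System;
using System.Linq;
using System.Net;

static class LockListCheck {
    // Substring test, as in the commented-out line of the snippet above.
    public static bool ContainsSubstring(string remoteAddresses, string ip) {
        return remoteAddresses.Contains(ip);
    }

    // Exact test: parse every comma-separated entry and compare addresses.
    public static bool ContainsAddress(string remoteAddresses, string ip) {
        IPAddress wanted;
        if (string.IsNullOrEmpty(remoteAddresses) || !IPAddress.TryParse(ip, out wanted))
            return false;
        return remoteAddresses.Split(',')
            .Select(entry => entry.Trim())
            .Any(entry => IsHostEntry(entry, wanted));
    }

    // True when entry is "a.b.c.d" or "a.b.c.d/<host mask>" for the wanted address.
    // Ranges, subnets and keywords never count as a lock on one host.
    static bool IsHostEntry(string entry, IPAddress wanted) {
        string[] parts = entry.Split('/');
        IPAddress address;
        if (parts.Length > 2 || !IPAddress.TryParse(parts[0], out address))
            return false;
        if (!address.Equals(wanted))
            return false;
        // Assumption: a host entry may be stored with an explicit /32 mask.
        return parts.Length == 1 || parts[1] == "255.255.255.255" || parts[1] == "32";
    }

    static void Main() {
        // Constructed rule content: both longer addresses from the report are locked.
        string locked = "176.113.115.151/255.255.255.255, 92.63.194.36";
        foreach (string ip in new[] { "176.113.115.15", "92.63.194.3", "92.63.194.36" }) {
            Console.WriteLine("{0,-15} substring={1,-5} exact={2}",
                ip, ContainsSubstring(locked, ip), ContainsAddress(locked, ip));
        }
    }
}
```

The substring test reports the two shorter addresses as already locked, which is the symptom described in this issue; the exact test reports only 92.63.194.36 as locked.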