Open stiinek opened 4 years ago
Is Windows Firewall running?
How many IP addresses are already locked out?
Max
From: stiinek notifications@github.com Sent: Wednesday, 8 April 2020 11:39 To: EFTEC/Cyberarms Cyberarms@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: [EFTEC/Cyberarms] Lock for aaa.bbb.ccc.dd does not work, if aaa.bbb.ccc.ddd is already locked? (#13)
Hello, IDDS have already hard locked 176.113.115.151. Intrusion from 176.113.115.15 detected, after 10 attempts IP listed as hard locked in Current locks tab, but no line about hard lock in Security log tab, and also IP not added to FW rule.
Same situation also with pair 92.63.194.36 and 92.63.194.3
Yes, FW is running, and other new IPs are blocked correctly. Pair 176.113.115.151/176.113.115.15 spotted on two different machines, 300 hard locks on first, 600 on second.
Hi, I confirm that issue. I think the mistake is in the function IsLocked. To fix it we have to change how we check if an address is already blocked.
Something like this:
```csharp
internal bool IsLocked(string ipAddress) {
    string AddressList;
    try {
        INetFwRule rule = GetRule(GetRuleName("BlockAttacker", 0));
        // Wrap the list and the address in commas so only a whole entry can match.
        AddressList = "," + rule.RemoteAddresses + ",";
        return AddressList.Contains("," + ipAddress + ",");
        // Previous check: plain substring search over the whole list.
        //return rule.RemoteAddresses.Contains(ipAddress);
    } catch (Exception ex) {
        System.Diagnostics.EventLog.WriteEntry("IsLocked encountered an error: ", ex.Message, System.Diagnostics.EventLogEntryType.Error);
    }
    return false;
}
```
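The prefix collision discussed in this thread, as an added example (not code from the Cyberarms project or from any commenter): a substring check over the rule's address list next to a per-entry comparison of parsed addresses. It assumes entries in the list may carry a single-host mask suffix such as `/255.255.255.255` or `/32`; `LockListCheck`, `ContainsSubstring` and `ContainsExact` are hypothetical names, and the sample list is constructed from the addresses in the report.

```csharp
using System;
using System.Net;

static class LockListCheck {
    // Substring search over the whole list: any address that is a textual
    // prefix of a listed address is reported as already present.
    public static bool ContainsSubstring(string remoteAddresses, string ip) {
        return !string.IsNullOrEmpty(remoteAddresses) && remoteAddresses.Contains(ip);
    }

    // Per-entry check: split on commas, drop a single-host mask suffix
    // (assumed format), then compare parsed addresses instead of strings.
    public static bool ContainsExact(string remoteAddresses, string ip) {
        IPAddress wanted;
        if (string.IsNullOrEmpty(remoteAddresses) || !IPAddress.TryParse(ip, out wanted)) {
            return false;
        }
        foreach (string raw in remoteAddresses.Split(',')) {
            string entry = raw.Trim();
            int slash = entry.IndexOf('/');
            if (slash >= 0) {
                string mask = entry.Substring(slash + 1);
                // Wider subnets are not single-host locks; skip them here.
                if (mask != "32" && mask != "255.255.255.255") continue;
                entry = entry.Substring(0, slash);
            }
            IPAddress listed;
            // Ranges ("a-b") and keywords fail to parse and are skipped.
            if (IPAddress.TryParse(entry, out listed) && listed.Equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    static void Main() {
        // Constructed sample: two locked addresses, one with a mask suffix.
        string list = "176.113.115.151/255.255.255.255,92.63.194.36";
        foreach (string ip in new[] { "176.113.115.15", "176.113.115.151", "92.63.194.3" }) {
            Console.WriteLine("{0}: substring={1} exact={2}", ip,
                ContainsSubstring(list, ip), ContainsExact(list, ip));
        }
    }
}
```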