Locks do not work anymore

[futurecomm]

We discovered that the locks (here RDP) do not Keep the attackers away on various systems. The IP's get locked and are Show in the lock table but the attacker is still able to brute force. On some systems there'is also an unlock error, that may be a hint. Reinstalling does not solve the problem.

[johanthegreat]

I experience the same troubles.
I discovered a fix. If I delete the attackers IP-address from the list, the program again locks it again after a while, and the intruder is locked out. The problem is that my list is getting very long, over 1000 entries, and there is not filterfunction to look for a specific IP, so its too much work to manually look one IP up and then delete it and then wait for it to be added (and blocked) again.

[futurecomm]

We found the problem inbetween. IDDS blocks all IP adresses in one firewall rule called "Blocked by Cyberarms Intrusion Detection_BlockAttacker_AllPorts" and the rule can only store several IP adresses to block (256? or less?). You can delete the rule to get blocking of actual IPs running again (IDDS will create a new rule). Or you can rename the rule to block the collected adresses permanently.
Due to this firewall limitation IDDS needs to spread the blocks to many rules or create rules for different source networks.

[maxemilian]

This problem is caused by the setting "Never unlock". As the IP addresses within a Windows Firewall rule are limited by number of characters, the maximum number of locks can be around 1000-1200 addresses.
Please do not use the unlock forever feature, because it causes issues with overflowing the firewall limits.

[johanthegreat]

I have now more than 3000 IP-locks. I was running it with permanent locks, I want those bastards to be locked out forever (!!!)
After some hours trying different solutions I had to delete cyberarms.idds.dbf, and after that I had to delete the rule created by cyberarms in windows firewall. That also made all other configuration disappear like my whitelist, which I had to create all over.
If now windows have this limitation (256, 1000 or whatever), it would be good to have cyberarms to automatically create a second, and a third rule to split them up in windows firewall. I tried to manually copy the rule, but then just one more rule with exactly the same name showing up, which I guess cyberarms will not be able to start over.
ok, thats all for now.

[maxemilian]

Hi Johan That’s right. The software currently supports only the single rule. On systems under heavy attack, it might not make sense to lock the guys forever. They might use 100.000 bots to attack your system – which will end up with very poor performance, as the firewall has to check against the rules on every connection request. The single attacking system is not that important to script kiddies who are having their bot net. The lockout forever feature was requested by a former customer and makes only sense when you just have a couple of idiots trying to hack you. In case of a DDoS attack or distributed break in attempt, it could fasten the DDoS. Having the default setting in place, Cyberarms blocks the brute force attack in the first few attempts which slows down the process. If one bot has about three to five attempts per 30 minutes, it will be impossible to crack passwords within thousands of years, whereas thousands attempts per second (without IDDS) might crack it within days. Best regards Max Maxemilian Hilbrand (Software & Systeme) CH: +41 71 511 722 0 AT (mobile): +43 660 703 92 54 <mailto:maxemilian.hilbrand@isicore.com> maxemilian.hilbrand@isicore.com isicore AG • Unterlettenstrasse 14 • CH-9443 Widnau Gerichtsstandort CH-9450 Altstätten, UID CHE-110.354.078 Verwaltungsratspräsident: Maxemilian Hilbrand <http://www.isicore.com/> www.isicore.com I <mailto:info@isicore.com> info@isicore.com Von: johanthegreat <notifications@github.com> Gesendet: Montag, 12. November 2018 14:15 An: EFTEC/Cyberarms <Cyberarms@noreply.github.com> Cc: Maxemilian Hilbrand <maxemilian.hilbrand@isicore.de>; Comment <comment@noreply.github.com> Betreff: Re: [EFTEC/Cyberarms] Locks do not work anymore (#4) I have now more than 3000 IP-locks. I was running it with permanent locks, I want those bastards to be locked out forever (!!!) After some hours trying different solutions I had to delete cyberarms.idds.dbf, and after that I had to delete the rule created by cyberarms in windows firewall. That also made all other configuration disappear like my whitelist, which I had to create all over. If now windows have this limitation (256, 1000 or whatever), it would be good to have cyberarms to automatically create a second, and a third rule to split them up in windows firewall. I tried to manually copy the rule, but then just one more rule with exactly the same name showing up, which I guess cyberarms will not be able to start over. ok, thats all for now. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#4 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AEgOwOeMl1eopTxvJve_MlEltSeU9nUbks5uuXRWgaJpZM4XXK2-> . <https://github.com/notifications/beacon/AEgOwCskGbki2GZAcFQqk7uu_Sdft7eRks5uuXRWgaJpZM4XXK2-.gif>

[johanthegreat]

Hello again.
I submitted a screenshot here. It shows that several hundreds of attempts within a single day gets through. I have now also changed to the default settings, how is this possible?
Best regards, Johan

[oleksandrkyselov]

It is still an issue currently at version 2.2.0

[maxemilian]

The new version 2.3 will be available soon. The lockout forever function will be removed because of those issues. We will cover the problem with persistent annoying attackers in a different and more global way in the near future.

[kazan-priv]

Sorry to bring up this old topic but problem seems to be quite serious.
There sems to be a serious issue with ver 2.2.0 (unless I'm missing something) where under heavy bruteforce attack software doesn't lock IP (doesn't add IP to Cyberarms' firewall rule). I never had "Hard lock forever" enabled. Cyberarms' firewall rule contains about 5 IPs.
My settings:

As you can see below there are thousands of incidents and IP was never locked. Any suggestions?

[maxemilian]

Kazan Can you please check if the Windows Firewall Policy is enabled? Thank you Max Von: kazan ***@***.***> Gesendet: Donnerstag, 22. Dezember 2022 11:49 An: EFTEC/Cyberarms ***@***.***> Cc: Maxemilian Hilbrand ***@***.***>; Comment ***@***.***> Betreff: Re: [EFTEC/Cyberarms] Locks do not work anymore (#4) Sorry to bring up this old topic but problem seems to be quite serious. There sems to be a serious issue with ver 2.2.0 (unless I'm missing something) where under heavy bruteforce attack software doesn't lock IP (doesn't add IP to Cyberarms' firewall rule). I never had "Hard lock forever" enabled. Cyberarms' firewall rule contains about 5 IPs. My settings: <https://user-images.githubusercontent.com/11707335/209116770-354ba9a3-d985-4b74-9657-fedb848ccf2d.png> As you can see below there are thousands of incidents and IP was never locked. Any suggestions? <https://user-images.githubusercontent.com/11707335/209117037-12aff8cd-875e-4e6c-b63f-11d0b51f2cf9.png> — Reply to this email directly, view it on GitHub <#4 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABEA5QEUPXH7DCJ6G46S6JTWOQW2RANCNFSM4F24VW7A> . You are receiving this because you commented. <https://github.com/notifications/beacon/ABEA5QHGA6RQ3DSHWXT3XWDWOQW2RA5CNFSM4F24VW7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOKE4PW7I.gif> Message ID: ***@***.***>

[kazan-priv]

Yes, firewall policy is enabled. I've been using Cyberarms since very long time and it works "9 out of 10 times".
I've seen people having similar problems like this one and there might be something in it as IP which was not locked was 5.181.86.12 and there was already similiar IP 5.181.86.22 which was alredy locked (you can't see it on my screenshot as it was much lower).