IP Added to Ban List Event
This Event is triggered when an IP address is added to the ban list by the system (not manually by an administrator). Administrators can configure Event Rules to capture this Event and send notifications or write to logs.
To define an IP Added to Ban List Event
-
Follow the procedures in Defining Event Rules.
-
In the Create New Rule dialog box, under Site Events, click IP Added to Ban List, and then click OK. The new Rule appears in the Rule Builder.
-
Add any (optional) Conditions (for example, If Event Reason, If Remote IP, If Server Running, etc.) and one or more Actions (for example, Send notification email).
-
The possible Event Reasons include DoS/Flood prevention trigger (permanent or temporary), Invalid password attempts exceeded, and Invalid username attempts exceeded.
-
Click Apply to save the Rule. The Rule appears similar to the Rule below.
IP Access-related Event Rules are limited to 50,000 rules. This can be increased with the advanced properties IPRulesLimit and AutobanLimit, however, you could experience performance issues at higher limits.
If the limit is reached, rather than not adding the IP, EFT performs a FIFO operation, adding the newly banned IPs, and removing the oldest banned IP (ONLY for auto-banned IPs; manually added IPs cannot be automatically removed.)
If an IP had to be removed, a WARNING is sent to the eft.log, indicating that a new IP has been added, and oldest IP has been dropped as the list is full. The DMZ Gateway has a correspondingly large list to handle any IPs passed to it by EFT.
Refer to the Knowledgebase article https://kb.globalscape.com/Knowledgebase/10877/Adjust-IP-Access-Rule-Count-Limit-and-IP-Auto-Ban-List-limit for more information.