Hosting SFTP accounts inaccessible

SFTP for my servers seems not to be working for all accounts. I’m sure that the username and password are correct. However, I think that I entered them wrong a few times before they got blocked.

  • Predrag Dubajic
    • Support

    Hey Tony,

    There seems to be a limit of two attempts with the SFTP login, and after that the IP gets blocked. I was able to replicate the same thing on one of my installations.

    I have pinged our devs about this to check what’s the lockout time and how it can be whitelisted again.

    I was able to get it working again by using a VPN to change my IP, so that can be used as a temp solution until we have further info to share.

    Best regards,

    Predrag

  • Tony G
    • Mr. LetsFixTheWorld

    I appreciate that there is an IP ban. It’s protection for all of us. And I appreciate the offer to whitelist my IP. It would be easy to say “yes, please fix My problem” but that would be a bit selfish. And if my “mostly static” IP with my local cable/net provider changes then we’d be back to start.

    So for a broader solution it would be better if I just used the right password, and, now that I know there is a 6-hour block, I can wait as a penalty for my folly. :)

    But to slightly improve on this situation I’ll propose some enhancements:

    1) A notification in the Hosting area when IPs have been blocked … In this case no one had any idea what was happening, including support. We treated it as a problem for lack of other information.

    2) An email notification when an IP is banned. I feel a need to add the word “duh” here.

    3) A one-hour IP ban.

    4) An option in the Hosting area to disable the ban for a specific IP.

    5) Before banning an IP, check it in a site-specific list, whether .htaccess or otherwise.

    6) If .htaccess doesn’t work, consider a textbox in the Hosting management area for whitelisted IPs.

    7) This could be a security risk, though a small one: Auto-whitelist IPs that have had a successful login within the last 24 hours.

    Just implement one of the above, and I think this situation can be readily resolved/avoided for most of us.

    Thanks!

  • Predrag Dubajic
    • Support

    Hi Tony,

    This protection was added to prevent bots from taking advantage. When you reported the issue it was discussed further, and the sysadmins are already working on tweaking the number of attempts in a set time so it will not affect regular users so quickly but will rather be focused on bot behavior, so this shouldn’t happen again after the change :)

    I will also pass your suggestions over to them for further discussion.

    Best regards,

    Predrag
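
The lockout policy discussed in this thread, as an added example that is not part of the thread and not the host's actual implementation: failures are counted inside a time window, the ban expires after one hour (suggestion 3), an allowlist and a recent-success exemption skip the count (suggestions 6 and 7), and each ban queues a notification (suggestions 1 and 2). The class name, the threshold of 5 failures in 10 minutes, and the sample events are assumptions.

```python
from collections import defaultdict, deque

class LoginLockout:
    """Ban an IP after max_failures failed logins inside `window` seconds."""
    def __init__(self, max_failures=5, window=600, ban_seconds=3600,
                 allowlist=(), success_grace=86400):
        self.max_failures, self.window = max_failures, window  # assumed values
        self.ban_seconds = ban_seconds       # suggestion 3: one-hour ban
        self.allowlist = set(allowlist)      # suggestion 6: per-site allowlist
        self.success_grace = success_grace   # suggestion 7: 24 h after a good login
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> ban expiry time
        self.last_success = {}               # ip -> time of last good login
        self.notifications = []              # suggestions 1-2: surface bans to the owner

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record(self, ip, ok, now):
        """Process one attempt; return 'ok', 'failed', 'banned' or 'rejected'."""
        if self.is_banned(ip, now):
            return "rejected"                # banned IPs are refused before auth
        if ok:
            self.last_success[ip] = now
            self.failures.pop(ip, None)
            return "ok"
        # Exempt IPs still fail the login but are not counted toward a ban.
        exempt = (ip in self.allowlist or
                  now - self.last_success.get(ip, float("-inf")) < self.success_grace)
        if exempt:
            return "failed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            recent.clear()
            self.notifications.append(f"{ip} banned until t={now + self.ban_seconds}")
            return "banned"
        return "failed"

# Constructed events (seconds, ip, login_ok); IPs are documentation addresses.
EVENTS = [(0, "203.0.113.7", True)] + [(60 + i, "203.0.113.7", False) for i in range(6)] \
       + [(100 + i, "198.51.100.9", False) for i in range(6)]

def replay(events, **policy):
    guard = LoginLockout(**policy)
    return [guard.record(ip, ok, t) for t, ip, ok in events], guard
```

Replaying with `success_grace=0` shows the trade-off in suggestion 7: without the exemption, the address that logged in successfully is banned on its fifth mistyped password just like the unknown one.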