Blacklist Support


9.9A

Blacklist IP support in the PWS server prevents connections from IP addresses found in the list. The blacklist IP support is implemented to support both non-SSL IP filtering and SSL socket operations.

 

The basic blacklist operations are implemented:

 

1.   Pre-load a blacklist file that defines a set of IP addresses to reject immediately when detected. This is available for both non-SSL and SSL blacklist support.

2.   Monitor the current blacklist IP addresses to reject, and track accept logon attempts made against the PWS server.

3.   PWS commands '-br', '-bd', and '-bl' have been added to manage the PWS blacklist operations.

4.   The non-SSL support is only enabled when the appropriate blacklist keywords named PLBWEB_BLACKLIST_FILE and PLBWEB_BLACKLIST_REPORT are declared in the 'plbwebsrv.ini' configuration file.

5.   The SSL blacklist support is always enabled to detect and monitor malicious SSL logon attempts which could disrupt PWS SSL logon operations. The new keywords named PLBWEB_SSL_BLACKLIST_FILE and PLBWEB_SSL_BLACKLIST_REPORT can optionally allow the PWS administrator to define the blacklist files. If these keywords are not used, the PWS uses default pre-defined blacklist file names. The SSL blacklist support dynamically detects SSL accept logons that take an excessive amount of time to perform the required SSL accept operations to finish the SSL connection.

6.   The following keywords support the blacklist implementation:

 

PLBWEB_BLACKLIST_FILE
PLBWEB_BLACKLIST_REPORT
PLBWEB_SSL_BLACKLIST_FILE
PLBWEB_SSL_BLACKLIST_REPORT
PLBWEB_SSL_ACCEPT_TIMEOUT
PLBWEB_SSL_ACCEPT_MAX
PLBWEB_SSL_LOCKOUT_MAX

Note the following:

1.    The following plbwebsrv.exe commands manage the blacklist operations:

plbwebsrv -br (reset blacklist)
This command causes the PWS server to clear all of the current blacklist data. See the 'non-SSL' and 'SSL' descriptions for specific details on the reset blacklist operation.
plbwebsrv -bd (dump blacklist)
This command causes the PWS server to dump the current PWS blacklist data into a dump file, using the same data format that is expected when pre-loading blacklist data. See the 'non-SSL' and 'SSL' descriptions for specific details on the dump blacklist operation.

 

The data in the dump file has a format which is the same as expected when a blacklist is pre-loaded. The data format can be partial or exact IP addressing using this format:

 

nnn.nnn.nnn.nnn //Exact IP address

nnn.nnn.nnn. //Partial IP address

nnn.nnn. //Partial IP address

nnn. //Partial IP address

Example:

 

112

156.112

192.168.1.22

192.168.1.23

192.168.1.5
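The following Python sketch is an added example, not PWS code: it loads a file in the format above, tests peer addresses against it, and lists entries made redundant by a shorter partial entry. It assumes that a partial entry matches whole leading octets and that the trailing dot is optional; the function names are hypothetical.

```python
# Assumption: a partial entry matches whole leading octets, and its trailing
# dot is optional (the page shows both "112." and "112").
SAMPLE_BLACKLIST = """\
112
156.112
192.168.1.22
192.168.1.23
192.168.1.5
"""  # entries copied from the page's example


def _octets(text, min_parts):
    """Split dotted text into a tuple of ints, rejecting anything malformed."""
    parts = text.split(".")
    if not (min_parts <= len(parts) <= 4 and all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts)):
        raise ValueError(f"not an IPv4 address or prefix: {text!r}")
    return tuple(int(p) for p in parts)


def parse_blacklist(text):
    """Return each entry as a tuple of 1-4 octets; fewer than 4 is a partial."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            entries.append(_octets(line[:-1] if line.endswith(".") else line, 1))
    return entries


def is_blacklisted(peer_ip, entries):
    """True when the peer's leading octets equal any entry."""
    peer = _octets(peer_ip, 4)
    return any(peer[:len(entry)] == entry for entry in entries)


def shadowed_entries(entries):
    """Entries already covered by a shorter partial entry (redundant lines)."""
    return [e for e in entries
            if any(len(p) < len(e) and e[:len(p)] == p for p in entries)]
```

Comparing octets rather than text keeps the exact entry 192.168.1.5 from matching 192.168.1.50, and the partial entry 112 from matching 11.2.0.1.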

plbwebsrv -bl (output a blacklist listing)
This command causes the PWS server to output the current PWS blacklist data into a report/listing file. See the 'non-SSL' and 'SSL' descriptions for specific details on the listing blacklist operation.

 

The data in the listing file gives each blacklist IP address and the current usage count of that IP. The format of the listing output data is as follows:

 

1 Locked I/P Address 112. has 0 hits

2 Locked I/P Address 156.112. has 0 hits

3 Locked I/P Address 192.168.1.12 has 11 hits

4 Error I/P Address 192.168.1.22 has 2 hits

5 Locked I/P Address 192.168.1.23 has 0 hits

6 Locked I/P Address 192.168.1.5 has 0 hits

Where:

Locked
Indicates that the IP address(es) are locked out and not allowed to make a connection to the PWS server.
Error
Indicates that the IP address(es) have caused a logon accept failure at least 1 time. However, the IP is not locked out.
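For monitoring, the listing file can be parsed and triaged by state and usage count. The Python sketch below is an added example, not PWS code; the function names and the three triage buckets are assumptions, and the sample lines are the listing shown above.

```python
import re

SAMPLE_REPORT = """\
1 Locked I/P Address 112. has 0 hits
2 Locked I/P Address 156.112. has 0 hits
3 Locked I/P Address 192.168.1.12 has 11 hits
4 Error I/P Address 192.168.1.22 has 2 hits
5 Locked I/P Address 192.168.1.23 has 0 hits
6 Locked I/P Address 192.168.1.5 has 0 hits
"""  # listing lines copied from the page's example

LINE_RE = re.compile(
    r"^\s*\d+\s+(Locked|Error)\s+I/P Address\s+(\S+)\s+has\s+(\d+)\s+hits\s*$")


def parse_report(text):
    """Return (rows, rejects); rejects are non-blank lines that did not parse."""
    rows, rejects = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        match = LINE_RE.match(raw)
        if match is None:
            rejects.append(raw)
            continue
        state, ip, hits = match.groups()
        rows.append({"state": state, "ip": ip, "hits": int(hits),
                     "partial": ip.endswith(".")})
    return rows, rejects


def triage(rows):
    """Group rows for review, highest usage count first."""
    ordered = sorted(rows, key=lambda row: -row["hits"])

    def pick(state, want_hits):
        return [(r["ip"], r["hits"]) for r in ordered
                if r["state"] == state and (r["hits"] > 0) == want_hits]

    return {
        "locked_active": pick("Locked", True),   # locked out, non-zero usage count
        "locked_idle": pick("Locked", False),    # locked out, usage count of 0
        "watch": pick("Error", True) + pick("Error", False),  # failing, not locked
    }
```

Lines that do not match the listing format are returned separately instead of being dropped, so a format change shows up in the review.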

Blacklist for non-SSL socket accept operations:

 

The non-SSL blacklist support is only enabled when the PLBWEB_BLACKLIST_FILE keyword is declared in the 'plbwebsrv.ini' configuration file settings. If this keyword does not exist in the PWS INI, the PWS server does not enable non-SSL blacklist monitoring. When the non-SSL blacklist monitoring is enabled, the PWS performs the following operations:

 

1.   The file specified by the PLBWEB_BLACKLIST_FILE keyword pre-loads a user-defined IP blacklist when the PWS starts. If this keyword is not specified in the 'plbwebsrv.ini' configuration, the PWS does not perform the non-SSL IP blacklist filtering. If the PWS option '-br' or '-bd' is executed, this keyword file is used for non-SSL support.

 

PLBWEB_BLACKLIST_FILE={[path]+filename}

 

2.   The PLBWEB_BLACKLIST_REPORT keyword specifies the output file that receives the non-SSL IP blacklist when the PWS command option '-bl' is executed.

 

PLBWEB_BLACKLIST_REPORT={[path]+filename}

 

3.   When a non-SSL logon occurs, the PWS matches the new accept logon peer IP to the current IP blacklist. If the new logon IP is found on the IP blacklist, the connection is immediately closed before any TCP/IP communications are attempted.

 

4.   The new PWS command options '-br', '-bd', and '-bl' can be used to reset, dump, or list the current non-SSL blacklist IP addresses only when the PLBWEB_BLACKLIST_FILE and/or PLBWEB_BLACKLIST_REPORT keywords are used.

Blacklist Keywords:

PLBWEB_BLACKLIST_FILE={[path]+filename}
This keyword specifies the filename used to pre-load the blacklist IP addresses used for non-SSL IP filtering. If this keyword is not used, the PWS does not perform any blacklist IP filtering.
PLBWEB_BLACKLIST_REPORT={[path]+filename}
This keyword specifies the filename used to output the current non-SSL blacklist IP addresses being used for non-SSL IP filtering along with the usage/activity count for the IP.

PWS commands used when PLBWEB_BLACKLIST_FILE and PLBWEB_BLACKLIST_REPORT keywords are used:

plbwebsrv -br (reset blacklist)
plbwebsrv -bd (dump blacklist)
plbwebsrv -bl (output a blacklist report)

 

Blacklist for SSL socket operations:

 

The SSL blacklist support is always enabled to detect and monitor malicious or unexpected SSL logon attempts which can disrupt PWS SSL logon operations. There are two new keywords named PLBWEB_SSL_BLACKLIST_FILE and PLBWEB_SSL_BLACKLIST_REPORT that allow a PWS administrator to define the SSL blacklist file which contains blacklist IP addresses to be filtered. If these keywords are not used, the PWS uses default pre-defined blacklist file names as follows:

plbwebsrv_ssl_blacklist.txt
plbwebsrv_ssl_blacklist_report.txt

 

The PWS performs the following operations for the SSL blacklist monitoring:

 

1.   The SSL blacklist support dynamically detects SSL accept logons that take an excessive amount of time to perform the required SSL accept operations to finish the SSL connection.

2.   The file specified by the PLBWEB_SSL_BLACKLIST_FILE keyword pre-loads and outputs an IP blacklist when the PWS starts. If this keyword is not specified in the 'plbwebsrv.ini' configuration, the PWS uses the default file name 'plbwebsrv_ssl_blacklist.txt' to pre-load and/or receive the dumped blacklist IP addresses. If the PWS option '-br' or '-bd' is executed, the current blacklist data can be reset or dumped using the current blacklist IP data file.

 

PLBWEB_SSL_BLACKLIST_FILE={[path]+filename}

 

3.   The PLBWEB_SSL_BLACKLIST_REPORT keyword specifies the output file that receives the SSL IP blacklist report when the PWS command option '-bl' is executed.

 

PLBWEB_SSL_BLACKLIST_REPORT={[path]+filename}

 

4.   When an SSL logon occurs, the PWS matches the new accept logon peer IP to the current SSL IP blacklist being used. If the new logon IP is found on the IP blacklist and the usage count exceeds the maximum allowed attempt count, the connection is immediately closed before any SSL TCP/IP communications are attempted.

 

5.   The new PWS command options '-br', '-bd', and '-bl' can be used to reset, dump, or list the current SSL blacklist IP addresses when the PWS server is running.

 

6. The PWS server always dumps SSL blacklist data when the server shuts down.

7. Dynamic Blacklist Filtering is always enabled as follows:

 

a. If the PWS SSL logon detects excessive time in a ssl_accept, the

 

1) This time can be configured in seconds using the PLBWEB_SSL_ACCEPT_TIMEOUT keyword.

 

2) When a timeout occurs and the SSL IP logon timeout has occurred an excessive number of times, the SSL IP address is added to the SSL IP blacklist.

 

3) The PWS server always dumps the SSL IP blacklist when the PWS is shut down.

 

b. The number of active ssl_accepts is limited to restrict the number of SSL logon threads that can be executed concurrently. By default the PWS server limits this to 50 concurrent SSL logon operations. The PLBWEB_SSL_ACCEPT_MAX keyword can be used to set the limit from 1 to 100 concurrent SSL logons.

 

c. When an SSL IP LOCKOUT occurs and it becomes permanent on the SSL IP blacklist, an error is logged and an admin MAIL message is sent when it is configured.

Keywords:

PLBWEB_SSL_BLACKLIST_FILE={[path]+filename}
This keyword specifies the file used to pre-load and/or output the SSL blacklist IP addresses used for IP filtering. If this keyword is NOT used, the PWS server defaults to use the file named 'plbwebsrv_ssl_blacklist.txt' when pre-loading or dumping IP filtering data.
PLBWEB_SSL_BLACKLIST_REPORT={[path]+filename}
This keyword specifies the file used to output the current SSL blacklist IP addresses along with the usage/activity count for the IP. If this keyword is NOT used, the PWS server defaults to use the file named 'plbwebsrv_ssl_blacklist_report.txt'.
PLBWEB_SSL_ACCEPT_TIMEOUT={seconds}
This keyword specifies the elapsed timeout, given in seconds, to wait when an SSL logon accept connection is being made. If this timeout occurs, the IP is either added or updated in the SSL blacklist data. The {seconds} valid range is: minimum 10 seconds and maximum of 600 seconds. If this keyword is not used, the PWS server defaults to use 60 seconds.
PLBWEB_SSL_ACCEPT_MAX={acceptmax}
This keyword specifies the maximum number of concurrent SSL accept logons. If this keyword is not used, the PWS server defaults to allow 50 concurrent SSL accept logons. The {acceptmax} valid range is: minimum 5 and maximum 100.
PLBWEB_SSL_LOCKOUT_MAX={lockoutmax}
This keyword specifies the maximum number of SSL IP logon accept timeout events that can occur before a specific IP address is added to the SSL blacklist. After an SSL peer IP address is added to the SSL blacklist, connections from that SSL IP address are immediately closed upon detection until the IP address is removed from the SSL blacklist by the PWS administrator. An SSL IP address can ONLY be removed by editing the SSL blacklist data file as defined by the PLBWEB_SSL_BLACKLIST_FILE keyword or the default file being used. If this keyword is not used, the PWS server defaults to allow a maximum of 5 SSL logon accept errors. The {lockoutmax} valid range is: minimum of 1 and the maximum is unlimited.
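A configuration review can check these keywords against the documented defaults and ranges before the server is started. The Python sketch below is an added example, not PWS code; it assumes the keywords appear in 'plbwebsrv.ini' as plain KEYWORD=value lines with exact-case names, and the function names and sample INI content are constructed.

```python
SSL_RANGES = {  # keyword: (default, minimum, maximum; None = unlimited)
    "PLBWEB_SSL_ACCEPT_TIMEOUT": (60, 10, 600),
    "PLBWEB_SSL_ACCEPT_MAX": (50, 5, 100),
    "PLBWEB_SSL_LOCKOUT_MAX": (5, 1, None),
}
SSL_FILES = {  # keyword: default file name used when the keyword is absent
    "PLBWEB_SSL_BLACKLIST_FILE": "plbwebsrv_ssl_blacklist.txt",
    "PLBWEB_SSL_BLACKLIST_REPORT": "plbwebsrv_ssl_blacklist_report.txt",
}

SAMPLE_INI = """\
PLBWEB_BLACKLIST_REPORT=blacklist_report.txt
PLBWEB_SSL_ACCEPT_TIMEOUT=5
PLBWEB_SSL_ACCEPT_MAX=80
PLBWEB_SSL_LOCKOUT_MAX=0
"""  # constructed sample, not a real configuration


def read_keywords(ini_text):
    """Collect PLBWEB_* keyword lines (assumed to be plain KEYWORD=value)."""
    found = {}
    for raw in ini_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip().startswith("PLBWEB_"):
            found[key.strip()] = value.strip()
    return found


def audit(ini_text):
    """Return (effective, findings) for the blacklist-related keywords."""
    found = read_keywords(ini_text)
    effective = {key: found.get(key) or default
                 for key, default in SSL_FILES.items()}
    findings = []
    if "PLBWEB_BLACKLIST_FILE" not in found:
        findings.append("PLBWEB_BLACKLIST_FILE not declared: "
                        "non-SSL blacklist filtering is not enabled")
    for key, (default, low, high) in SSL_RANGES.items():
        raw = found.get(key)
        if raw is None:
            effective[key] = default          # documented default applies
        elif (raw.isascii() and raw.isdigit() and int(raw) >= low
              and (high is None or int(raw) <= high)):
            effective[key] = int(raw)
        else:                                 # server behaviour is not documented
            findings.append(f"{key}={raw} is outside the documented range")
    return effective, findings
```

Out-of-range values are reported and left out of the effective settings because the page does not say how the server treats them.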

PWS commands used for SSL blacklist are:

plbwebsrv -br (reset SSL blacklist)
plbwebsrv -bd (dump SSL blacklist)
plbwebsrv -bl (output a SSL blacklist report)

