422
Configuring blacklist
Overview
The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address.
Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering
packets sourced from particular IP addresses.
The device can dynamically add and remove blacklist entries by cooperating with the login user
authentication feature. When the device detects that a user tried to use FTP, Telnet, SSH, SSL, or web to
log in to the device for a specific number of times but failed to log in, it considers the user an invalid user
and automatically blacklists the user's IP address to filter subsequent packets sourced from that IP address.
This function can effectively prevent users from cracking passwords by repeatedly trying to log in.
The device always uses the login failure threshold of 6 and sets the aging time of a dynamic blacklist
entry to 10 minutes. These two settings are not configurable. User login failure reasons include wrong
username, wrong password, and wrong verification code (for web users).
The device also supports adding and removing blacklist entries manually. Manually configured blacklist
entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always
present unless being removed manually, whereas a non-permanent blacklist entry has a limited lifetime
depending on your configuration. When the lifetime of a non-permanent entry expires, the device
removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass
through.
Configuring the blacklist feature
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the blacklist
feature.
blacklist enable Disabled by default.
3. Add a blacklist entry.
blacklist ip source-ip-address
[ timeout minutes ]
Optional.
To add a permanent entry, do not specify
the timeout minutes option.
Displaying and maintaining the blacklist
Task Command Remarks
Display blacklist information.
display blacklist { all | ip source-ip-address [ slot
slot-number ] | slot slot-number } [ | { begin | exclude
| include } regular-expression ]
Available in any view
To Next Page
Loading...
Need help?
General