Overview

The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and faster at filtering packets sourced from particular IP addresses.

The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature. When the device detects that a user has tried to log in through FTP, Telnet, SSH, SSL, or web a specific number of times without success, it considers the user an invalid user and automatically blacklists the user's IP address to filter subsequent packets sourced from that IP address. This function effectively prevents users from cracking passwords by repeatedly trying to log in.

The device always uses the login failure threshold of 6 and sets the aging time of a dynamic blacklist entry to 10 minutes. These two settings are not configurable. User login failure reasons include wrong username, wrong password, and wrong verification code (for web users).

The device also supports adding and removing blacklist entries manually. Manually configured blacklist entries fall into two categories: permanent and non-permanent. A permanent blacklist entry is always present unless being removed manually, whereas a non-permanent blacklist entry has a limited lifetime depending on your configuration. When the lifetime of a non-permanent entry expires, the device removes the entry from the blacklist, allowing the packets of the IP address defined by the entry to pass through.
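The following is an added example that models the behavior described above (dynamic blacklisting after 6 login failures with a 10-minute aging time, plus manual permanent and non-permanent entries); it is not the device's own code. The class and method names, the per-IP failure counter, and the choice to clear the counter on a successful login are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

LOGIN_FAILURE_THRESHOLD = 6      # fixed on the device, not configurable
DYNAMIC_AGING_SECONDS = 10 * 60  # dynamic entries age out after 10 minutes


@dataclass
class Entry:
    expires_at: Optional[float]  # None means permanent (manual entries only)
    source: str                  # "dynamic" or "manual"


@dataclass
class Blacklist:
    entries: Dict[str, Entry] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)  # assumed per-IP counter

    def _purge(self, now: float) -> None:
        # Remove non-permanent entries whose lifetime has expired.
        for ip, e in list(self.entries.items()):
            if e.expires_at is not None and now >= e.expires_at:
                del self.entries[ip]

    def add_manual(self, ip: str, lifetime: Optional[float] = None, now=None) -> None:
        # lifetime=None creates a permanent entry; otherwise it expires after lifetime seconds.
        now = time.time() if now is None else now
        self.entries[ip] = Entry(None if lifetime is None else now + lifetime, "manual")

    def remove(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def record_login(self, ip: str, success: bool, now=None) -> bool:
        """Feed one login result; return True if this failure blacklisted the IP."""
        now = time.time() if now is None else now
        if success:
            self.failures.pop(ip, None)  # assumption: a success resets the count
            return False
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count < LOGIN_FAILURE_THRESHOLD:
            return False
        existing = self.entries.get(ip)
        if existing is None or existing.expires_at is not None:
            # Do not shorten a permanent manual entry; otherwise (re)start the 10-minute timer.
            self.entries[ip] = Entry(now + DYNAMIC_AGING_SECONDS, "dynamic")
        self.failures.pop(ip, None)
        return True

    def allows(self, ip: str, now=None) -> bool:
        """Packet filter decision: True if packets from ip are allowed through."""
        now = time.time() if now is None else now
        self._purge(now)
        return ip not in self.entries
```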