This is a good thread as there isn't much guidance on IDS blocks. Here is what we are doing with 8,000 users:
Password Brute Force (All Services): 50 failures in 10 minutes and we kill for 30 days
Bad SMTP Sessions (SMTP): 100 bad sessions in 10 minutes and we kill for 30 days
Denial of Service (All Services): 1000 connections in 10 minutes and we kill for 24 hours
Internal Spammer: 1000 messages in 10 minutes and we notify ourselves only
Any suggestions for improvement? Too strong or too lenient? We have been running this for one year and never had a user complain that they were locked out. Feedback is always appreciated.
Thanks!
Ron
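
The thresholds listed in the post above, expressed as a sliding-window evaluator so they can be replayed against your own log data when tuning. This is an added example, not part of the original post or any mail server's code; the event labels, firing on reaching the count, and resetting the counter after a rule fires are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

DAY = 86400
WINDOW = 600  # seconds; every rule in the post uses a 10-minute window

@dataclass(frozen=True)
class Rule:
    name: str
    event: str          # constructed event label, not a product field
    threshold: int
    block_seconds: int  # 0 means notify only

RULES = [
    Rule("Password Brute Force", "auth_failure", 50, 30 * DAY),
    Rule("Bad SMTP Sessions", "bad_smtp_session", 100, 30 * DAY),
    Rule("Denial of Service", "connection", 1000, 1 * DAY),
    Rule("Internal Spammer", "message_sent", 1000, 0),
]

class Evaluator:
    def __init__(self, rules=RULES, window=WINDOW):
        self.rules = {r.event: r for r in rules}
        self.window = window
        self.seen = defaultdict(deque)  # (event, source) -> timestamps in window
        self.blocked_until = {}         # source -> epoch second the block ends

    def is_blocked(self, source, now):
        return self.blocked_until.get(source, 0) > now

    def observe(self, ts, source, event):
        """Feed one event; return (rule name, action) if a rule fires, else None."""
        rule = self.rules.get(event)
        if rule is None or self.is_blocked(source, ts):
            return None
        q = self.seen[(event, source)]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # expire events older than 10 minutes
            q.popleft()
        if len(q) < rule.threshold:            # assumption: fires on reaching the count
            return None
        q.clear()                              # assumption: count restarts after firing
        if rule.block_seconds == 0:
            return (rule.name, "notify")
        self.blocked_until[source] = ts + rule.block_seconds
        return (rule.name, "block")
```

Feeding a year of parsed log events through `observe` shows how many sources each rule would have blocked, which is the data needed to judge whether a threshold is too strong or too lenient.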