Logs and BlackListing
Idea shared by Rod Strumbel - April 2 at 8:29 AM
Bouncing back and forth between the Troubleshooting/Logs/SMTP and the Security/BlackLists table gets old really fast. How about putting a textbox on the Logs page that allows you to enter an IP address there to either be added to the BlackList or WhiteList table directly? (Or a range of IPs.) Would save a LOT of time on a daily basis.
Also, we are starting to see a LOT of what I call "slow dictionary attacks" where we are getting hacking attempts, but they are at such a slow rate that setting the IDS triggers to those low levels would likely block a lot of legitimate IPs. The hits we see are at most 1 a minute, and several I've seen have pushed off to only 1 attempt every 5 minutes. Is there any sort of "slow attack" detection that could be implemented where a list of "possible" attacks could be presented and you could then YAY or NAY the items of that list (rather than having to scan for them manually as I do now)? If such a thing is implemented it would also be useful to be able to see the actual TRAFFIC that triggered them to appear in the list without having to return to the logs manually to look it up.
Our system isn't even rolled out into production yet and I spend easily 30 minutes a day rolling through the SMTP log to identify hacking threats that fall below the IDS thresholds ... and there are many. I blocked a full class C and 18 additional single IPs today alone.  I can't imagine the time required once I put the system live and start to see "real traffic" and have to scan those monster logs trying to locate troublemakers.
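The "slow attack" detection asked for above, as an added example that is not part of the original post or of SmarterMail: a short-window rate trigger of the kind an IDS threshold implements, beside a long-window trigger that counts distinct usernames per source IP over a day. The log format, the IPs and the usernames are constructed for the example; the tunable thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is hypothetical, not SmarterMail's own.
SAMPLE_LOG = """\
2024-04-02 00:01:10 [203.0.113.7] authentication failed for user admin
2024-04-02 00:06:20 [203.0.113.7] authentication failed for user sales
2024-04-02 00:11:05 [203.0.113.7] authentication failed for user info
2024-04-02 00:16:40 [203.0.113.7] authentication failed for user postmaster
2024-04-02 00:02:00 [198.51.100.9] authentication failed for user bob
2024-04-02 00:02:05 [198.51.100.9] authentication failed for user bob
2024-04-02 00:02:12 [198.51.100.9] authentication failed for user bob
2024-04-02 00:02:20 [198.51.100.9] authentication failed for user bob
2024-04-02 00:03:00 [192.0.2.44] authentication failed for user alice
"""
LINE_RE = re.compile(r"^(\S+ \S+) \[([\d.]+)\] authentication failed for user (\S+)$")

def parse_failures(text):
    """Group auth-failure lines by source IP as (timestamp, user, raw_line)."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            by_ip[m.group(2)].append((ts, m.group(3), line))
    return by_ip

def burst_ids_hits(by_ip, max_fails=4, window=timedelta(minutes=10)):
    """Classic IDS rate trigger: max_fails failures inside one short sliding window."""
    hits = set()
    for ip, events in by_ip.items():
        times = sorted(t for t, _, _ in events)
        if any(times[i + max_fails - 1] - times[i] <= window
               for i in range(len(times) - max_fails + 1)):
            hits.add(ip)
    return hits

def slow_attack_candidates(by_ip, min_fails=4, min_users=3, span=timedelta(hours=24)):
    """Long-window trigger: low failure rate but many distinct usernames from one IP
    within a day.  Returns {ip: raw lines} so the traffic behind each 'possible'
    entry is visible for a yay/nay decision."""
    out = {}
    for ip, events in by_ip.items():
        times = [t for t, _, _ in events]
        users = {u for _, u, _ in events}
        if len(events) >= min_fails and len(users) >= min_users \
                and max(times) - min(times) <= span:
            out[ip] = [raw for _, _, raw in events]
    return out
```

The slow IP (one failure every five minutes, a different username each time) never trips the burst trigger but does land on the candidate list together with the lines that put it there; the burst IP trips only the rate trigger.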

1 Reply
Excellent idea!