Show last IPs blocked by IDS / keep an easily accessible log
Idea shared by Ionel Aurelian Rau - 6/19/2018 at 11:41 PM
Here is an idea: on the IDS Blocks menu, it would be helpful if there were also a list of the last X number of blocked IPs. Right now, we can see that an IP is blocked and the time remaining until it will be unblocked, but cannot see any way to get a list of the IPs that were blocked in the past day, for example. From our experience, we have brute force attacks that originate from multiple random IPs, but after some time they will try a previously used IP again. So if an IP was blocked at some time, it is highly likely it will try to brute force again.
We are monitoring these attacks, filtering out the IPs of legitimate users (who forget their passwords and try over and over again with the wrong password until they get blocked) and adding the offenders to a rule on our edge firewall, dropping any traffic from these offenders at the gate. This has reduced a lot of useless traffic to our mail server, but the problem is that we need to be constantly watching the IDS Blocks page and perusing the SMTP Logs in conjunction with the Administrative logs.
Would it be hard to have a list of the last X number of blocked IPs right on that page? Maybe also with an option to download a CSV/XML/XLS/TXT file with a list of all offending IPs?

1 Reply

OK, is there any chance that in SM 16 or SM 17 we will have an exportable list of IDS blocked IPs in the past week/month/year? There are more and more brute force and harvesting attempts and they seem to cycle through the same IPs after a while. It would be very useful if we could keep track of these attempts and be able to export a list that we can use to block the IPs directly at the Firewall level if they repeatedly abuse us.

Thank you!
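The rolling list and export that both posts ask for can be kept outside the product until the feature exists. As an added example (not part of this thread and not SmarterMail's own code), the Python script below parses constructed IDS block log lines, counts blocks per IP inside a lookback window, skips an allowlist of known legitimate users who keep mistyping their password, and writes repeat offenders to CSV for the edge firewall. The log line format, the `IDS block:` marker and the sample addresses are assumptions; SmarterMail's real administrative log lines will differ, so `LINE_RE` must be adjusted.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption for this example and
# SmarterMail's real IDS/administrative log lines will differ (adjust LINE_RE).
SAMPLE_LOG = """\
2018-06-12 08:00:00 IDS block: 198.51.100.23 reason=smtp-brute-force
2018-06-18 02:14:09 IDS block: 203.0.113.7 reason=smtp-brute-force
2018-06-18 09:40:51 IDS block: 198.51.100.23 reason=smtp-brute-force
2018-06-18 23:05:12 IDS block: 203.0.113.7 reason=smtp-brute-force
2018-06-19 04:31:44 IDS block: 192.0.2.88 reason=harvesting
2018-06-19 11:02:03 IDS block: 203.0.113.7 reason=smtp-brute-force
2018-06-19 15:47:30 IDS block: 198.51.100.23 reason=smtp-brute-force
"""
NOW = datetime(2018, 6, 19, 23, 41, 0)  # constructed reference time for the sample

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IDS block: "
                     r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) reason=(?P<reason>\S+)")

def parse_blocks(text):
    """Yield (timestamp, ip, reason) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]

def repeat_offenders(text, now=NOW, lookback_days=1, min_blocks=2, allowlist=frozenset()):
    """ip -> (count, first_block, last_block) for IPs blocked >= min_blocks times in the
    last lookback_days; allowlisted IPs (legitimate users mistyping passwords) are skipped."""
    cutoff = now - timedelta(days=lookback_days)
    seen = defaultdict(list)
    for ts, ip, _reason in parse_blocks(text):
        if cutoff <= ts <= now and ip not in allowlist:
            seen[ip].append(ts)
    return {ip: (len(t), min(t), max(t)) for ip, t in seen.items() if len(t) >= min_blocks}

def to_csv(offenders):
    """CSV of offenders, most-blocked first, ready to import into the edge firewall."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ip", "block_count", "first_block", "last_block"])
    for ip, (n, first, last) in sorted(offenders.items(), key=lambda kv: (-kv[1][0], kv[0])):
        w.writerow([ip, n, first.isoformat(sep=" "), last.isoformat(sep=" ")])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(repeat_offenders(SAMPLE_LOG, lookback_days=2)))
```

Widening `lookback_days` to a week or a month surfaces the IPs that cycle back after a quiet period, which a single day's block list never shows.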
