Build 6948 IDS (Brute Force By Protocol) Not functional without Denial Of Service Rule
Problem reported by Jade D - 1/15/2019 at 5:47 AM
Not A Problem
Build 6948 seems to be subject to major flaw with the IDS rules.
During my tests I was not able to successfully get an IP address added to the IDS block as a Brute Force By Protocol Failure violation; all blocks were the result of a Denial Of Service violation.

Removing or increasing the Denial of Service threshold values above the Brute Force By Protocol thresholds results in a system open to brute force.

When Brute Force By Protocol & Denial of Service exist with the same values, it's only possible to get the offending IP added to the Denial of Service block list, which indicates that Denial of Service takes precedence over Brute Force By Protocol.

The logs below show 11 failed login attempts via POP3 where an IDS rule exists that is configured to block the offending IP for 60 minutes after 2 failed login attempts within a 5 minute period.

[2019.01.15] 14:24:32.892 [REDACTED][25486715] connected at 1/15/2019 2:24:32 PM
[2019.01.15] 14:24:32.892 [REDACTED][25486715] CAPA
[2019.01.15] 14:24:32.892 [REDACTED][25486715] USER REDACTED
[2019.01.15] 14:24:32.892 [REDACTED][25486715] PASS XXXX
[2019.01.15] 14:24:32.892 [REDACTED][25486715] -ERR UserName or Password is incorrect
[2019.01.15] 14:24:32.892 [REDACTED][25486715]  login failed
[2019.01.15] 14:24:32.892 [REDACTED][25486715] disconnected at 1/15/2019 2:24:32 PM
[2019.01.15] 14:24:33.888 [REDACTED][40469593] connected at 1/15/2019 2:24:33 PM
[2019.01.15] 14:24:33.888 [REDACTED][40469593] CAPA
[2019.01.15] 14:24:33.888 [REDACTED][40469593] USER REDACTED
[2019.01.15] 14:24:33.888 [REDACTED][40469593] PASS XXXX
[2019.01.15] 14:24:33.888 [REDACTED][40469593] -ERR UserName or Password is incorrect
[2019.01.15] 14:24:33.888 [REDACTED][40469593]  login failed
[2019.01.15] 14:24:33.888 [REDACTED][40469593] disconnected at 1/15/2019 2:24:33 PM
[2019.01.15] 14:25:14.887 [REDACTED][50614836] connected at 1/15/2019 2:25:14 PM
[2019.01.15] 14:25:14.887 [REDACTED][50614836] CAPA
[2019.01.15] 14:25:14.887 [REDACTED][50614836] USER REDACTED
[2019.01.15] 14:25:14.887 [REDACTED][50614836] PASS XXXX
[2019.01.15] 14:25:14.887 [REDACTED][50614836] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:14.887 [REDACTED][50614836]  login failed
[2019.01.15] 14:25:14.887 [REDACTED][50614836] disconnected at 1/15/2019 2:25:14 PM
[2019.01.15] 14:25:15.895 [REDACTED][36745369] connected at 1/15/2019 2:25:15 PM
[2019.01.15] 14:25:15.895 [REDACTED][36745369] CAPA
[2019.01.15] 14:25:15.895 [REDACTED][36745369] USER REDACTED
[2019.01.15] 14:25:15.895 [REDACTED][36745369] PASS XXXX
[2019.01.15] 14:25:15.895 [REDACTED][36745369] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:15.895 [REDACTED][36745369]  login failed
[2019.01.15] 14:25:15.895 [REDACTED][36745369] disconnected at 1/15/2019 2:25:15 PM
[2019.01.15] 14:25:28.894 [REDACTED][4685816] connected at 1/15/2019 2:25:28 PM
[2019.01.15] 14:25:28.894 [REDACTED][4685816] CAPA
[2019.01.15] 14:25:28.894 [REDACTED][4685816] USER REDACTED
[2019.01.15] 14:25:28.894 [REDACTED][4685816] PASS XXXX
[2019.01.15] 14:25:28.894 [REDACTED][4685816] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:28.894 [REDACTED][4685816]  login failed
[2019.01.15] 14:25:28.894 [REDACTED][4685816] disconnected at 1/15/2019 2:25:28 PM
[2019.01.15] 14:25:29.890 [REDACTED][13474264] connected at 1/15/2019 2:25:29 PM
[2019.01.15] 14:25:29.890 [REDACTED][13474264] CAPA
[2019.01.15] 14:25:29.890 [REDACTED][13474264] USER REDACTED
[2019.01.15] 14:25:29.890 [REDACTED][13474264] PASS XXXX
[2019.01.15] 14:25:29.890 [REDACTED][13474264] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:29.890 [REDACTED][13474264]  login failed
[2019.01.15] 14:25:29.890 [REDACTED][13474264] disconnected at 1/15/2019 2:25:29 PM
[2019.01.15] 14:25:30.894 [REDACTED][63607995] connected at 1/15/2019 2:25:30 PM
[2019.01.15] 14:25:30.894 [REDACTED][63607995] CAPA
[2019.01.15] 14:25:30.894 [REDACTED][63607995] USER REDACTED
[2019.01.15] 14:25:30.894 [REDACTED][63607995] PASS XXXX
[2019.01.15] 14:25:30.894 [REDACTED][63607995] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:30.894 [REDACTED][63607995]  login failed
[2019.01.15] 14:25:30.894 [REDACTED][63607995] disconnected at 1/15/2019 2:25:30 PM
[2019.01.15] 14:25:53.883 [REDACTED][21439574] connected at 1/15/2019 2:25:53 PM
[2019.01.15] 14:25:53.883 [REDACTED][21439574] CAPA
[2019.01.15] 14:25:53.899 [REDACTED][21439574] USER REDACTED
[2019.01.15] 14:25:53.899 [REDACTED][21439574] PASS XXXX
[2019.01.15] 14:25:53.899 [REDACTED][21439574] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:53.899 [REDACTED][21439574]  login failed
[2019.01.15] 14:25:53.899 [REDACTED][21439574] disconnected at 1/15/2019 2:25:53 PM
[2019.01.15] 14:25:54.890 [REDACTED][24191953] connected at 1/15/2019 2:25:54 PM
[2019.01.15] 14:25:54.890 [REDACTED][24191953] CAPA
[2019.01.15] 14:25:54.890 [REDACTED][24191953] USER REDACTED
[2019.01.15] 14:25:54.890 [REDACTED][24191953] PASS XXXX
[2019.01.15] 14:25:54.890 [REDACTED][24191953] -ERR UserName or Password is incorrect
[2019.01.15] 14:25:54.890 [REDACTED][24191953]  login failed
[2019.01.15] 14:25:54.890 [REDACTED][24191953] disconnected at 1/15/2019 2:25:54 PM
[2019.01.15] 14:26:12.894 [REDACTED][6658339] connected at 1/15/2019 2:26:12 PM
[2019.01.15] 14:26:12.894 [REDACTED][6658339] CAPA
[2019.01.15] 14:26:12.894 [REDACTED][6658339] USER REDACTED
[2019.01.15] 14:26:12.894 [REDACTED][6658339] PASS XXXX
[2019.01.15] 14:26:12.894 [REDACTED][6658339] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:12.894 [REDACTED][6658339]  login failed
[2019.01.15] 14:26:12.894 [REDACTED][6658339] disconnected at 1/15/2019 2:26:12 PM
[2019.01.15] 14:26:13.896 [REDACTED][37675339] connected at 1/15/2019 2:26:13 PM
[2019.01.15] 14:26:13.896 [REDACTED][37675339] CAPA
[2019.01.15] 14:26:13.896 [REDACTED][37675339] USER REDACTED
[2019.01.15] 14:26:13.896 [REDACTED][37675339] PASS XXXX
[2019.01.15] 14:26:13.896 [REDACTED][37675339] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:13.896 [REDACTED][37675339]  login failed
[2019.01.15] 14:26:13.896 [REDACTED][37675339] disconnected at 1/15/2019 2:26:13 PM
[2019.01.15] 14:26:27.894 [REDACTED][56978075] connected at 1/15/2019 2:26:27 PM
[2019.01.15] 14:26:27.894 [REDACTED][56978075] CAPA
[2019.01.15] 14:26:27.894 [REDACTED][56978075] USER REDACTED
[2019.01.15] 14:26:27.894 [REDACTED][56978075] PASS XXXX
[2019.01.15] 14:26:27.894 [REDACTED][56978075] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:27.894 [REDACTED][56978075]  login failed
[2019.01.15] 14:26:27.894 [REDACTED][56978075] disconnected at 1/15/2019 2:26:27 PM
[2019.01.15] 14:26:28.890 [REDACTED][18789829] connected at 1/15/2019 2:26:28 PM
[2019.01.15] 14:26:28.890 [REDACTED][18789829] CAPA
[2019.01.15] 14:26:28.890 [REDACTED][18789829] USER REDACTED
[2019.01.15] 14:26:28.890 [REDACTED][18789829] PASS XXXX
[2019.01.15] 14:26:28.890 [REDACTED][18789829] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:28.890 [REDACTED][18789829]  login failed
[2019.01.15] 14:26:28.890 [REDACTED][18789829] disconnected at 1/15/2019 2:26:28 PM
[2019.01.15] 14:26:47.885 [REDACTED][32197522] connected at 1/15/2019 2:26:47 PM
[2019.01.15] 14:26:47.885 [REDACTED][32197522] CAPA
[2019.01.15] 14:26:47.885 [REDACTED][32197522] USER REDACTED
[2019.01.15] 14:26:47.885 [REDACTED][32197522] PASS XXXX
[2019.01.15] 14:26:47.885 [REDACTED][32197522] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:47.901 [REDACTED][32197522]  login failed
[2019.01.15] 14:26:47.901 [REDACTED][32197522] disconnected at 1/15/2019 2:26:47 PM
[2019.01.15] 14:26:48.881 [REDACTED][11959282] connected at 1/15/2019 2:26:48 PM
[2019.01.15] 14:26:48.897 [REDACTED][11959282] CAPA
[2019.01.15] 14:26:48.897 [REDACTED][11959282] USER REDACTED
[2019.01.15] 14:26:48.897 [REDACTED][11959282] PASS XXXX
[2019.01.15] 14:26:48.897 [REDACTED][11959282] -ERR UserName or Password is incorrect
[2019.01.15] 14:26:48.897 [REDACTED][11959282]  login failed
[2019.01.15] 14:26:48.897 [REDACTED][11959282] disconnected at 1/15/2019 2:26:48 PM

After creating the corresponding Brute Force By Protocol & Denial of Service rules, the offending IP is added to the IDS block for triggering the Denial of Service rule.

[2019.01.15] 14:41:05.893 [REDACTED][5249868] connected at 1/15/2019 2:41:05 PM
[2019.01.15] 14:41:05.893 [REDACTED][5249868] CAPA
[2019.01.15] 14:41:05.893 [REDACTED][5249868] USER REDACTED
[2019.01.15] 14:41:05.893 [REDACTED][5249868] PASS XXXX
[2019.01.15] 14:41:05.893 [REDACTED][5249868] -ERR UserName or Password is incorrect
[2019.01.15] 14:41:05.893 [REDACTED][5249868]  login failed
[2019.01.15] 14:41:05.893 [REDACTED][5249868] disconnected at 1/15/2019 2:41:05 PM
[2019.01.15] 14:41:06.894 [REDACTED][44381200] connected at 1/15/2019 2:41:06 PM
[2019.01.15] 14:41:06.894 [REDACTED][44381200] "421 Server is busy, try again later." response returned.
[2019.01.15] 14:41:06.894 [REDACTED][44381200] IP is blacklisted
[2019.01.15] 14:41:06.894 [REDACTED][44381200] disconnected at 1/15/2019 2:41:06 PM

3 Replies

0
Jade D Replied
Just checking to see if any of the developers have taken a look at this issue or if I need to log a ticket for this?
Jade https://absolutehosting.co.za
0
Employee Replied
Employee Post
Hi,
While testing this were you using a different email/password combination each time? Only unique combinations count towards brute force. The idea behind this is that it's fruitless to try and brute force an account by using the same email/password combination each time, if it failed once, it will continue failing. It also helps prevent users using clients from getting locked out when their client's email/password combination is accidentally wrong.
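An added model of the two rule types discussed in this thread, written here for illustration and not taken from the product: it replays constructed POP3 log lines in the format of the logs above, counts brute-force failures the way the employee describes (only unique user/password combinations count) next to a simple connection-count rule, and checks which rule blocks first. The brute-force threshold is the reporter's 2 failures in 5 minutes; the DoS threshold, IPs and credentials are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the 5-minute period from the reporter's rule

def parse(line):
    """Split '[YYYY.MM.DD] HH:MM:SS.mmm [ip][session] message' into its parts."""
    date, time, rest = line.split(" ", 2)
    ts = datetime.strptime(f"{date} {time}", "[%Y.%m.%d] %H:%M:%S.%f")
    ip = rest[1:rest.index("]")]
    return ts, ip, rest.split("] ", 1)[1].strip()

def evaluate(lines, bf_threshold=2, dos_threshold=10):
    """Return {ip: first rule tripped}; bf counts distinct failed (user, pw) pairs, dos counts connections."""
    conns, fails, creds, blocked = defaultdict(list), defaultdict(list), {}, {}
    for line in lines:
        ts, ip, msg = parse(line)
        if ip in blocked:
            continue                      # already on the IDS block list
        if msg.startswith("connected at"):
            conns[ip].append(ts)
            creds[ip] = [None, None]      # new session, no credentials yet
            if sum(ts - t <= WINDOW for t in conns[ip]) >= dos_threshold:
                blocked[ip] = "Denial of Service"
        elif msg.startswith("USER "):
            creds[ip][0] = msg[5:]
        elif msg.startswith("PASS "):
            creds[ip][1] = msg[5:]
        elif msg == "login failed":
            fails[ip].append((ts, tuple(creds[ip])))
            # only unique combinations within the window count, as the employee explains
            unique = {c for t, c in fails[ip] if ts - t <= WINDOW}
            if len(unique) >= bf_threshold:
                blocked[ip] = "Brute Force By Protocol"
    return blocked

def session(ts, ip, user, pw, sid):
    """Constructed POP3 session in the thread's log format (one failed login)."""
    p = ts.strftime("[%Y.%m.%d] %H:%M:%S.%f")[:-3] + f" [{ip}][{sid}]"
    return [f"{p} connected at", f"{p} CAPA", f"{p} USER {user}", f"{p} PASS {pw}",
            f"{p} -ERR UserName or Password is incorrect", f"{p}  login failed",
            f"{p} disconnected at"]

T0 = datetime(2019, 1, 15, 14, 24, 32)
# Constructed traffic: 11 sessions 10 s apart; SAME_CREDS repeats one wrong password
# (the reporter's test), UNIQUE_CREDS tries a different password each time (assumed IPs)
SAME_CREDS = [l for i in range(11)
              for l in session(T0 + timedelta(seconds=10 * i), "203.0.113.5", "bob", "wrong", i)]
UNIQUE_CREDS = [l for i in range(11)
                for l in session(T0 + timedelta(seconds=10 * i), "203.0.113.6", "bob", f"guess{i}", i)]
```

With the repeated password only the connection-count rule ever fires; with distinct passwords the brute-force rule fires at the second failure, and when both thresholds are equal the connection count trips first because it is checked at connect time, before the login fails.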
0
Jade D Replied
Hi Alex,

Resolved as per previous thread, thanks again for your support.
Jade https://absolutehosting.co.za