Hit ENTER after each Tag to add it to your post; Numbers in parentheses represent the Tag's usage.
Recently we had some issues with a barrage of hacking attempts against our server, and in response we tightened up our IDS Block settings, which is now capturing many false-positives from local customers who operate from a single building with multiple devices.
What would be great is if we could right-click on a captured IP to see the list of infractions that lead to being blocked. Sure, I can see that there's an IMAP DoS, but, were those IMAP sessions successful, and simply multiple people in one office all checking their email at the same time? I mean, 30 employees in one building (one IP) with both desktop and smartphones each could easily accidentally sync their email-checking times and trigger something. If I could see that this particular episode was real, I could tweak my settings. I would also know if this was just one frantic client and I could call them and fix their issue.
Looking at the two IDS Block records, below, it appears this IP number tripped the "IMAP Password Brute Force by Protocol" a half-hour ago, and 23 minutes later it tripped the IMAP DoS. Probably someone was checking checking checking their email because their password was incorrect and no new email was coming in. Of course, I'm just guessing at this behavior.
In any event, clearly SM is keeping track of stuff, and potentially could grab that grep or whatever triggered the block and paste it into a variable we could scrutinize. Right-click "View Log."
Until then, we're kind of flying blind, or are subject to dropping to the server and searching through logs.
| 18.104.22.168 || 23:53:10 || United States || IMAP || Denial of Service (DoS) || Default IMAP DoS |
| 22.214.171.124 || 23:30:02 || United States || IMAP || Password Brute Force by Protocol || Default IMAP brute force |
Mik MullerMontague WebWorks