Back to Community Threads
IDS Rules
Question asked by YS Tech - 10/11/2023 at 8:31 AM
Answered
I've set up certain rules and limits on those rules.
But I had a client who keeps getting locked out, as he has a few staff that login to the same account, generally at the same time to check emails.
This triggers the "Password Brute Force by Email", or it may be that a hacker is causing this issue?
The issue I have is that I went in to check today what the rules were set to and there were 6 new rules for "Password Brute Force by Email" set. Now I'm pretty sure I only set one of those.
1) Do they actually get set up based on activity, or should there only have been my 1 that I set up?
There are also 7 "Password Retrieval Brute Force" setup (all with the same settings).
2) Surely there only needs to be one of those rules (if they are all the same)?
Thanks
Kyle Kerst Replied
10/18/2023 at 4:31 PM
Employee Post
Hello! First, the Password Brute Force by Email IDS rule is very likely being triggered by an external user attempting to guess the password for this account. To correct that I recommend adjusting the Brute Force by IP rules so they engage sooner than the by email rule, which should prevent them attempting further from the same IP. 

The IDS rule duplication you are seeing is a concern though (if I'm understanding you correctly) and I recommend you submit a ticket on this as this is something I spotted recently in one of our test environments and we have escalated a request to development to investigate further. If you can get a ticket submitted with us including further details this may aid them in their review. Thanks!
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
YS Tech Replied
10/23/2023 at 6:48 AM
Thanks Kyle, i've adjusted the IDS rules as suggested and it seems to be ok now.
Also since removing the duplicate IDS rules, they've not returned. I will keep an eye on them.
Employee Replied
10/25/2023 at 7:24 AM
Employee Post Marked As Answer
Hey YS Tech, 

I just wanted to let you know that we were able to replicate this behavior internally. It looks like some of the IDS rules are getting duplicated after the Windows server is rebooted. We've got this sent up to development for a fix. 
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
554 Error - MTA Poor Reputation FixesSmarterMail > Troubleshooting
Key Feature and Version Milestones in SmarterMailSmarterMail
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Configure URL Rewriting for Autodiscover on LinuxSmarterMail > Server Configuration and Management
Adding an Exclusion for SmarterMail's Installer When Using SentinelOneSmarterMail > Troubleshooting