1
IDS Rules
Question asked by YS Tech - 10/11/2023 at 8:31 AM
Answered
I've set up certain rules and limits on those rules.
But I had a client who keeps getting locked out, as he has a few staff that login to the same account, generally at the same time to check emails.
This triggers the "Password Brute Force by Email", or it may be that a hacker is causing this issue?
The issue I have is that I went in to check today what the rules were set to and there were 6 new rules for "Password Brute Force by Email" set. Now I'm pretty sure I only set one of those.
1) Do they actually get set up based on activity, or should there only have been my 1 that I set up?
There are also 7 "Password Retrieval Brute Force" setup (all with the same settings).
2) Surely there only needs to be one of those rules (if they are all the same)?
Thanks

3 Replies

Reply to Thread
0
Kyle Kerst Replied
Employee Post
Hello! First, the Password Brute Force by Email IDS rule is very likely being triggered by an external user attempting to guess the password for this account. To correct that I recommend adjusting the Brute Force by IP rules so they engage sooner than the by email rule, which should prevent them attempting further from the same IP. 

The IDS rule duplication you are seeing is a concern though (if I'm understanding you correctly) and I recommend you submit a ticket on this as this is something I spotted recently in one of our test environments and we have escalated a request to development to investigate further. If you can get a ticket submitted with us including further details this may aid them in their review. Thanks!
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
YS Tech Replied
Thanks Kyle, i've adjusted the IDS rules as suggested and it seems to be ok now.
Also since removing the duplicate IDS rules, they've not returned. I will keep an eye on them.
1
Andrea Free Replied
Employee Post Marked As Answer
Hey YS Tech, 

I just wanted to let you know that we were able to replicate this behavior internally. It looks like some of the IDS rules are getting duplicated after the Windows server is rebooted. We've got this sent up to development for a fix. 

Andrea Free
SmarterTools Inc.
877-357-6278

www.smartertools.com

Reply to Thread