1
IDS Rules
Question asked by YS Tech - 10/11/2023 at 8:31 AM
Answered
I've set up certain rules and limits on those rules.
But I had a client who keeps getting locked out, as he has a few staff who log in to the same account, generally at the same time, to check emails.
This triggers the "Password Brute Force by Email", or it may be that a hacker is causing this issue?
The issue I have is that I went in to check today what the rules were set to and there were 6 new rules for "Password Brute Force by Email" set. Now I'm pretty sure I only set one of those.
1) Do they actually get set up based on activity, or should there only have been my 1 that I set up?
There are also 7 "Password Retrieval Brute Force" rules set up (all with the same settings).
2) Surely there only needs to be one of those rules (if they are all the same)?
Thanks

3 Replies

0
Kyle Kerst Replied
Employee Post
Hello! First, the Password Brute Force by Email IDS rule is very likely being triggered by an external user attempting to guess the password for this account. To correct that I recommend adjusting the Brute Force by IP rules so they engage sooner than the by email rule, which should prevent them attempting further from the same IP. 

The IDS rule duplication you are seeing is a concern though (if I'm understanding you correctly) and I recommend you submit a ticket on this as this is something I spotted recently in one of our test environments and we have escalated a request to development to investigate further. If you can get a ticket submitted with us including further details this may aid them in their review. Thanks!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
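Added illustration of the threshold ordering recommended above (this is not SmarterMail's code; the IP addresses, mailbox, thresholds and the simplified counting model with no time window are all assumptions). It replays constructed failed-login events through a per-IP rule and a per-email rule and shows that, when the by-IP rule engages first, the attacker's IP is blocked before the shared mailbox reaches its lockout count.

```python
from collections import defaultdict

# Constructed sample: an attacker at one IP fails 8 times against a shared
# mailbox, then three staff at distinct office IPs each mistype once.
EVENTS = [("203.0.113.9", "shared@example.com")] * 8 + [
    ("198.51.100.11", "shared@example.com"),
    ("198.51.100.12", "shared@example.com"),
    ("198.51.100.13", "shared@example.com"),
]

# Assumed thresholds: "weak" lets the by-email rule fire no later than the
# by-IP rule; "corrected" makes the by-IP rule engage sooner, as advised.
WEAK = {"ip_threshold": 10, "email_threshold": 10}
CORRECTED = {"ip_threshold": 5, "email_threshold": 10}


def run_ids(events, ip_threshold, email_threshold):
    """Replay failed logins through two counters (per source IP, per email).

    Simplification: no time window; counters never expire. Once an IP is
    blocked, its later attempts are dropped and no longer count against the
    email rule, which is the effect the advice relies on.
    Returns (blocked_ips, locked_emails).
    """
    ip_fail = defaultdict(int)
    email_fail = defaultdict(int)
    blocked_ips, locked_emails = set(), set()
    for ip, email in events:
        if ip in blocked_ips:
            continue  # blocked source: attempt never reaches the mailbox
        ip_fail[ip] += 1
        email_fail[email] += 1
        if ip_fail[ip] >= ip_threshold:
            blocked_ips.add(ip)
        if email_fail[email] >= email_threshold:
            locked_emails.add(email)
    return blocked_ips, locked_emails


def compare():
    """Run both settings and report which rule fired for each."""
    return {name: run_ids(EVENTS, **cfg)
            for name, cfg in (("weak", WEAK), ("corrected", CORRECTED))}


if __name__ == "__main__":
    for name, (ips, emails) in compare().items():
        print(f"{name}: blocked IPs={sorted(ips)} locked mailboxes={sorted(emails)}")
```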
0
YS Tech Replied
Thanks Kyle, I've adjusted the IDS rules as suggested and it seems to be ok now.
Also since removing the duplicate IDS rules, they've not returned. I will keep an eye on them.
1
Employee Replied
Employee Post Marked As Answer
Hey YS Tech, 

I just wanted to let you know that we were able to replicate this behavior internally. It looks like some of the IDS rules are getting duplicated after the Windows server is rebooted. We've got this sent up to development for a fix. 
