IDS - Brute Force by Email rule - Does it block the IP Address or the email address ?

Problem reported by Curtis Kropar www.HawaiianHope.org - Today at 1:51 PM

Submitted

In the Security IDS rule of "Brute Force by Email" We have like 50 different IP addresses repeatedly trying to log in as the same user. Each one failing. But in the IDS Blocks, It looks like it is now blocking the USER from logging in, and not blocking all of the IP Addresses that attempted the login.

Is this accurate that our user is now prevented from logging in from anywhere ?

If so, That is NOT want we would be expecting. The user should still be able to log in, but I want all of those IP Addresses blocked.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !

2 Replies

Reply to Thread

John Quest Replied

Today at 3:02 PM

Sounds like what you want is the IDS rule "Password Brute Force by IP" not by email.

Curtis Kropar www.HawaiianHope.org Replied

Today at 4:07 PM

I have that one set up too, but it does not get triggered because they only try it like 2 or 3 times from an IP address, and then move to a new IP Address. but yea, its constantly being targeted by a bunch of IP addresses. Just today so far there are 83 attempts by 23 different IP addresses, attacking a single user account

What would be great if there was a way to say "this account normally logs in from the following 3(#) IP addresses, everything else is suspect."

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text