we authenticate through Active Directory, but our public login page is sometimes attacked by brute force attempts, so some AD accounts are locked.
It would be great if ip could be banned after some bad attempts.
Banning or some type of limit on "number of tries" would be great. Even if it was simple, just blocked the IP for an hour after X number of attacks, that would help. This type of security doesn't seem like it would be too hard to implement into the code.
As a workaround, there are two ways I've found to mitigate unwanted access attempts:
1.) Restrict the login attempts to a list of allowed IP ranges. For IPs that are not static, I've looked up the network range that the IP is in, and allowed that. So although I may have allowed everyone in a certain city or connection, it's better than allowing the entire world. You can find the network range of an IP address on sites like ipinfo.io or arin.net. The allowed list can be changed under Advanced > Web Configuration > Settings > Restrict to IP Addresses.
2.) On another server, I implemented pfSense with pfBlockerNG and blocked IPs outside of the country. Doing that reduced the number of brute force attempts by 90%. Note that doing this can be effective but also adds some layer of complexity to the environment.
Although these fixes don't solve the issue of blocking brute force attacks, it does significantly reduce the attack surface.
my server is still getting hit with unknown users from strange ip addresses:
User Name:badusername
Result:UserNameInvalid
Address:unknownIP
User Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
and the badusername is using different ip addresses.
shouldn't this be of a higher priority after what just happened? if this were in place 7 years ago would we have had this issue??
yeah, the exploit that just happened still would have been an issue
Has there been any movement on this? After adding the ability to search for failed login attempts it would be great to be able to act on them, without having to restart the service. This has been a common feature for many of the other systems we use, for years.
+1. This is very much something that would be useful.
Having something automated help immensely. otherwise people would need to have people hunting logs to find offenders to add manually or script something out in a SIEM to where if a certain event with a specific IP was registered more than X times within a specific time frame to go do this at which point could be someone accessing a firewall via CLI or something to block an IP or whatever. pain in the ass is what that'd be.
Even having some form of alerting which would allow us to have a notification go out if we received like X amount of failed attempts from a single IP within 5 minutes or something would be useful too because I do have a "Shitlist" so to speak that is maintained on our firewalls to block abusive traffic.
been getting an increasing number of attempts recently, the built in HTTP 504 IP blocking is not sufficient we need a real firewall to thwart these threats and zero-day exploits.