we authenticate through Active Directory, but our public login page is sometimes attacked by brute force attempts, so some AD accounts are locked.
It would be great if ip could be banned after some bad attempts.
shouldn't this be of a higher priority after what just happened? if this were in place 7 years ago would we have had this issue??
yeah, the exploit that just happened still would have been an issue
my server is still getting hit with unknown users from strange ip addresses:
User Name:badusername
Result:UserNameInvalid
Address:unknownIP
User Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
and the badusername is using different ip addresses.
Banning or some type of limit on "number of tries" would be great. Even if it was simple, just blocked the IP for an hour after X number of attacks, that would help. This type of security doesn't seem like it would be too hard to implement into the code.
As a workaround, there are two ways I've found to mitigate unwanted access attempts:
1.) Restrict the login attempts to a list of allowed IP ranges. For IPs that are not static, I've looked up the network range that the IP is in, and allowed that. So although I may have allowed everyone in a certain city or connection, it's better than allowing the entire world. You can find the network range of an IP address on sites like ipinfo.io or arin.net. The allowed list can be changed under Advanced > Web Configuration > Settings > Restrict to IP Addresses.
2.) On another server, I implemented pfSense with pfBlockerNG and blocked IPs outside of the country. Doing that reduced the number of brute force attempts by 90%. Note that doing this can be effective but also adds some layer of complexity to the environment.
Although these fixes don't solve the issue of blocking brute force attacks, it does significantly reduce the attack surface.
+1