Vulnerability block more than 3600 seconds.

Hello there,

We have constant brute-force attempts on port 25 of our email server. We configured the vulnerability profile to block these attacks and consequently block the IP for 3600 seconds; however, in some cases this IP will try again immediately after the maximum blocking time. Is there any way to increase the blocking for this type of attack to 1 day, or is the only solution a fixed rule to specifically block these insistent IPs?


---
Rodolfo Timoteo da Silva
Security Team
IbestSec - Segurança da Informação
Support Center +55 16 3443 1866 option 2
https://ibestsec.milldesk.com/
You can time-tag the source IP using a log forwarding profile built-in action.

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

You will then configure a Security Policy that precedes the one currently being matched, where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time period configured in the Log Forwarding profile built-in action, and after the time expires they will be removed from the tag, therefore being matched again by the currently matched rule.

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy, please open a support case and ask for the case to be assigned to me. You can reference this post in the case.

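As an added illustration (not code from this thread or from Palo Alto Networks), a small Python model of the mechanism described above: the built-in action tags the offending source with a timeout, the DAG is the set of sources still carrying the tag, and a deny rule for the DAG sits above the SMTP allow rule. The tag name, rule names, the 86400-second timeout and the source 203.0.113.7 are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

TAG = "smtp-bruteforce"          # assumed tag name applied by the built-in action
TAG_TIMEOUT_S = 86400            # assumed: 1 day, instead of the profile's 3600 s

@dataclass
class TagStore:
    """ip -> {tag: expiry}; models the firewall's timed tag registrations."""
    entries: dict = field(default_factory=dict)

    def add_tag(self, ip, tag, timeout_s, now):
        # Re-tagging an already tagged source refreshes its expiry.
        self.entries.setdefault(ip, {})[tag] = now + timeout_s

    def has_tag(self, ip, tag, now):
        expiry = self.entries.get(ip, {}).get(tag)
        if expiry is None:
            return False
        if now >= expiry:          # tag aged out: source drops out of the DAG
            del self.entries[ip][tag]
            return False
        return True

def dag_members(store, tag, now):
    """Dynamic address group: every source currently carrying the tag."""
    return {ip for ip in list(store.entries) if store.has_tag(ip, tag, now)}

def on_threat_log(store, src_ip, now):
    """Log forwarding built-in action: tag the source of a matching threat log."""
    store.add_tag(src_ip, TAG, TAG_TIMEOUT_S, now)

def evaluate_policy(store, src_ip, dst_port, now):
    """First match wins; the deny rule for the DAG precedes the SMTP allow rule."""
    rules = [
        ("deny-tagged-sources", lambda ip, _: ip in dag_members(store, TAG, now), "deny"),
        ("allow-inbound-smtp", lambda _, port: port == 25, "allow"),
    ]
    for name, matches, action in rules:
        if matches(src_ip, dst_port):
            return name, action
    return "interzone-default", "deny"

def scenario():
    """Constructed attacker 203.0.113.7 trips the signature at t=0, then retries."""
    store = TagStore()
    on_threat_log(store, "203.0.113.7", now=0)
    retries = (10, 3700, 86400)            # 3700 s is past the old 3600 s block
    return [evaluate_policy(store, "203.0.113.7", 25, t)[1] for t in retries]
```

The retry at 3700 seconds, which would have got through after the 3600-second profile block, is still denied because the tag (and therefore the DAG membership) outlives it; once the tag expires, the source falls back to the regular SMTP rule.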

@mivaldi wrote:

You can time-tag the source IP using a log forwarding profile built-in action.

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

You will then configure a Security Policy that precedes the one currently being matched, where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time period configured in the Log Forwarding profile built-in action, and after the time expires they will be removed from the tag, therefore being matched again by the currently matched rule.

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy, please open a support case and ask for the case to be assigned to me. You can reference this post in the case.


I did everything, thanks for help.
