We have a constant brute-force attempt on port 25 of our email server. We set the vulnerability profile to block these attacks and consequently block the IP for 3600 seconds; however, in some cases this IP will try again immediately after the maximum blocking time. Is there any way to increase the blocking for this type of attack to 1 day, or is the only solution a fixed rule to specifically block these insistent IPs?
You can time-tag the source IP using a Log Forwarding profile built-in action.
Once the source is tagged, create a Dynamic Address Group (DAG) and set it to match the created tag.
You will then configure a Security Policy that precedes the rule currently being matched, where the source is the DAG, and set the rule action to Deny. The sources will remain tagged for the time period configured in the Log Forwarding profile built-in action; after the time expires they will be removed from the tag and therefore matched again by the rule that currently matches them.
If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy please open a support case and ask for the case to be assigned to me. You can reference this post in the case.
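The flow described in the answer above, as an added example that is not part of the original post or of any Palo Alto Networks code: a small Python model of the tag-with-timeout registry, the DAG built from the tag, and a top-down rulebase where the DAG deny rule sits above the normal SMTP allow rule, plus a builder for the User-ID XML API message that registers the same tag with a timeout (the alternative to the built-in action when you want to tag from a script). The tag name `smtp-bruteforce`, the 1-day timeout, the constructed threat-log dictionary and the TEST-NET-3 address are all assumptions for illustration; the clock is faked so the expiry can be stepped through deterministically.

```python
import xml.etree.ElementTree as ET

TAG = "smtp-bruteforce"   # hypothetical tag name
TAG_TIMEOUT = 86400       # 1 day in seconds, the block length the question asks for


class FakeClock:
    """Controllable clock so tag expiry can be demonstrated without waiting a day."""
    def __init__(self, t=0.0):
        self.t = t

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TagRegistry:
    """Per-IP tag registrations with expiry. Models the firewall's IP-to-tag table that a
    Log Forwarding built-in action (or a User-ID API register call) feeds."""
    def __init__(self, clock):
        self.clock = clock
        self.entries = {}  # ip -> {tag: expiry timestamp}

    def add_tag(self, ip, tag, timeout):
        # Re-tagging refreshes the timer, so an attacker that returns mid-block is extended.
        self.entries.setdefault(ip, {})[tag] = self.clock.now() + timeout

    def tags(self, ip):
        now = self.clock.now()
        live = {t: e for t, e in self.entries.get(ip, {}).items() if e > now}
        self.entries[ip] = live  # expired tags are dropped, as the firewall does
        return set(live)


def dag_members(registry, tag):
    """Dynamic Address Group: every IP that currently carries `tag`."""
    return {ip for ip in list(registry.entries) if tag in registry.tags(ip)}


def evaluate_policy(registry, src_ip, dst_port):
    """Top-down rulebase: the DAG deny rule precedes the rule that normally allows SMTP."""
    if src_ip in dag_members(registry, TAG):
        return "deny (DAG rule)"
    if dst_port == 25:
        return "allow (SMTP rule)"
    return "deny (default)"


def on_threat_log(registry, log):
    """The built-in action: a matching threat log tags the source address."""
    if log.get("type") == "threat" and log.get("category") == "brute-force" and log.get("dport") == 25:
        registry.add_tag(log["src"], TAG, TAG_TIMEOUT)
        return True
    return False


def build_register_message(ip, tag, timeout):
    """User-ID XML API payload (type=user-id) registering `tag` on `ip` with a timeout in seconds.
    Assumed shape of the uid-message register element; check it against your PAN-OS release."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip, persistent="0")
    tags = ET.SubElement(entry, "tags")
    ET.SubElement(tags, "member", timeout=str(timeout)).text = tag
    return ET.tostring(root, encoding="unicode")


def demo():
    """Walk one attacker through: allowed, tagged and denied, still denied after the old
    1-hour window, then back to the normal rule once the 1-day tag expires."""
    clock = FakeClock()
    registry = TagRegistry(clock)
    attacker = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    threat_log = {"type": "threat", "category": "brute-force", "src": attacker, "dport": 25}

    results = [evaluate_policy(registry, attacker, 25)]   # not yet tagged
    on_threat_log(registry, threat_log)                   # built-in action fires
    results.append(evaluate_policy(registry, attacker, 25))
    clock.advance(3600)                                   # the original 3600 s block would have lapsed here
    results.append(evaluate_policy(registry, attacker, 25))
    clock.advance(TAG_TIMEOUT)                            # past the 1-day tag timeout
    results.append(evaluate_policy(registry, attacker, 25))
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
    print(build_register_message("203.0.113.7", TAG, TAG_TIMEOUT))
```

Two things to check on a real firewall before relying on this: the timeout field of the Log Forwarding built-in action is entered in minutes while the API payload above carries seconds (my recollection, so verify the unit on your release), and the DAG deny rule must be placed above the existing rule that currently matches the attacker's traffic, otherwise the tag has no effect.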