This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Vulnerability block more than 3600 seconds.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability block more than 3600 seconds.

IbestSec
L0 Member

‎12-07-2020 07:12 PM

Hello there,

 

We have a constant brute force attempt on port 25 of our email server. We put the vulnerability profile to block these attacks and consequently block the ip for 3600 seconds, however in some cases this ip will try again immediately after the maximum blocking time. Is there any way to increase this type of attack for 1 day of blocking, or is the only solution a fixed rule to specifically block these insistent ips?


---
Rodolfo Timoteo da Silva
Security Team
IbestSec - Segurança da Informação
Support Center +55 16 3443 1866 opção 2
https://ibestsec.milldesk.com/
0 Likes Likes
2 REPLIES 2

mivaldi
L7 Applicator

‎12-24-2020 02:29 PM - edited ‎12-24-2020 02:31 PM

You can time-tag the source ip using a log forwarding profile built-in action.

 

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

 

You will then configure a Security Policy that will precede the current one being matched where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time lapse configured in the Log Forwarding profile built-in action, and after the time expires, they will be removed from the tag, therefore being matched again by the currently matched rule.

 

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy please open a support case and ask for the case to be assigned to me. You can reference this post in the case.

zellahoran
L0 Member
In response to mivaldi

‎01-27-2021 07:46 PM

@mivaldi wrote:

You can time-tag the source ip using a log forwarding profile built-in action.

 

Once the source is tagged, create an Address Group (Dynamic) (DAG) and set it to match the created tag.

 

You will then configure a Security Policy that will precede the current one being matched where the source is the DAG, and set the rule to Deny. The sources will remain tagged for the time lapse configured in the Log Forwarding profile built-in action, and after the time expires, they will be removed from the tag, therefore being matched again by the currently matched rule.

 

If you need instructions, I recently wrote an article on doing something similar to inhibit email alerts (retrigger timer). The article is not yet public because it is undergoing a revision process. If you need a copy please open a support case and ask for the case to be assigned to me. You can reference this post in the case.

I did everything, thanks for help.

  • 3108 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks