• Re “Immediately block the IP of users who try to sign in as these usernames,” it seems to work when the username is just a normal username (e.g. “john”), but doesn’t seem to work when it’s in email form (e.g. [email protected]).

    I say this because I see successive failed login attempts (up to our login limit minus 1), using the same IP, and in the exact email-form username we have specified (including case).

    The help page says “You can add usernames that are frequently used in brute force attempts such as ‘admin’ or your domain name without the top domain,” but I’m not clear on what that last part means (top domain?). Maybe it’s an explanation for what I’m asking.

    I’m seeing this in 7.3.16, but I only recently added a username in that form. In other words, I have no idea if this ever worked.

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @bjf2000,

    The top domain refers to .com, .net, etc. It’s common for attackers to use the site’s name in a brute force attack. You can block them by entering the site name as the username without the .com, .net, etc.

    Can you try blocking the username without the top domain like the example below?

    john@ourdomain

    Please give this a try and let me know if it helps.

    Thanks,

    Gerroald

    • This reply was modified 5 years, 3 months ago by WFGerroald.
    Thread Starter bjf2000

    (@bjf2000)

    Got it.

    OK, so I did that, removing what I had in this example form:

    [email protected]

    And replacing it with the same thing minus the top domain.

    Then I waited some hours for the next login attempt by [email protected] — but it was the same as before. That is, the Login Attempts section of the Firewall page shows four successive attempts (on the same IP) for [email protected], after which the “locked out” email is sent.

    So, it would appear that the “immediately block” feature doesn’t work in this scenario. If there’s anything else you want me to try, just let me know. Thanks.

    Thread Starter bjf2000

    (@bjf2000)

    Wild theory: Because it’s .ca?

  • The topic ‘What is a username to the “Immediately block the IP” feature?’ is closed to new replies.