You have noticed a number of suspicious login attempts from unknown IP addresses in your Audit and Security logs, and you want a way to reduce these attempts and secure your server against potential password guessing attacks.
Kerio Connect can block IP addresses suspected of password guessing attacks (by default, after three unsuccessful attempts in one minute). The feature's default values can be adjusted in Mailserver.cfg on your Kerio Connect server.
The steps below describe how to enable the feature with its default settings; further customization is described in Unlocking Accounts for Locked-Out Users in Kerio Connect. That article also details the process for unblocking accounts that were locked because this setting was enabled.
- Go to Configuration > Security > Security Policy tab.
- Check the Block IP addresses suspicious of password guessing attacks option.
Note: An IP address is blocked per service. If POP3 is blocked, an attacker can still attempt to log in via IMAP.
- You can choose a group of trustworthy IP addresses.
- To block all services, check the option Block user accounts probably targeted by password guessing to lock the affected accounts.
- Click OK.
Once enabled, users who enter their password incorrectly the defined number of times (by default, three unsuccessful attempts) are blocked for the defined "Lockout Reset Interval" (by default, five minutes).
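To audit which sources would trip the default threshold, and to see the per-service gap from the note above, the following added example (not Kerio Connect code) counts failed logins per IP address and service in a sliding one-minute window. The event tuples are constructed and are not Kerio Connect's log format; the sliding-window interpretation and the function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                   # page default: three unsuccessful attempts
WINDOW = timedelta(minutes=1)   # page default: within one minute

# Constructed sample events (NOT Kerio Connect's log format):
# (timestamp, source IP, service, login succeeded?)
EVENTS = [
    ("2024-05-01 10:00:05", "203.0.113.7", "POP3", False),
    ("2024-05-01 10:00:20", "203.0.113.7", "POP3", False),
    ("2024-05-01 10:00:41", "203.0.113.7", "POP3", False),
    ("2024-05-01 10:00:50", "203.0.113.7", "IMAP", False),
    ("2024-05-01 10:01:30", "203.0.113.7", "IMAP", False),
    ("2024-05-01 10:00:10", "198.51.100.4", "SMTP", False),
    ("2024-05-01 10:02:10", "198.51.100.4", "SMTP", False),
    ("2024-05-01 10:04:10", "198.51.100.4", "SMTP", False),
]

def find_block_candidates(events, trusted=frozenset()):
    """Return {(ip, service): time the threshold was first reached}."""
    recent = defaultdict(deque)  # (ip, service) -> failure times inside WINDOW
    hits = {}
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip, svc, ok)
        for t, ip, svc, ok in events
    )
    for ts, ip, svc, ok in parsed:
        if ok or ip in trusted:      # trusted group is never counted
            continue
        q = recent[(ip, svc)]
        q.append(ts)
        while ts - q[0] >= WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            hits.setdefault((ip, svc), ts)
    return hits

def unblocked_services(events, hits):
    """Services a flagged IP also tried without reaching the threshold there."""
    flagged_ips = {ip for ip, _ in hits}
    out = defaultdict(set)
    for _, ip, svc, _ in events:
        if ip in flagged_ips and (ip, svc) not in hits:
            out[ip].add(svc)
    return dict(out)
```

In the sample, 203.0.113.7 reaches the threshold on POP3 only, and `unblocked_services` reports IMAP as a service that same address is still trying.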