Plesk brute force rules
Posted: Thu Mar 16, 2017 10:48 am
The default Plesk login brute force rules don't seem strict enough to me.
Unlike the situation with email brute force, where you have to allow for users doing daft things or not realising their device has the wrong password and letting it retry endlessly, brute force attacks on Plesk itself, especially using the admin username, need pretty immediate action, I think.
What I'm seeing is something in the region of 128 login attempts before either 17506 or 17507 kicks in.
I don't know how quickly ossec-hids can react, but personally I'd like a shun after 30 seconds at most. So maybe 5 to 10 failures in 30 seconds.
Is there a safe way to edit the current rules? Or do I have to create a custom rule?