The default Plesk login brute force rules don't seem strict enough to me.
Unlike the situation with email brute force, where you have to allow for users doing daft things or not realising their device has the wrong password and letting it retry endlessly, brute force attacks on Plesk itself, especially using the admin username, need pretty immediate action, I think.
What I'm seeing is something in the region of 128 login attempts before either 17506 or 17507 kick in.
I don't know how quickly ossec-hids can react, but personally I'd like a shun after 30 seconds at most. So maybe 5 to 10 failures in 30 seconds.
Is there a safe way to edit the current rules? Or do I have to create a custom rule?
Plesk brute force rules
Plesk brute force rules
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Plesk brute force rules
Could you share you logs?
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: Plesk brute force rules
Done. #1470 in zendesk.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>