TippingPoint

X-506 - how to figure out which rule is allowing traffic in (to counter a brute force attack)

 
jdoebling
Occasional Contributor


We have an X-506 security appliance. I am getting tons of messages where one IP address is trying to gain access over and over again. The message in my emails is:

 

<firewallname> <f/w mgmt IP> System Log Notification (error): IP address 210.56.24.226 exceeded max login attempts - could be brute force login attack

 

When I look at the logs, I see hundreds (sometimes thousands) of login attempts from the same external IP address.

 

Is there any way to pinpoint the rule that is letting them in so I can modify it to prevent external IPs from trying to log in to the device?