I am curious if one could design something to work for these 1 guess 1 ip address attacks assuming these are scripts coming through TOR or a botnet and block them via your FW before they connect. It might also be interesting to classify where these guessing ip's are registered? That could help mitigate some risk by reducing the ip pool down to a known/expected country, etc. see: http://www.ipdeny.com/ipblocks/ for country ranges and associated tools. Note: geoip ranging is not 100% accurate so probably best to pull some of these cidr's from your logs to make sure you don't lock customers out if this is a method you attempt.
I have a script I posted that I use sometimes to track login attacks....https://forums.zimbra.org/viewtopic.php?f=15&t=61294#p286001. It prints the user account and then the hits/misses with web, imap, pop logins... It can also help with identification of users that are not using password managers and potentially have weak passwords as a result.
Code: Select all
% su - zimbra
Total [ 8] - 184.108.40.206 Failed [ 3] - 220.127.116.11 failed web [ 3]
Total [ 10] - 18.104.22.168
Total [ 3] - 22.214.171.124
Total [ 2] - 126.96.36.199
Total [ 2] - 188.8.131.52
So email@example.com doesn't use a password manager given the 3 failed and 5 successful login's from the same ip address. Note: ip addresses are random and not real ip's for this posting.