#dominoforever | Product Ideas Portal

Fail2Ban for IBM Domino

When Domino is available over the internet, SMTP or HTTP and other services may be used by hackers to brute-force passwords.

While we have internetLockout functionality that stops hackers, they can try to access different accounts and lock users.

This is a DoS attack, since the user does not get access.

Please think about functionality that is able to dynamically block IP addresses from which we received N authorization failure attempts.

  • Guest
  • Nov 23 2018
  • Shipped
  • Admin
    Thomas Hampel commented
    10 Aug, 2021 08:47pm

    This feature was shipped in Domino 12.0

    For more details see this: https://help.hcltechsw.com/domino/12.0.0/admin/wn_enforce_inet_password_lockout_based_on_ip.html

  • Guest commented
    9 Jun, 2021 09:29am

    Thomas Hampel: The Domino server does know the real IP address, as it's already implemented in the logging feature if X-forwarded-for IP is set.

  • Guest commented
    15 Mar, 2021 12:15pm

    For this I use https://ipban.com/ which has a free and a pro version and it's amazing.

  • Guest commented
    10 Mar, 2021 01:48pm

    I think that the Security Feature is a good already implemented solution, but here's the same problem that it will block the IP address of the proxy :-)
    see https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1620

  • Guest commented
    13 Jan, 2020 08:55am

    @Thomas: so it's important to include the X-forwarded-for IP address in the logs. Have a look at my idea -> Include XForwardedFor IP address in log.nsf / domlog.nsf

  • Admin
    Thomas Hampel commented
    10 Jan, 2020 09:22pm

    Yes, of course. You can't block by IP if you don't get the real IP, that's obvious.

  • Guest commented
    10 Jan, 2020 09:17pm

    There is a problem in the implementation when you have a reverse proxy involved (does not show the proxied IP). Has this been addressed? There are workarounds but it causes delays in fail2ban responding to events.

  • Guest commented
    2 Sep, 2019 09:30am

    This feature is implemented by Daniel Nashed, so it can be closed. Vlaad.

  • Guest commented
    6 Feb, 2019 04:51pm

    Very disappointed that IBM developers never considered the option to block IP addresses dynamically. Locking out user accounts is not a robust solution and, as the original poster correctly pointed out, it ends up locking a legit user and the hacker then moves on to another account. In fact, knowing that the account has been locked out further assists the hacker in learning that it actually is an active account. Often hackers attempt to use invalid accounts trying to guess one, but locking the account tips off the attacker and actually helps them build intelligence. Please build in a way to block IPs after 10, 20, 30 authentication failures; this should have been thought of ages ago. IBM developers, please wake up!!
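
The per-IP blocking requested in this thread, together with the reverse-proxy caveat raised in the comments, as an added example that is not part of the original posts and is not Domino or fail2ban code. The event tuple layout, the trusted proxy range, the threshold and the window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values, not taken from the thread or from Domino.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
MAX_FAILURES = 3        # the "N" from the original request
WINDOW_SECONDS = 600

def _is_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Pick the address to count failures against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    a direct client could otherwise forge the header to get someone else banned.
    """
    if xff and _is_proxy(ip_address(peer)):
        # Right to left: the right-most non-proxy hop is what our own proxy saw.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            try:
                addr = ip_address(hop)
            except ValueError:
                break  # malformed header: fall back to the peer address
            if not _is_proxy(addr):
                return str(addr)
    return peer

def banned_ips(events):
    """events: (epoch_seconds, peer_ip, xff_header, user, auth_ok) tuples."""
    recent, banned = defaultdict(deque), set()
    for ts, peer, xff, _user, ok in events:
        if ok:
            continue
        q = recent[client_ip(peer, xff)]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            banned.add(client_ip(peer, xff))
    return banned

# Constructed sample: one source trying several accounts through the proxy.
SAMPLE = [
    (1000, "10.0.0.5", "203.0.113.7", "alice", False),
    (1010, "10.0.0.5", "203.0.113.7", "bob", False),
    (1020, "10.0.0.5", "198.51.100.9", "carol", False),
    (1030, "10.0.0.5", "203.0.113.7", "dave", False),
    (1040, "192.0.2.44", "10.0.0.5", "erin", False),  # untrusted peer, forged XFF
]
```

Counting per source address rather than per account flags 203.0.113.7 without locking alice, bob or dave, and the proxy address 10.0.0.5 itself is never banned.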