Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
This feature was shipped in Domino 12.0
For more details, see: https://help.hcltechsw.com/domino/12.0.0/admin/wn_enforce_inet_password_lockout_based_on_ip.html
Thomas Hampel: The Domino server does know the real IP address, as it's already implemented in the logging feature if X-forwarded-for IP is set.
For this I use https://ipban.com/ which has a free and a pro version and it's amazing.
I think that the Security Feature is a good already implemented solution, but here's the same problem that it will block the IP address of the proxy :-)
see https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1620
@Thomas: so it's important to include the X-forwarded-for IP address in the logs. Have a look at my idea -> Include XForwardedFor IP address in log.nsf / domlog.nsf
Yes, of course. You can't block by IP if you don't get the real IP, that's obvious.
There is a problem in the implementation when you have a reverse proxy involved (does not show the proxied IP). Has this been addressed? There are workarounds but it causes delays in fail2ban responding to events.
http://blog.nashcom.de/nashcomblog.nsf/dx/fail2ban-support-for-domino-intrusion-detection.htm
https://blog.mmi-consult.de/faq/dx/ipban-konfiguration-mit-domino-unter-windows-intrusion-detection.htm
This feature is implemented by Daniel Nashed, so it can be closed. Vlaad.
Very disappointed that IBM developers never considered the option to block IP addresses dynamically. Locking out user accounts is not a robust solution and, as the original poster correctly pointed out, it ends up locking a legit user and the hacker then moves on to another account. In fact, knowing that the account has been locked out further assists the hacker in learning that it actually is an active account. Often hackers attempt to use invalid accounts trying to guess one, but locking the account tips off the attacker and actually helps them build intelligence. Please build in a way to block IPs after 10, 20, 30 authentication failures; this should have been thought of ages ago. IBM developers, please wake up!!
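The reverse-proxy problem raised in several comments above, as an added example (not part of the thread, and not Domino, fail2ban or IPBan code): failed logins are counted per client address, and X-Forwarded-For is honoured only when the connection comes from a known proxy. The proxy network, all addresses, the event tuples and the function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: the reverse proxies live in this network (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Return the address that failed logins should be counted against."""
    # A direct connection can put anything in X-Forwarded-For, so ignore it.
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first untrusted one is the client they actually saw.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer  # no usable header: fall back to the proxy address

def ips_to_block(events, threshold, key=client_ip):
    """Addresses with at least `threshold` failed logins."""
    failures = Counter(key(peer, xff) for peer, xff in events)
    return sorted(ip for ip, n in failures.items() if n >= threshold)

# Constructed sample: (TCP peer, X-Forwarded-For header) per failed login.
EVENTS = (
    [("10.0.0.5", "203.0.113.7")] * 3        # repeated failures via the proxy
    + [("10.0.0.5", "198.51.100.20")]        # another user, one typo, same proxy
    + [("192.0.2.44", "198.51.100.20")] * 3  # direct connection, forged header
)

if __name__ == "__main__":
    # Counting by TCP peer blocks the proxy, and with it every user behind it.
    print("by peer:  ", ips_to_block(EVENTS, 3, key=lambda peer, xff: peer))
    # Counting by resolved client blocks only the two offending addresses.
    print("by client:", ips_to_block(EVENTS, 3))
```
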