Auth0 Home Blog Docs

Removing ip block - no email sent? "We have detected... Please contact the administrator"

anomaly-detection
blocked-account

#1

I was testing the blocking functionality and got this message (this is using webauth):

“We have detected suspicious login behavior and further attempts will be blocked. Please contact the administrator.”

In the logs I see this:
“Someone behind the IP address: xx.xx.xx.xx attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address.”

How would I go about removing the “shield”? I am a dashboard admin and didn’t seem to get an email with the link to remove the block.


#2

The Anomaly Detection features are made of of two parts:

  1. Trigger (e.g. multiple unsuccessful logins), and
  2. Actions (e.g. block login attempts, send email notifications).

To receive email notifications, you need to ensure that this action is enabled from the Anomaly Detection settings in the dashboard:

https://manage.auth0.com/#/anomaly > Brute Force Protection > Targeting Multiple User Accounts > Email Notification

You can also unblock the IP address using the Management API endpoint:
https://auth0.com/docs/api/management/v2#!/User_Blocks/get_user_blocks


#3

I reproduced the situation and will analyze it further; I’ll get back to you whenever I have more information.


#4

Thanks for the info. Emails are enabled for the brute-force anomaly stuff - I had previously been able to get them when logging in more than 10 times and that worked fine.

This seems to be little different of a case. I like how it triggered the block (I was using all sorts of different non-valid user names). As a dashboard admin, I just need to be able to get the email that lets me unblock it, as it does not seem to be tied to a user.


#5

Thanks! I really like the brute force anomaly detection stuff.


#6