I was testing the blocking functionality and got this message (this is using webauth):
“We have detected suspicious login behavior and further attempts will be blocked. Please contact the administrator.”
In the logs I see this:
“Someone behind the IP address: xx.xx.xx.xx attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address.”
How would I go about removing the “shield”? I am a dashboard admin and didn’t seem to get an email with the link to remove the block.
The Anomaly Detection features are made up of two parts:
- Trigger (e.g. multiple unsuccessful logins), and
- Actions (e.g. block login attempts, send email notifications).
To receive email notifications, you need to ensure that this action is enabled from the Anomaly Detection settings in the dashboard:
https://manage.auth0.com/#/anomaly > Brute Force Protection > Targeting Multiple User Accounts > Email Notification
You can also unblock the IP address using the Management API endpoint:
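A sketch of the API-based unblock mentioned in the answer above, added here as an example and not code from the thread or from Auth0: it checks whether the IP is currently blocked and removes the block only if it is. The path `/api/v2/anomaly/blocks/ips/{id}` and the 200/404/204 status codes are taken from the Management API v2 documentation for the anomaly resource rather than from this page; the tenant domain, the token (assumed to carry the `read:anomaly_blocks` and `delete:anomaly_blocks` scopes) and the function names are placeholders.

```python
import ipaddress
import urllib.error
import urllib.parse
import urllib.request


def build_request(domain, token, ip, method):
    """Build a Management API v2 request for the anomaly IP-block resource."""
    # Normalise and validate first, so a log placeholder such as
    # "xx.xx.xx.xx" or a stray path fragment never reaches the URL.
    ip = str(ipaddress.ip_address(ip))
    url = "https://{}/api/v2/anomaly/blocks/ips/{}".format(
        domain, urllib.parse.quote(ip, safe=""))
    return urllib.request.Request(
        url, method=method, headers={"Authorization": "Bearer " + token})


def _status(req, send):
    """Send the request and return the HTTP status, including 4xx/5xx."""
    try:
        with send(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unblock_ip(domain, token, ip, send=urllib.request.urlopen):
    """Return 'not_blocked' or 'unblocked'; raise on any other outcome.

    `send` is injectable so the logic can be exercised without network access.
    """
    # GET: 200 means the IP is currently blocked, 404 means it is not.
    check = _status(build_request(domain, token, ip, "GET"), send)
    if check == 404:
        return "not_blocked"
    if check != 200:
        # 401/403 here usually means the token lacks the required scope.
        raise RuntimeError("block check failed: HTTP {}".format(check))
    # DELETE: 204 means the block was removed.
    removed = _status(build_request(domain, token, ip, "DELETE"), send)
    if removed != 204:
        raise RuntimeError("unblock failed: HTTP {}".format(removed))
    return "unblocked"
```

The IP to pass is the one shown in the tenant log entry for the block; calling `unblock_ip("YOUR_TENANT_DOMAIN", token, ip)` with the default `send` performs the real requests.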
I reproduced the situation and will analyze it further; I’ll get back to you whenever I have more information.
Thanks for the info. Emails are enabled for the brute-force anomaly stuff - I had previously been able to get them when logging in more than 10 times and that worked fine.
This seems to be a slightly different case. I like how it triggered the block (I was using all sorts of different non-valid user names). As a dashboard admin, I just need to be able to get the email that lets me unblock it, as it does not seem to be tied to a user.
Thanks! I really like the brute force anomaly detection stuff.