I am curious if one could design something to work for these 1-guess-1-IP-address attacks, assuming these are scripts coming through TOR or a botnet, and block them via your FW before they connect. It might also be interesting to classify where these guessing IPs are registered. That could help mitigate some risk by reducing the IP pool down to a known/expected country, etc. See: http://www.ipdeny.com/ipblocks/ for country ranges and associated tools. Note: GeoIP ranging is not 100% accurate, so it is probably best to pull some of these CIDRs from your logs to make sure you don't lock customers out if this is a method you attempt.
I have a script I posted that I use sometimes to track login attacks: viewtopic.php?f=15&t=61294#p286001. It prints the user account and then the hits/misses with web, IMAP, and POP logins. It can also help with identification of users that are not using password managers and potentially have weak passwords as a result.
Code:
% su - zimbra
% check_login.pl
compliance@example.com
Total [ 8] - 69.5.8.6 Failed [ 3] - 69.5.8.6 failed web [ 3]
a.user@example.com
Total [ 10] - 72.55.77.6
Total [ 3] - 7.215.121.202
Total [ 2] - 17.17.127.190
Total [ 2] - 17.17.122.30
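As an added example (not the poster's check_login.pl and not Zimbra's own log format), a Python sketch of the same per-account, per-IP tally over constructed log lines in an assumed simplified format, plus a check for the one-guess-per-IP pattern discussed above and a /24 collapse so the sources can be compared against country ranges or a customer allowlist before any firewall rule is written.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED format: "<time> <account> <ip> <proto> <ok|fail>".
# Real mailbox logs need their own regex; only the field layout below is assumed here.
SAMPLE_LOG = """\
2024-01-01T10:00:01 compliance@example.com 69.5.8.6 web fail
2024-01-01T10:00:05 compliance@example.com 69.5.8.6 web fail
2024-01-01T10:00:09 compliance@example.com 69.5.8.6 web fail
2024-01-01T10:01:00 compliance@example.com 69.5.8.6 imap ok
2024-01-01T11:00:00 a.user@example.com 72.55.77.6 imap ok
2024-01-01T11:00:01 a.user@example.com 7.215.121.202 web fail
2024-01-01T11:00:02 a.user@example.com 17.17.127.190 web fail
2024-01-01T11:00:03 a.user@example.com 17.17.122.30 web fail
2024-01-01T11:00:04 a.user@example.com 198.51.100.7 pop fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (ok|fail)$")

def summarize(log_text):
    """Return {account: {ip: {"total": n, "failed": n, "failed_by_proto": {proto: n}}}}."""
    stats = defaultdict(lambda: defaultdict(
        lambda: {"total": 0, "failed": 0, "failed_by_proto": defaultdict(int)}))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed layout
        _, account, ip, proto, result = m.groups()
        entry = stats[account][ip]
        entry["total"] += 1
        if result == "fail":
            entry["failed"] += 1
            entry["failed_by_proto"][proto] += 1
    return stats

def distributed_guessing(stats, min_ips=3, max_attempts_per_ip=1):
    """Accounts probed from many source IPs that each fail only once or twice:
    the pattern a per-IP lockout threshold never reaches."""
    flagged = {}
    for account, per_ip in stats.items():
        low_and_slow = [ip for ip, e in per_ip.items()
                        if e["failed"] and e["failed"] <= max_attempts_per_ip]
        if len(low_and_slow) >= min_ips:
            flagged[account] = sorted(low_and_slow)
    return flagged

def to_cidr24(ips):
    """Collapse IPs to /24 prefixes for comparison against country lists or known customer ranges."""
    return sorted({".".join(ip.split(".")[:3]) + ".0/24" for ip in ips})

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for account, ips in distributed_guessing(s).items():
        print(f"distributed guessing against {account}: {ips} -> {to_cidr24(ips)}")
```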