Custom Reports for Blocked IPs

We recently assisted a customer who was having trouble identifying the true source IP addresses of devices that were getting blocked in Passwordstate. A block occurs when Passwordstate recognizes a potential Brute Force Attack, typically when a user exceeds the number of failed login attempts set under Administration->System Settings->Authentication Options->Web Authentication Options.

The key to identifying the right IP addresses to block is configuring X-Forwarded-For Support. This lets you record the IP addresses of trusted devices, such as Load Balancers, Firewalls and Proxy Servers, so that they are not seen as the originating IP address when client traffic traverses these devices. This is configured under Administration->System Settings->Proxy & Syslog Servers->X-Forwarded-For Support.

For this to be effective you'll need to configure your Load Balancers, Firewalls and Proxy Servers for X-Forwarded-For support. This will differ for each vendor's products, and you'll need to reference their documentation or contact them via your established support arrangements.
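
The trusted-device idea above, as an added Python example (not Passwordstate's own code): it resolves the originating address from an X-Forwarded-For header by walking it right to left and stopping at the first address that is not a trusted device. The function names, the trusted list and all addresses are constructed for illustration, and the right-to-left rule is the general technique, assumed here rather than taken from Passwordstate's documentation.

```python
import ipaddress

# Constructed sample list of trusted devices (load balancer, proxy subnet).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.1.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_hop(token):
    """Parse one X-Forwarded-For entry; return None if it is not an IP address."""
    token = token.strip()
    if token.startswith("["):            # bracketed IPv6, optionally with a port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # IPv4 with a port appended
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def resolve_client_ip(peer_ip, xff_header):
    """Return the address to record for a request.

    peer_ip is the TCP source address the web server saw; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an untrusted peer is client-controlled, so ignore it.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    candidate = peer
    # Walk right to left: each trusted device appended the address it received from.
    for token in reversed(xff_header.split(",")):
        hop = parse_hop(token)
        if hop is None:
            break                        # malformed entry: keep the last verified hop
        candidate = hop
        if not is_trusted(hop):
            break                        # first untrusted hop is the originating client
    return str(candidate)
```

If the trusted list is empty or incomplete, every request resolves to the load balancer or proxy address, which is the situation that leaves a blocked IP report pointing at the wrong device.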

Setting Up A Report

Once you've configured the X-Forwarded-For Support in Passwordstate, and on your associated network devices, you're ready to set up a report to correctly identify any devices' IP addresses that are being blocked. To set up a scheduled report showing these IP addresses, navigate to Reports->Scheduled Reports and click on Add Report.

This will take you to the Add Scheduled Report Screen and report settings tab. From here you'll need to add a Report Name, decide if you want to CC Report To anyone else, choose the Email Report As format, select Do not send report if it produces no results (highly recommended) and select the report type as Custom Auditing Report.

Next, click on the schedule tab.

From here you'll select a Report Frequency of One Time, select Generate report every, set the Hours to 00 and the Minutes to 05. Now we're ready to set the audit criteria to search for. To do this, select the auditing settings tab.

From here you'll select a Platform of All and Instance of Both. Next, select Activity Type of Brute Forced Blocked IP Added, set the Query Previous Days to 0, Hours to 0 and Minutes to 5, and then click on Save Report.

You'll now be taken back to the Scheduled Reports screen and you can see the report has been created and scheduled to run every 5 minutes.

When the Scheduled Report executes, if there are IP addresses that have been blocked you'll be emailed the report. If no IP addresses are blocked you won't get a report. You now have the details within 5 minutes of a block occurring, and can track down what is happening on those devices and rectify the situation accordingly.

If you’d like to share your feedback please send it through to