Brute Force Protection is configured in the policy settings of your Malwarebytes Nebula console. Based on these configurations, the Malwarebytes Endpoint Agent monitors failed Windows™ protocol login attempts and creates a Windows Firewall rule to temporarily block the incoming IP address.
For system requirements, see Brute Force Protection feature requirements.
IMPORTANT: Enabling this feature may enable the Windows Firewall, depending on how attacks are handled in the Trigger rule:
- Block mode: Windows Firewall is automatically enabled; attacks are blocked and reported.
- Monitor and detect mode: Windows Firewall is not enabled; attacks are only reported.
To follow the steps in this article, enable the New policies experience switch in the Policies page.
If the new policies experience is disabled, locate these policy settings by referring to Malwarebytes Nebula policy with new experience disabled.
Brute Force protection
To configure Brute Force Protection:
- Log in to Malwarebytes Nebula.
- In the left navigation pane, go to Settings > Policies.
- Select a policy. Then select the Brute force protection tab.
- Select the following protocols for your workstations or servers:
  - Workstation and server protocols: Check mark the RDP protocol.
  - Server-only protocols: Check mark the FTP, IMAP, MSSQL, POP3, or SMTP protocols.
- Change the Port fields based on your endpoint environment and protocol requirements.
  - Workstation and server protocols: You may specify a port to monitor. If you don't know the port number across your protected endpoints, leave this field blank. When left blank, Malwarebytes monitors the port number(s) already in use by the endpoints.
  - Server-only protocols: These default to the Windows recommended port settings. Manually configure the ports if your server protocol settings differ from the Windows default ports.
- Create a Trigger rule based on the number of failed remote login attempts within a set number of minutes across all enabled protocols. Choose to either block the IP address, or monitor and detect the event when the trigger threshold is reached.
- Optionally, check mark the Prevent private network connections from being blocked option. When enabled, endpoints within private network address ranges will not trigger Brute Force Protection due to failed login attempts. This excludes the following network ranges:
  - 10.0.0.0/8 (10.0.0.0-10.255.255.255)
  - 172.16.0.0/12 (172.16.0.0-172.31.255.255)
  - 192.168.0.0/16 (192.168.0.0-192.168.255.255)
  - 127.0.0.0/8 (127.0.0.0-127.255.255.255)
- Click Save at the top-right of your policy.
When your Brute Force Protection rule is triggered, the event is logged on your Detections page as an intrusion based on the protocol triggered. If your rule is set to block, a Windows Firewall rule is created on the endpoint and the event displays on the Active Block Rules page. For more information, see Active Block Rules in Malwarebytes Nebula.
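To reason about threshold and window choices before saving a policy, the following added example (not Malwarebytes code; this page does not document the agent's counting logic) models a Trigger rule over constructed failed-login events. It assumes failures are counted per source IP in a sliding window across all protocols; `evaluate`, `EXEMPT` and `SAMPLE` are hypothetical names.

```python
import ipaddress
from collections import defaultdict, deque

# Ranges the page lists under "Prevent private network connections from being blocked".
EXEMPT = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def evaluate(events, threshold, window_minutes, mode="block", exempt_private=True):
    """Model of a trigger rule (assumed semantics, not the agent's code).
    events: time-ordered (epoch_seconds, source_ip, protocol) failed logins.
    Returns [(timestamp, source_ip, action)] for each time the rule fires."""
    window = window_minutes * 60
    recent = defaultdict(deque)      # source_ip -> failure times inside the window
    blocked, decisions = set(), []
    for ts, ip, _protocol in events:  # protocol ignored: count spans all protocols
        addr = ipaddress.ip_address(ip)
        if exempt_private and any(addr in net for net in EXEMPT):
            continue                 # exempt sources never count toward the trigger
        if ip in blocked:
            continue                 # assumption: firewall rule already drops this IP
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()              # forget failures older than the window
        if len(q) >= threshold:
            decisions.append((ts, ip, "block" if mode == "block" else "report"))
            if mode == "block":
                blocked.add(ip)
            q.clear()                # start counting afresh after the rule fires
    return decisions

# Constructed sample events (documentation-range and private addresses).
SAMPLE = [
    (0, "203.0.113.7", "RDP"), (20, "192.168.1.50", "RDP"),
    (40, "203.0.113.7", "SMTP"), (60, "192.168.1.50", "RDP"),
    (80, "203.0.113.7", "RDP"), (90, "192.168.1.50", "RDP"),
    (100, "198.51.100.9", "FTP"), (700, "198.51.100.9", "FTP"),
    (710, "198.51.100.9", "FTP"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE, threshold=3, window_minutes=5):
        print(row)
```

With the private-range option on, the constructed internal host 192.168.1.50 never fires the rule despite three failures in 70 seconds; weigh that gap when deciding whether to enable the exemption on networks where internal hosts are not fully trusted.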
A dashboard widget is available to view a global map of all Brute Force detections for the past 7 days and includes targeted endpoint information. For more information, see Dashboard page in Malwarebytes Nebula.