IBM Support

Troubleshooting which IP addresses are getting blocked by the QRadar block policy

Troubleshooting


Problem

This article shows you how to determine which IP address(es) are getting blocked.

  • When too many login attempts fail from the QRadar UI for a specific IP address, the IP address gets blocked according to the Authentication Settings set by the QRadar Admin. 
  • Blocked IP addresses commonly occur when networks are configured to have QRadar users login to the QRadar UI through a load balancer or a jump box.  If one user, coming from an IP address shared by other users, exceeds their login attempts up to the threshold defined, it blocks logins for all other users whose source IP address is the same.
Currently, to unblock any blocked IP addresses, a restart of the tomcat service is needed. See the article: QRadar: Error message "The host has been temporarily blocked due too many log in attempts. Please try again later".  The article also discusses how to adjust the Authentication Settings.

Resolving The Problem

While blocked IP addresses are stored within memory of the tomcat service and are not human readable, login attempts are logged and searchable in the /var/log/audit/audit.log file on the console machine.
Use the following grep command examples to conduct your own searches for failed and blocked login attempts. In these examples, the IP Address 192.0.2.50 is the source IP address of the user attempting to login.
Search for successful login attempts:
# grep login /var/log/httpd/ssl_access_log | grep "200 -"

Sample output:
192.0.2.50 - - [09/Apr/2020:16:23:41 -0700] "POST /console/login HTTP/1.1" 200 -
Search for failed login attempts logged to audit.log:
# grep LoginFailed /var/log/audit/audit.log

Sample output:
Apr  9 16:22:43 ::ffff:127.0.0.1 [email protected] (2663) /console/login | [Authentication] [User] [LoginFailed] Local authentication failed. UserName = Admin
Search for failed login attempts logged to /var/log/httpd/ssl_access_log that have NOT been blocked:
# grep login /var/log/httpd/ssl_access_log | grep "401 341"

Sample output:
192.0.2.50 - - [09/Apr/2020:16:26:18 -0700] "POST /console/login HTTP/1.1" 401 341
Search for failed login attempts logged to /var/log/httpd/ssl_access_log that have been blocked:
# grep login /var/log/httpd/ssl_access_log | grep "401 242"

Sample output:
192.0.2.50 - - [09/Apr/2020:16:26:23 -0700] "POST /console/login HTTP/1.1" 401 242
To immediately unblock a blocked IP address, either wait for the Login Failure Block Time value to expire, or restart the tomcat service (systemctl restart tomcat).
Note: There is currently a Request for Enhancement (RFE) to give the QRadar Admin the ability to unblock an IP address without having to restart the tomcat service - Add the ability to unblock a host when it's been blocked due to excessive logon failures. You can login to RFE community to upvote it.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000bmBzAAI","label":"QRadar-\u003EUser Management-\u003EAuthentication"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
30 June 2020

UID

ibm16208030