Question
FortiSIEM account locked due to excessive login failures
Hi Community,
Recently our FortiSIEM is flooded every 2 seconds with "System user account locked due to excessive login failures" by user SYSTEM(su). Which generates an Incident that locks out the user...
The Short Process Name is AppServer but the remarkable thing is, that the request comes from it's own IP address (=192.168.1.1):
[root@FortiSIEM logs]# tail -f /var/log/httpd/ssl_request_log | grep 192.168.1.1 192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:18 +0100] "GET /phoenix/rest/sync/task?custId=1&agentId=1&time=1740751638&phProcessName=phMonitorSupervisor HTTP/1.1" 200 112 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-" 192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
I can't seem to find out or block the IP, for example with an .htaccess file.
Has anyone got a clue on how to solve this?