IBM Support

The IBM QRadar SOAR IP Ban Safety Mechanism Explained

Troubleshooting


Problem

While interfacing with your IBM QRadar SOAR system, or an integration that is tied to your IBM QRadar SOAR system with user credentials, you might encounter behavior that prevents users from logging in.

Symptom

Symptoms of these problems include log messages such as:
  08:53:35.231 [http-bio-8443-exec-1] ERROR com.co3.userauth.UserAuthentication - Failed login attempt for user: baduser@example.com, user is banned
Although this message names the user that attempted to log in, the user account itself is not banned; it is the IP address from which the login attempt was made that is banned.
If you have a group of users working behind a single IP address, such as a proxy that hides their individual IP addresses, all users behind that proxy are stopped from using IBM QRadar SOAR.
The same behavior is seen with App Host: when a single application is configured incorrectly, all applications on that App Host are prevented from connecting.
API keys and their secrets can also cause the IP address from which they are used to be banned.

Cause

  • The first time a login fails from an IP address, a Pending ban is created in server memory. No ban is imposed yet.
  • When the failure count threshold (default: 100 attempts in an hour) is exceeded, an Active ban is created and the IP address is locked out for a fixed period of one hour.
  • An entry is created in the postgres 'ipban' table showing the ban begin and end times, and the 'ipban_repeat' column value is set to 1.
  • If login failures continue within the ban period, each time the failure threshold is exceeded the Active ban is renewed: the failure count is reset to zero, the end time is extended by the fixed period, the 'ipban_repeat' count is incremented, and a new record is written to the 'ipban' table.
  • If the maximum repetition count (for example, 5) is exceeded, the Active ban is promoted to a Permanent ban.
  • On promotion to Permanent status, a new entry with no time limit is written to the 'ipban' table. Logins from this IP address stay blocked until the entry is removed from the table and the server is restarted.
  • If an Active ban expires without the failure threshold being exceeded, the ban is demoted to the Closed state and the 'ipban_enabled' column value is set to false. Logins from the IP address are unblocked.
  • After the ban is closed, further login failures from this IP address cause the behavior above to repeat. However, the 'ipban_repeat' value from the Closed ban is copied to the new Active ban, so past behavior counts towards the eventual imposition of a Permanent ban even if the old bans were closed.
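The following Python model is an added illustration of the state machine above and is not IBM's code; it uses the default thresholds from this article, a constructed IP address and second-based timestamps, treats "exceeded" as strictly more than the threshold, and copies a Closed ban's repeat count unchanged, as described above.

```python
# Added example, not IBM's code: a model of the IP ban state machine described
# above, using the article's defaults (100 failures in an hour, one-hour ban, 5 repeats).
from collections import deque

FAIL_THRESHOLD = 100   # ban created/renewed once failures in WINDOW exceed this
WINDOW = 3600          # failure-count window (one hour)
BAN_DURATION = 3600    # fixed ban length (one hour)
MAX_REPEAT = 5         # exceeding this repeat count promotes the ban to Permanent

class IpBanTracker:
    def __init__(self):
        self.failures = {}  # ip -> failure times: the in-memory Pending ban counter
        self.bans = {}      # ip -> {"repeat", "end", "enabled", "permanent"}
        self.rows = []      # each record written to the modelled 'ipban' table

    def is_banned(self, ip, now):
        ban = self.bans.get(ip)
        if ban is None or not ban["enabled"]:
            return False
        if ban["permanent"]:
            return True
        if now >= ban["end"]:       # Active ban expired -> Closed (ipban_enabled=false)
            ban["enabled"] = False
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed login from ip and return the resulting ban state."""
        blocked = self.is_banned(ip, now)
        ban = self.bans.get(ip)
        if blocked and ban["permanent"]:
            return "Permanent"
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        while q[0] <= now - WINDOW:  # forget failures older than the window
            q.popleft()
        if len(q) <= FAIL_THRESHOLD:
            return "Active" if blocked else "Pending"
        q.clear()                    # failure count is reset to zero
        if blocked:                  # threshold exceeded during the ban: renew it
            ban["repeat"] += 1
            ban["end"] += BAN_DURATION
        else:                        # new Active ban; a Closed ban's repeat carries over
            ban = {"repeat": ban["repeat"] if ban else 1, "end": now + BAN_DURATION,
                   "enabled": True, "permanent": False}
            self.bans[ip] = ban
        if ban["repeat"] > MAX_REPEAT:  # promotion: Permanent ban with no end time
            ban["permanent"], ban["end"] = True, None
        self.rows.append(dict(ban, ip=ip))
        return "Permanent" if ban["permanent"] else "Active"
```

Running 101 failures from one proxy address trips the first Active ban; five further bursts inside the ban window renew it to repeat 6 and promote it to Permanent, which is exactly the situation the SQL cleanup below is needed for.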

Diagnosing The Problem

To address this issue, ensure that the affected users or API keys are using valid credentials.
If an automated integration user is causing a ban, you need to stop the integration before adjusting credentials.

Resolving The Problem

V43 and later
In v43, we introduced the functionality to remove an IP ban from the UI from System Settings - Blocked IPs. More information is available at https://www.ibm.com/docs/en/sqsp - choose version - Systems Administrator - Systems Settings - Blocked IPs.
You must have the required permissions to see System Settings and the tabs underneath it. If you do not see this tab, then do the following.
  1. Ask someone who already has access to System Settings to add you in System Permissions and enable the "Manage Blocked IPs" permission. More information is available at https://www.ibm.com/docs/en/sqsp - choose version - Systems Administrator - Systems Settings - System permissions.
  2. Alternatively, obtain the permission by running sudo resutil newuser -email "<user_account>" -org "<org_name>" -sysadmin. More information is available at https://www.ibm.com/docs/en/sqsp - choose version - Systems Administrator - Systems Settings.
    1. Log back in to IBM QRadar SOAR, go to Systems Settings - Systems Permissions, and check the "Manage Blocked IPs" permission.
    2. The "Blocked IPs" tab becomes visible after a page refresh.
You can now remove the IP ban from the UI without a restart being required.
V42 and older
To remove an IP ban on versions of IBM QRadar SOAR before v43, you need to run SQL commands from the CLI and then restart the application.
To view the entries in your IP ban database table:
  sudo -u postgres psql co3 -c "select * from monapp.ipban;"
To remove all entries from the database table:
  sudo -u postgres psql co3 -c "delete from monapp.ipban;"
To remove a specific row from the database table (replace N with the ipban_id of that row):
  sudo -u postgres psql co3 -c "delete from monapp.ipban where ipban_id = N;"
Deleting entries from the table with these database commands requires a restart of IBM QRadar SOAR:
  sudo systemctl restart resilient

Document Location

Worldwide


Document Information

Modified date:
05 January 2024

UID

ibm16365873