Using Syspeace for a targeted bruteforce attack against a specific username

Today we had an interesting support question.

Someone is trying to brute force a customer using the same account name but from a lot of different IP addresses and they only try once or twice from each IP address thus not triggering Syspeace to block the IP address based on the default rule.

The suggestion we eventually came up with is to create a rule based on the user name and set the allowed attempts to only 1 failed attempt. therefore making Syspeace block the IP address immediately.

In this scenario though, one must also keep in mind that legitimate users will get blocked out instantly after one failed try so there might be a good reason to whitelist the IP addresses that this user usually logs in from.

Furthermore, the reason for this specific and targeted user attack should be investigated more closely and handed over to the proper authorities for investigation.