Today we had an interesting support question.
Someone is trying to brute-force a customer's account, using the same account name but from a lot of different IP addresses. They only try once or twice from each IP address, so they never trigger Syspeace's default rule and the IP addresses are not blocked.
The suggestion that we eventually came up with is to create a rule based on the user name and set the allowed attempts to only 1 failed attempt, making Syspeace block the IP address immediately.
In this scenario, though, one must also keep in mind that the legitimate user will be blocked instantly after one failed try, so there may be good reason to whitelist the IP addresses that this user usually logs in from.
Furthermore, the reason for this specific and targeted user attack should be investigated more closely and also be handed over to the proper authorities for investigation.
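The gap described above, and the user-name rule that closes it, sketched as an added example (this is not Syspeace's own code or rule engine). The account names, the documentation-range IP addresses and the per-IP threshold of 5 failures in 30 minutes are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events: (time, account, source IP). Not real data.
T0 = datetime(2024, 1, 1, 9, 0)
WINDOW = timedelta(minutes=30)
FAILED = [(T0 + timedelta(minutes=i), "jsmith", f"203.0.113.{10 + i // 2}")
          for i in range(20)]                            # 10 IPs, 2 tries each
FAILED.append((T0 + timedelta(minutes=3), "jsmith", "198.51.100.7"))  # real user's typo
FAILED += [(T0 + timedelta(seconds=s), "admin", "192.0.2.50")
           for s in range(6)]                            # single-IP burst

def per_ip_blocks(events, threshold, window, account=None, allow=()):
    """IPs reaching `threshold` failures inside `window`.
    With `account` set, only that account's failures count (user-name rule);
    IPs in `allow` are never blocked (whitelist)."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        if ip in allow or (account and user != account):
            continue
        by_ip[ip].append(ts)
    blocked = set()
    for ip, times in by_ip.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked.add(ip)
                break
    return blocked

def distributed_targets(events, min_ips, window):
    """Accounts that failed from at least `min_ips` distinct IPs in one window."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    hits = {}
    for user, rows in by_user.items():
        best = max(len({ip for ts, ip in rows[i:] if ts - start <= window})
                   for i, (start, _) in enumerate(rows))
        if best >= min_ips:
            hits[user] = best
    return hits

if __name__ == "__main__":
    print("per-IP rule blocks:", per_ip_blocks(FAILED, 5, WINDOW))
    print("accounts hit from many IPs:", distributed_targets(FAILED, 5, WINDOW))
    print("user rule, no whitelist:",
          sorted(per_ip_blocks(FAILED, 1, WINDOW, account="jsmith")))
    print("user rule, whitelist:", sorted(per_ip_blocks(
        FAILED, 1, WINDOW, account="jsmith", allow={"198.51.100.7"})))
```

Counting distinct source IPs per account is what surfaces this pattern in the first place; the per-IP count alone only catches the single-IP burst.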