Mideye Shield Configuration – Automated Brute Force Protection and IP Blocking
Overview
The Mideye Shield Configuration page controls MideyeServer’s automated threat protection system. Mideye Shield evaluates the fraud score of incoming authentication requests based on IP reputation data and can automatically block suspicious requests, send webhook notifications to external systems, and log high-risk events.
The shield operates on a threshold-based model: each action (block, webhook, log) triggers when the fraud score of an incoming request meets or exceeds its configured threshold. Lower thresholds capture more events (higher sensitivity), while higher thresholds only flag the most suspicious traffic.
Configure Mideye Shield to protect your RADIUS infrastructure from brute force attacks, credential stuffing, and other automated threats — while maintaining visibility through webhook integrations and logging.
Access & Permissions
Required Role: ROOT, SUPER_ADMIN, or ADMIN (to modify settings)
Navigation: Home → Mideye Shield → Configuration
| Role | View Configuration | Modify Configuration |
|---|---|---|
| ROOT | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ |
| ADMIN | ✅ | ✅ |
| OPERATOR | ✅ | ❌ |
Features & Configuration
Master Enable/Disable
The Enabled checkbox controls the master toggle for the entire Mideye Shield system. When disabled, no fraud score evaluation, automatic blocking, webhook notifications, or shield logging occurs. All action-specific fields become disabled when the master toggle is off.
Block Response Type
The Block Response dropdown determines how MideyeServer handles blocked requests:
| Response Type | Description |
|---|---|
| REJECT_REQUEST | Send a RADIUS Access-Reject response to the NAS. The client receives an explicit denial. |
| DISCARD_REQUEST | Silently drop the request without responding. The client experiences a timeout. |
Block Action
Enable the Block Action Enabled checkbox to automatically block authentication requests from IP addresses with a high fraud score.
| Field | Type | Range | Default | Description |
|---|---|---|---|---|
| Block Threshold | Number | 0–100 | 70 | Fraud score at or above which requests are blocked |
| Block Expiration Hours | Number | 1–168 | 24 | Duration (hours) that an IP remains blocked |
When an IP is blocked, all subsequent authentication requests from that IP are immediately rejected (or discarded) for the configured expiration period without performing authentication. Blocked IPs are visible on the Auto-blocked IPs page.
Webhook Action
Enable the Webhook Action Enabled checkbox to send HTTP webhook notifications when high-risk authentication attempts are detected.
| Field | Type | Validation | Default | Description |
|---|---|---|---|---|
| Webhook Threshold | Number | 0–100, required | 60 | Fraud score at or above which the webhook is triggered |
| Webhook URL | URL | Valid URL, required when enabled | — | HTTP endpoint to receive webhook notifications |
| Webhook Data Template | Text | Required when enabled | {"text": "%s"} | JSON template for the webhook payload. Use %s as a placeholder for the event data. |
Webhook payload: The template is sent as the HTTP request body with the %s placeholder replaced by the event details. Configure the template to match the expected format of your receiving system (e.g., Slack, Microsoft Teams, or a custom SIEM endpoint).
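A pre-save check for the Webhook Data Template, as an added example that is not part of MideyeServer: it substitutes a constructed sample for `%s` and confirms the body still parses as JSON with the placeholder inside a string value. The function names, the sample value, and the one-placeholder rule are assumptions of this example.

```python
import json

SENTINEL = "shield-event-sample"  # constructed stand-in for the event details


def _strings(node):
    """Yield every string value found in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def check_template(template: str) -> list[str]:
    """Return a list of problems; an empty list means the template looks sane."""
    # Assumption: the template carries exactly one %s placeholder.
    if template.count("%s") != 1:
        return ["template must contain exactly one %s placeholder"]
    # Plain substitution, mirroring "the %s placeholder replaced by the event details".
    rendered = template.replace("%s", SENTINEL)
    try:
        body = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"rendered body is not valid JSON: {exc.msg}"]
    # An unquoted or key-position placeholder would not reach the receiver as text.
    if not any(SENTINEL in value for value in _strings(body)):
        return ["%s is not inside a JSON string value"]
    return []
```

The page does not say whether event details are escaped before substitution, so the receiving endpoint should handle a body that fails to parse.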
Log Action
Enable the Log Action Enabled checkbox to write log entries for authentication attempts with elevated fraud scores.
| Field | Type | Range | Default | Description |
|---|---|---|---|---|
| Log Threshold | Number | 0–100 | 50 | Fraud score at or above which log entries are created |
Log entries are written to the MideyeServer system log and can be viewed on the Log Files page.
Static Filter Block by Default
The Block By Default setting controls the default behavior of the static filter rule engine. This setting is part of the Mideye Shield configuration but is managed on the Static Filter Rules page.
Field Reference
| Field Name | Type | Required | Default | Validation | Description |
|---|---|---|---|---|---|
| enabled | Boolean | Yes | false | — | Master toggle for Mideye Shield |
| blockActionEnabled | Boolean | Yes | true | — | Enable automatic IP blocking |
| blockThreshold | Number | Yes | 70 | 0–100 | Fraud score threshold for blocking |
| blockExpirationHours | Number | Yes | 24 | 1–168 | Block duration in hours |
| blockResponse | Enum | Yes | REJECT_REQUEST | REJECT_REQUEST or DISCARD_REQUEST | How blocked requests are handled |
| webhookActionEnabled | Boolean | Yes | false | — | Enable webhook notifications |
| webhookThreshold | Number | Yes | 60 | 0–100 | Fraud score threshold for webhooks |
| webhookUrl | String | Conditional | — | Valid URL, required when webhook enabled | Webhook endpoint URL |
| webhookDataTemplate | String | Conditional | {"text": "%s"} | Required when webhook enabled | JSON template for webhook payload |
| logActionEnabled | Boolean | Yes | true | — | Enable shield logging |
| logThreshold | Number | Yes | 50 | 0–100 | Fraud score threshold for logging |
| staticFilterBlockByDefault | Boolean | Yes | false | — | Default block behavior for static filter rules |
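The field reference and the threshold model from the Overview, combined in an added example that is not MideyeServer code: `validate` applies the table's ranges and conditional requirements, and `actions_for` lists which actions fire for a given fraud score. Both function names, the empty-string stand-in for an unset `webhookUrl`, and the reading of "valid URL" as an absolute http(s) URL are assumptions.

```python
from urllib.parse import urlsplit

# Defaults and ranges copied from the field reference table ("" = unset URL).
DEFAULTS = {
    "enabled": False, "blockActionEnabled": True, "blockThreshold": 70,
    "blockExpirationHours": 24, "blockResponse": "REJECT_REQUEST",
    "webhookActionEnabled": False, "webhookThreshold": 60, "webhookUrl": "",
    "webhookDataTemplate": '{"text": "%s"}', "logActionEnabled": True,
    "logThreshold": 50, "staticFilterBlockByDefault": False,
}
RANGES = {"blockThreshold": (0, 100), "blockExpirationHours": (1, 168),
          "webhookThreshold": (0, 100), "logThreshold": (0, 100)}


def validate(cfg: dict) -> list[str]:
    """Return validation errors for a full configuration dict."""
    errors = []
    for field, (low, high) in RANGES.items():
        value = cfg[field]
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            errors.append(f"{field} must be a number in {low}-{high}")
    if cfg["blockResponse"] not in ("REJECT_REQUEST", "DISCARD_REQUEST"):
        errors.append("blockResponse must be REJECT_REQUEST or DISCARD_REQUEST")
    if cfg["webhookActionEnabled"]:
        try:
            url = urlsplit(cfg["webhookUrl"])
            # Assumption: "valid URL" means an absolute http(s) URL with a host.
            url_ok = url.scheme in ("http", "https") and bool(url.netloc)
        except ValueError:
            url_ok = False
        if not url_ok:
            errors.append("webhookUrl must be a valid URL when the webhook is enabled")
        if not cfg["webhookDataTemplate"]:
            errors.append("webhookDataTemplate is required when the webhook is enabled")
    return errors


def actions_for(cfg: dict, fraud_score: int) -> list[str]:
    """Actions triggered for one scored request (score meets or exceeds threshold).

    Models only the threshold rule, not the later handling of already-blocked IPs.
    """
    if not cfg["enabled"]:  # master toggle off: nothing is evaluated
        return []
    return [name for name in ("block", "webhook", "log")
            if cfg[f"{name}ActionEnabled"] and fraud_score >= cfg[f"{name}Threshold"]]
```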
Actions
Save Configuration
Purpose: Persist changes to the Mideye Shield configuration.
Steps:
- Modify the desired settings.
- Click the Save button.
Result: The configuration is saved and takes effect immediately. A success notification is displayed.
Common Use Cases
Basic Protection Setup
- Enable Mideye Shield (check the Enabled checkbox).
- Enable the Block Action with the default threshold of 70.
- Set the Block Expiration to 24 hours.
- Select REJECT_REQUEST as the Block Response.
- Enable the Log Action with a threshold of 50 for visibility.
- Click Save.
Integration with SIEM or Alerting Systems
- Enable the Webhook Action.
- Set the Webhook Threshold to the desired sensitivity level.
- Enter the webhook endpoint URL (e.g., a Slack incoming webhook or SIEM collector).
- Configure the Webhook Data Template to match the expected payload format.
- Click Save and test by monitoring webhook deliveries.
Air-Gapped Environments
When MideyeServer operates in air-gapped mode (no internet access), Mideye Shield’s IP reputation scoring is unavailable because it requires external API connectivity. In this mode:
- The Auto-blocked IPs page is disabled.
- Static filter rules continue to function independently.
- Consider relying on static filter rules for protection in air-gapped deployments.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Shield not blocking any IPs | Shield not enabled | Verify the Enabled checkbox is checked |
| Shield not blocking any IPs | Block threshold too high | Lower the block threshold value |
| Webhook not firing | Webhook URL unreachable | Verify network connectivity from MideyeServer to the webhook endpoint |
| Webhook not firing | Webhook threshold too high | Lower the webhook threshold |
| Threshold fields disabled | Parent action checkbox unchecked | Enable the corresponding action checkbox |
| All fields disabled | Master toggle disabled | Check the Enabled checkbox |
| Save button shows error | Validation failure | Check that all required fields have valid values within the allowed ranges |
Related Pages
- Auto-blocked IPs — View and manage IP addresses automatically blocked by Mideye Shield
- Static Filter Rules — Create manual rules to block or allow specific usernames and IP addresses
- Blocked Attempts — View authentication attempts blocked by Mideye Shield or static rules
- Authentication Logs — Review fraud scores in authentication event details