
Bad Logins Documentation

Menu Location: Reports > System & Security > Bad Logins

Access Level: Administrator / Kiva Admin

Last Updated: 2026-03-01


Overview

The Bad Logins page tracks all failed login attempts across your admin and customer portals, providing crucial security monitoring to identify potential unauthorized access attempts, brute force attacks, or compromised accounts.

Primary Functions:

  • Monitor all failed login attempts in real-time
  • Identify potential security threats and attack patterns
  • Track suspicious IP addresses attempting unauthorized access
  • Review customer login issues for support purposes
  • Generate reports on security incidents
  • Block or whitelist IP addresses based on activity

Page Layout

Header Section

  • Page Title: "Bad Logins" with total failed attempt count
  • Date Range Filter: Select time period to review
  • Search Bar: Search by IP address, username, or email
  • Export Button: Download bad login data as CSV

Main Data Table

Displays all failed login attempts with the following columns:

  • Date/Time: When the failed attempt occurred
  • IP Address: Source IP of the login attempt
  • Username/Email: The credentials used in the attempt
  • Login Type: Admin or Customer portal
  • Reason: Why the login failed (wrong password, account not found, etc.)
  • User Agent: Browser/device information
  • Actions: Options to block IP or view details

Summary Stats Panel

  • Total failed attempts in selected period
  • Unique IP addresses
  • Most targeted accounts
  • Peak attack times

Search & Filtering

Date Range Filter

Filter failed logins by time period:

  • Last 24 Hours: Most recent activity
  • Last 7 Days: Weekly security overview
  • Last 30 Days: Monthly security analysis
  • Custom Range: Specify exact date range
  • All Time: Complete login failure history

Search Options

Search across multiple fields simultaneously:

  • IP Address: Find all attempts from specific IP
  • Email/Username: Track attempts targeting specific account
  • User Agent: Filter by browser or device type

Failed Login Reason Filter

  • Wrong Password: Legitimate users with incorrect credentials
  • Account Not Found: Attempts using non-existent usernames
  • Account Locked: Attempts on temporarily locked accounts
  • Account Disabled: Attempts on deactivated accounts
  • Multiple Failures: IPs with repeated failed attempts

Actions & Operations

Review Login Attempt

Purpose: View detailed information about a specific failed login

Steps:

  1. Click on any row in the bad logins table
  2. Review detailed modal showing:
    • Full timestamp
    • Complete IP address information
    • Geographic location (if available)
    • Full user agent string
    • Password attempt (partially masked)
    • Related attempts from same IP
  3. Click "Close" to return to list

Block IP Address

Purpose: Permanently block an IP address from accessing the system

Steps:

  1. Locate the suspicious IP address in the list
  2. Click "Block IP" button in the Actions column
  3. Confirm blocking decision
  4. Add optional note explaining reason for block
  5. IP is added to permanent blacklist

Requirements:

  • Administrator access level
  • Confirmation of blocking action
  • IP not already in whitelist

Add to Whitelist

Purpose: Mark legitimate IP as safe to prevent future blocking

Steps:

  1. Identify the legitimate IP address
  2. Click "Whitelist" button in Actions column
  3. Add note explaining why IP is trusted
  4. Click "Save to Whitelist"

Use Cases:

  • Company office IP addresses
  • VPN endpoints used by staff
  • Known customer locations with password issues

Export Bad Login Data

Purpose: Download security data for analysis or reporting

Steps:

  1. Apply desired filters (date range, IP, etc.)
  2. Click "Export CSV" button
  3. Choose export options:
    • Summary (basic info)
    • Detailed (all fields)
    • Custom (select fields)
  4. Click "Download"
  5. Save CSV file to your computer

Common Use Cases

Use Case 1: Identifying Brute Force Attack

Goal: Detect and stop an ongoing brute force attack

Steps:

  1. Navigate to Bad Logins page
  2. Set Date Range to "Last 24 Hours"
  3. Sort by "IP Address" to group attempts
  4. Look for IPs with 10+ failed attempts
  5. Review the targeted usernames
  6. Click "Block IP" for attacking addresses
  7. Document the incident with notes
  8. Consider notifying the targeted users if the targeted accounts are legitimate

Example: IP 192.168.1.100 shows 47 failed login attempts in 2 hours targeting admin accounts "admin", "root", "administrator" - clear brute force attack pattern. Block immediately.

Tips:

  • Block IPs with 20+ rapid failed attempts
  • Look for dictionary attack patterns (common usernames)
  • Check if targeted accounts actually exist
  • Monitor for distributed attacks from multiple IPs

Use Case 2: Helping Customer with Login Issues

Goal: Diagnose why a legitimate customer can't log in

Steps:

  1. Search for customer's email address
  2. Review their recent failed login attempts
  3. Check the "Reason" column for failure cause
  4. Common issues:
    • "Wrong Password": Customer needs password reset
    • "Account Not Found": Email mismatch or account deleted
    • "Account Locked": Too many failed attempts, unlock needed
  5. Take appropriate action (send password reset, unlock account, etc.)
  6. Contact customer with solution

Example: Customer [email protected] shows 5 failed attempts with "Wrong Password" over 3 days. Send password reset link and follow up with instructions.

Use Case 3: Monthly Security Review

Goal: Conduct regular security audit of login activity

Steps:

  1. Set Date Range to "Last 30 Days"
  2. Export full detailed report
  3. Analyze in spreadsheet:
    • Total failed attempts vs. previous month
    • Most targeted accounts
    • Geographic patterns
    • Time-of-day patterns
  4. Identify trends:
    • Increasing attack frequency
    • New targeted accounts
    • Emerging threat IPs
  5. Update security measures:
    • Block problematic IPs
    • Strengthen targeted accounts
    • Adjust rate limiting if needed
  6. Document findings for security log

Tips:

  • Schedule monthly on same day each month
  • Compare month-over-month trends
  • Look for seasonal patterns
  • Share findings with team

Use Case 4: Investigating Compromised Account

Goal: Determine if account has been compromised

Steps:

  1. Search for the suspected account email
  2. Review all failed and successful logins
  3. Look for red flags:
    • Logins from unusual geographic locations
    • Multiple failed attempts followed by success
    • Different user agents than normal
    • Login times outside user's typical pattern
  4. Cross-reference with customer activity logs
  5. If compromised:
    • Lock the account immediately
    • Contact customer via verified channel
    • Force password reset
    • Review any orders/changes made

Use Case 5: Tracking Geographic Attack Patterns

Goal: Identify if attacks originate from specific regions

Steps:

  1. Set Date Range to desired period
  2. Export detailed report with IP data
  3. Use IP lookup tools to map geographic locations
  4. Identify clustering:
    • Multiple attacks from same country/region
    • Known high-risk geographic areas
    • Patterns suggesting botnet activity
  5. Consider geographic blocking if appropriate
  6. Update firewall rules if necessary

Report Data & Columns

| Column | Description | Details |
|---|---|---|
| Date/Time | When attempt occurred | Timezone matches account settings |
| IP Address | Source IP of attempt | Clickable to view all attempts from IP |
| Username/Email | Credentials used | Partially masked for privacy |
| Login Type | Portal type | "Admin" or "Customer" |
| Reason | Why login failed | System-generated failure reason |
| User Agent | Browser/device info | Full string available in detail view |
| Country | Geographic origin | Based on IP geolocation |
| Attempts Count | Multiple from same IP | Shows clustering |
| Actions | Available operations | Block, Whitelist, View Details |

Sorting & Display Options

Sort Options:

  • Date/Time (newest first - default)
  • Date/Time (oldest first)
  • IP Address (alphabetically - groups by IP)
  • Username (alphabetically)
  • Attempts (highest to lowest - shows worst offenders)

Display Options:

  • Show 25 per page (default)
  • Show 50 per page
  • Show 100 per page
  • Show All (use cautiously with large datasets)

View Modes:

  • Standard View: All columns visible
  • Compact View: Essential columns only
  • Detail View: Expandable rows with full information

Export & Download Options

Export Formats:

  • CSV (Basic): Date, IP, Username, Reason
  • CSV (Detailed): All fields including user agent, geolocation
  • CSV (Security Report): Optimized for security analysis
  • JSON: For programmatic analysis

Export Process:

  1. Apply desired filters to narrow dataset
  2. Click "Export" button
  3. Select format from dropdown
  4. Choose date range (if not already filtered)
  5. Click "Generate Export"
  6. Wait for processing (large datasets may take a minute)
  7. Download file when ready

Export Tips:

  • Filter before exporting to reduce file size
  • Use Basic format for quick reviews
  • Use Detailed format for thorough investigations
  • Schedule automated exports for regular monitoring

Troubleshooting

Issue 1: Too Many Results to Review

Symptoms: Thousands of failed login attempts making analysis difficult

Solutions:

  1. Apply date range filter to narrow timeframe
  2. Sort by IP address to group related attempts
  3. Filter by "Multiple Failures" to see repeat offenders first
  4. Use search to focus on specific accounts or IPs
  5. Export and analyze in spreadsheet with pivot tables

Common Causes:

  • Prolonged brute force attack
  • Widely distributed attack across many IPs
  • Legitimate users with forgotten passwords
  • Bot traffic not properly filtered

Issue 2: Legitimate User Appears as Bad Login

Symptoms: Customer reports login issues and appears in bad logins list

Check:

  1. Review the "Reason" field for the failure cause
  2. Verify customer's email address matches account
  3. Check if account is locked or disabled
  4. Look for case sensitivity issues in username
  5. Verify customer is using correct login portal (admin vs. customer)
  6. Check for browser/cache issues in User Agent

Solutions:

  1. Send password reset link if "Wrong Password"
  2. Unlock account if "Account Locked"
  3. Verify email if "Account Not Found"
  4. Update account status if "Account Disabled"
  5. Clear cookies/cache if persistent browser issues

Issue 3: Can't Block Attacking IP Address

Symptoms: Block IP button doesn't work or IP continues attacking

Check:

  1. Verify you have Administrator access level
  2. Check if IP is in whitelist (prevents blocking)
  3. Confirm IP address format is valid
  4. Look for IP range instead of single IP
  5. Check if using VPN/proxy that rotates IPs

Solutions:

  1. Request admin permissions if needed
  2. Remove from whitelist if mistakenly added
  3. Block entire IP range if rotating within range
  4. Implement rate limiting in addition to blocking
  5. Contact Kiva Logic for advanced firewall rules

If Problem Persists: Contact Kiva Logic support with:

  • Attacking IP address(es)
  • Timestamp of attack
  • Screenshots of bad login attempts
  • Exported data showing attack pattern
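
For the rotating-IP case in Issue 3, the following added example (not part of the Kiva Logic product) groups the IP column of an export into ranges and reports ranges whose combined failures reach the per-IP guideline while no single address does. The /24 and /64 range sizes, the minimum of three addresses, the function names and the sample data are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

PER_IP_BLOCK_AT = 20             # the page's per-IP blocking guideline
PREFIX = {4: 24, 6: 64}          # assumed range sizes to group by

def network_of(ip):
    """Map one address to its enclosing range; raises ValueError if malformed."""
    addr = ipaddress.ip_address(ip.strip())
    return ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False)

def rotating_ranges(source_ips, min_ips=3):
    """Return (findings, invalid). A finding is (range, distinct IPs, failures)
    for a range that reaches the threshold in total while every address in it
    stays below it, i.e. activity the per-IP rule alone would not flag."""
    per_net, invalid = defaultdict(Counter), []
    for ip in source_ips:
        try:
            per_net[network_of(ip)][ip.strip()] += 1
        except ValueError:
            invalid.append(ip)           # bad IP format: fix before blocking
    findings = []
    for net, counts in per_net.items():
        total = sum(counts.values())
        if (len(counts) >= min_ips and total >= PER_IP_BLOCK_AT
                and max(counts.values()) < PER_IP_BLOCK_AT):
            findings.append((str(net), len(counts), total))
    return sorted(findings), invalid

# Constructed sample, one entry per failed login (documentation address ranges).
SAMPLE = (
    [f"198.51.100.{10 + i % 6}" for i in range(36)]   # 6 IPs x 6 failures
    + [f"2001:db8::{1 + i % 3}" for i in range(24)]   # 3 IPs x 8 failures
    + ["203.0.113.7"] * 25                            # one loud IP (per-IP rule)
    + ["192.0.2.1"] * 2 + ["not-an-ip"]
)

if __name__ == "__main__":
    ranges, bad = rotating_ranges(SAMPLE)
    for net, ips, total in ranges:
        print(f"{net}: {total} failures from {ips} addresses")
    print("unparseable:", bad)
```

Check any reported range against the whitelist before blocking it, since a range can contain a trusted office or VPN address.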

Issue 4: Export Times Out or Fails

Symptoms: Export button processing but file never downloads

Solutions:

  1. Reduce date range to smaller time period
  2. Apply more specific filters to limit results
  3. Try Basic export instead of Detailed
  4. Export in multiple smaller batches
  5. Try during off-peak hours
  6. Clear browser cache and retry
  7. Try different browser

Prevention:

  • Don't export "All Time" with no filters
  • Limit exports to 30 days or less initially
  • Filter by specific IP or account before exporting

Related Pages

  • IP Blacklist - Manage permanently blocked IP addresses
  • Admin Login Logs - View successful admin logins
  • Customer Login Logs - View successful customer logins
  • Security Settings - Configure login security policies
  • User Activity Logs - Track user actions after login

Typical Workflow:

  1. Bad Logins → Identify attack → IP Blacklist (block attacker)
  2. Bad Logins → Customer issue → Customer Detail (resolve login problem)
  3. Bad Logins → Export → Security Review → IP Blacklist (update blocks)

Permissions & Access

Required Access Level: Administrator

Access Level Capabilities:

  • Manager: View only, no blocking capabilities
  • Administrator: View + Export + Block IPs + Whitelist
  • Kiva Admin: All features + Advanced filtering + Database access

Restricted Features:

  • Block IP: Requires Administrator or higher
  • Whitelist IP: Requires Administrator or higher
  • Delete Records: Requires Kiva Admin only

Best Practices

Monitoring Frequency

  1. Review bad logins at least weekly
  2. Set up alerts for unusual spikes in failures
  3. Monitor daily during high-risk periods
  4. Check immediately after major announcements
  5. Review before and after system changes

Security Response

  1. Block IPs with 20+ failed attempts within 1 hour
  2. Investigate IPs with 10+ attempts targeting specific accounts
  3. Whitelist known legitimate IPs proactively
  4. Document all blocking decisions with notes
  5. Review blocked IPs quarterly (unblock if no longer threat)
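
The thresholds in this list and in Use Case 1 can be applied to an exported CSV instead of by eye. This is an added example, not Kiva Logic code: the header names follow the Basic export's field list (Date, IP, Username, Reason), while the timestamp format, the function names and the constructed sample rows are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

BLOCK_AT = 20                  # page: block at 20+ failures within 1 hour
INVESTIGATE_AT = 10            # page: investigate at 10+ failures
WINDOW = timedelta(hours=1)
FMT = "%Y-%m-%d %H:%M:%S"      # assumed timestamp format of the export

def make_sample():
    """Constructed export text; IPs are from documentation ranges."""
    t0, out = datetime(2026, 2, 1, 9, 0), ["Date,IP,Username,Reason"]
    names = ["admin", "root", "administrator"]
    for i in range(24):        # burst: 24 failures in 46 minutes
        ts = (t0 + timedelta(minutes=2 * i)).strftime(FMT)
        out.append(f"{ts},203.0.113.7,{names[i % 3]},Account Not Found")
    for i in range(12):        # slow: 12 failures, two hours apart
        ts = (t0 + timedelta(hours=2 * i)).strftime(FMT)
        out.append(f"{ts},198.51.100.20,jo@example.com,Wrong Password")
    out.append(f"{t0.strftime(FMT)},192.0.2.55,sam@example.com,Wrong Password")
    return "\n".join(out)

def load(text):
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.strptime(r["Date"], FMT), r["IP"], r["Username"])
                  for r in rows)

def triage(text, whitelist=frozenset()):
    """Return {ip: (verdict, peak failures in any hour, total, usernames)}."""
    recent, peak = defaultdict(deque), Counter()
    total, users = Counter(), defaultdict(set)
    for ts, ip, user in load(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:       # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        total[ip] += 1
        users[ip].add(user)
    report = {}
    for ip in total:                     # whitelisted IPs cannot be blocked
        verdict = ("whitelisted" if ip in whitelist else
                   "block" if peak[ip] >= BLOCK_AT else
                   "investigate" if total[ip] >= INVESTIGATE_AT else "ok")
        report[ip] = (verdict, peak[ip], total[ip], sorted(users[ip]))
    return report

if __name__ == "__main__":
    for ip, row in triage(make_sample()).items():
        print(ip, *row)
```

The "investigate" verdict uses the total across the export rather than the hourly peak, so slow attempts against one account still surface.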

Customer Support

  1. Check bad logins before resetting passwords
  2. Verify failure reason before taking action
  3. Document customer login issues
  4. Follow up after resolving login problems
  5. Educate customers on password best practices

Reporting & Documentation

  1. Export monthly security reports
  2. Track trends over time
  3. Share findings with management
  4. Document significant security incidents
  5. Maintain log of blocked IPs with reasons

Things to Avoid

  • Don't block IPs without investigation
  • Don't ignore patterns of failed attempts
  • Don't delete bad login records (needed for audits)
  • Don't whitelist IPs without verification
  • Don't export sensitive data to unsecured locations

Integration Points

Firewall Integration

  • Blocked IPs sync to server firewall
  • Automatic blocking at network level after X attempts
  • Rate limiting based on bad login patterns

Email Notifications

  • Alert admins when attack detected
  • Notify users of suspicious login attempts
  • Send reports of security incidents

Customer Support System

  • Link to customer records for support cases
  • Track login issues in support tickets
  • Reference bad logins in customer communication

Quick Reference Card

| Task | Action/Location |
|---|---|
| View today's failed logins | Date Range: "Last 24 Hours" |
| Find attacks from specific IP | Search by IP address |
| Block attacking IP | Actions column > "Block IP" |
| Help customer with login | Search customer email > review Reason |
| Monthly security review | Date Range: "Last 30 Days" > Export |
| Find brute force attacks | Sort by IP > look for high attempt counts |
| Whitelist company IP | Actions > "Whitelist" > add note |
| Export security report | Apply filters > Export > Detailed CSV |
| Check specific account attacks | Search by email/username |
| Review geographic patterns | Export > analyze IP locations |

FAQs

How long are bad login records kept?

Failed login attempts are stored for 12 months, then automatically archived. Kiva Admin can access historical archives beyond 12 months if needed for investigations.

What triggers an account lockout?

After 5 failed login attempts within 15 minutes, the account is temporarily locked for 30 minutes. This applies to both admin and customer logins.

Can I see successful logins too?

Yes, successful logins are tracked in separate logs. See "Admin Login Logs" or "Customer Login Logs" pages for successful authentication history.

What's the difference between blocking and blacklisting?

Blocking is immediate and temporary - it can be reversed. Blacklisting is permanent and typically requires Kiva Admin to remove. Use blocking for most security responses.

How do I know if I'm experiencing a brute force attack?

Look for: (1) Many failed attempts from single IP in short time, (2) Attempts using common usernames (admin, root, etc.), (3) Sequential password patterns, (4) Unusual time-of-day for your business.

Can attackers bypass bad login tracking?

Sophisticated attackers may use rotating IPs or distributed attacks. Bad login tracking catches these but may require IP range blocking or rate limiting to stop effectively.

Should I block IPs from foreign countries?

Only if your business exclusively serves specific regions. Many legitimate customers travel or use VPNs. Review patterns before implementing geographic blocking.

What if I accidentally block a legitimate user?

Navigate to IP Blacklist page, find the IP, and click "Unblock". The user can immediately attempt login again. Consider whitelisting the IP to prevent future issues.


End of Documentation

For additional help, contact your system administrator or Kiva Logic support.