Zimbra :: Forums
11-10-2010, 11:50 AM, alapierre

[SOLVED] Find IP of Failed Login attempts to webmail

It seems our system is being attacked by somebody/something trying to brute force a couple of our accounts. I'd like to find the IP of the person so I can block them, but I look at the IP in the audits.log file and it shows up as our mail server's external IP address. Here is a line:

Code:
[btpool0-94] [ip=xxx.xxx.xxx.xxx;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;

Same basic thing is showing in the mailbox.log file. I'm not sure where else to look to see who is connecting. I'm hoping somebody can guide me to the proper log file. Thanks!
11-10-2010, 12:32 PM, Bill (Zimbra Consultant & Moderator)

Quote: Originally Posted by alapierre
    It seems our system is being attacked by somebody/something trying to brute force a couple of our accounts. I'd like to find the IP of the person so I can block them, but I look at the IP in the audits.log file and it shows up as our mail server's external IP address. Here is a line:

    Code:
    [btpool0-94] [ip=xxx.xxx.xxx.xxx;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;

    Same basic thing is showing in the mailbox.log file. I'm not sure where else to look to see who is connecting. I'm hoping somebody can guide me to the proper log file. Thanks!

You could use something like fail2ban or OSSEC to block unwanted hacking attempts.

Regards
Bill
11-10-2010, 12:50 PM

It looks like those operate by blocking the IP <HOST> of the computer connecting, but the problem is that in the logs the IP shows up as our mail server's external IP address, so how would it know what to block?
11-10-2010, 12:58 PM, alapierre

Ok, just found out a bit more information. Those specific logs are generated whenever somebody sends an email through our server. I thought they were trying to log in through the webmail, but it appears they're just trying to send mail through our server. It's really only annoying because after a certain number of attempts, that user's account gets locked and I have to unlock it so they can use their mail again. Obviously I don't want to have to keep doing that, as eventually they may guess their password.
11-10-2010, 06:08 PM, Special Member

I tried fail2ban about a year ago, and while it seemed to work well for a few days, the logs, rules, block and unblock lists get extremely large if you have a lot of traffic. It would eventually bog down and I'd have to manually shut it down, clean up, and start it up again. I'd love to hear from others who have success using it with between 50K and 100K incomings a day.

Work: 7.0.1 UBUNTU8_64 NETWORK | Home: 7.0.1 UBUNTU8_64 FOSS
11-11-2010, 12:21 AM, Bill (Zimbra Consultant & Moderator)

Quote: Originally Posted by alapierre
    Ok, just found out a bit more information. Those specific logs are generated whenever somebody sends an email through our server. I thought they were trying to log in through the webmail, but it appears they're just trying to send mail through our server. It's really only annoying because after a certain number of attempts, that user's account gets locked and I have to unlock it so they can use their mail again. Obviously I don't want to have to keep doing that, as eventually they may guess their password.

In that case you should enforce secure passwords, and you can set the "Time to lockout the account"; details below from the on-line help.

Quote:
    This is the time in either days, hours, minutes, or seconds that the account is locked out after the user fails to log in. The account status is automatically changed to active after this time expires. When this is set to 0, the user is locked out until the correct password is entered or the administrator resets the password.

Regards
Bill
11-12-2010, 08:47 AM

Sounds good, thanks for your help.