Thread: [SOLVED] Find IP of Failed Login attempts to webmail

  1. #1 alapierre (Active Member)

    [SOLVED] Find IP of Failed Login attempts to webmail

    It seems our system is being attacked by somebody/something trying to brute force a couple of our accounts. I'd like to find the IP of the person so I can block them, but when I look at the IP in the audits.log file it shows up as our mail server's external IP address. Here is a line:

    Code:
    [btpool0-94] [ip=xxx.xxx.xxx.xxx;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;
    Same basic thing is showing in the mailbox.log file. I'm not sure where else to look to see who is connecting. I'm hoping somebody can guide me to the proper log file. Thanks!
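As an added example (not from this thread and not Zimbra's own code), the Python below parses audit.log lines of the form quoted above and shows why an IP-based blocker cannot act on them when the ip= field is the server's own address: failures are counted per account, and a client address is only recorded when it is not the server itself. The oip= field, the server address 203.0.113.10 and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Matches the "security - cmd=Auth" audit.log line quoted in the thread.
# The oip= field is an assumption (an optional originating-client address);
# it is only used when present.
AUTH_RE = re.compile(
    r"\[ip=(?P<ip>[^;\]]+);(?:oip=(?P<oip>[^;\]]+);)?[^\]]*\]\s+security - cmd=Auth; "
    r"account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+); error=(?P<error>[^;]+);"
)

# Constructed sample lines modelled on the thread's example: 203.0.113.10 stands in
# for the mail server's own external address, 198.51.100.7 for a real client.
SAMPLE_LOG = """\
[btpool0-94] [ip=203.0.113.10;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;
[btpool0-95] [ip=203.0.113.10;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;
[btpool0-96] [ip=203.0.113.10;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;
[btpool0-97] [ip=203.0.113.10;oip=198.51.100.7;] security - cmd=Auth; account=alice@domain.com; protocol=soap; error=authentication failed for alice, invalid password;
"""


def summarize_failed_auths(log_text, server_ips):
    """Count failed Auth attempts per account and per attributable client IP.
    A line whose only address belongs to the server (the thread's situation) is
    counted as unattributable: banning that address would block the server itself."""
    per_account, per_source, unattributable = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or "authentication failed" not in m["error"]:
            continue  # not a failed authentication
        per_account[m["account"]] += 1
        source = m["oip"] or m["ip"]
        if source in server_ips:
            unattributable += 1
        else:
            per_source[source] += 1
    return per_account, per_source, unattributable


def accounts_over_threshold(per_account, threshold):
    """Accounts with at least `threshold` failures, i.e. the ones the lockout
    policy would hit, regardless of whether a client IP is known."""
    return sorted(acct for acct, n in per_account.items() if n >= threshold)


if __name__ == "__main__":
    accounts, sources, unknown = summarize_failed_auths(SAMPLE_LOG, {"203.0.113.10"})
    print("failures per account:", dict(accounts))
    print("failures per client IP:", dict(sources))
    print("failures with no usable client IP:", unknown)
    print("accounts at or over 3 failures:", accounts_over_threshold(accounts, 3))
```

With the sample input, three of the four failures carry only the server's address, so a fail2ban-style rule keyed on ip= would have nothing safe to ban, while the per-account count still identifies the targeted mailbox.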

  2. #2 phoenix (Zimbra Consultant & Moderator)


    Quote Originally Posted by alapierre
    It seems our system is being attacked by somebody/something trying to brute force a couple of our accounts. I'd like to find the IP of the person so I can block them, but when I look at the IP in the audits.log file it shows up as our mail server's external IP address. Here is a line:

    Code:
    [btpool0-94] [ip=xxx.xxx.xxx.xxx;] security - cmd=Auth; account=bogus@domain.com; protocol=soap; error=authentication failed for bogus, invalid password;
    Same basic thing is showing in the mailbox.log file. I'm not sure where else to look to see who is connecting. I'm hoping somebody can guide me to the proper log file. Thanks!
    You could use something like fail2ban or OSSEC to block unwanted hacking attempts.
    Regards
    Bill


  3. #3 alapierre (Active Member)


    It looks like those operate by blocking the IP <HOST> of the computer connecting, but the problem is that in the logs the IP shows up as our mail server's external IP address, so how would it know what to block?

  4. #4 alapierre (Active Member)


    OK, just found out a bit more information. Those specific logs are generated whenever somebody sends an email through our server. I thought they were trying to log in through the webmail, but it appears they're just trying to send mail through our server. It's really only annoying because after a certain number of attempts that user's account gets locked and I have to unlock it so they can use their mail again. Obviously I don't want to have to keep doing that, as eventually they may guess their password.

  5. #5 dwill (Special Member)


    I tried fail2ban about a year ago, and while it seems to work well for a few days, the logs, rules, block and unblock lists get extremely large if you have a lot of traffic. It would eventually bog down and I'd have to manually shut it down, clean up, and start it up again. I'd love to hear from others who have success using it with between 50K and 100K incomings a day.

  6. #6 phoenix (Zimbra Consultant & Moderator)


    Quote Originally Posted by alapierre
    OK, just found out a bit more information. Those specific logs are generated whenever somebody sends an email through our server. I thought they were trying to log in through the webmail, but it appears they're just trying to send mail through our server. It's really only annoying because after a certain number of attempts that user's account gets locked and I have to unlock it so they can use their mail again. Obviously I don't want to have to keep doing that, as eventually they may guess their password.
    In that case you should enforce secure passwords, and you can set the "Time to lockout the account"; details below from the on-line help.

    This is the time, in either days, hours, minutes, or seconds, that the account is locked out after the user fails to log in. The account status is automatically changed to active after this time expires. When this is set to 0, the user is locked out until the correct password is entered or the administrator resets the password.
    Last edited by phoenix; 11-12-2010 at 10:08 AM.
    Regards
    Bill


  7. #7 alapierre (Active Member)


    Sounds good, thanks for your help.
