Hi all, I have been receiving attempted logins from remote IPs (china/brazil) trying to log in rapidly (resulting in account lockouts). The interesting thing is that it seems to be via direct SOAP requests.
This thread seems to detail the method they're using
Account Lockout: How to find IP address of soap - AuthRequest
Any way, a combo of threshold rules and blacklists on the firewall have been good enough to keep them at bay.
I've been correlating this activity by cross referencing the times of the audit log lockout messages against the jetty access log to get the IP of the SOAP request (as they don't seem to show up in the audit log - see other thread).
Yep, I really need to get around to installing splunk or something similar to make this easier....
Today when I started receiving more of these login attempts I noticed that somehow our jetty access_log is now 10 hours off (we're GMT+10). I havn't had to look at this since we upgraded to 6.0.8 so perhaps it occured then. How do you change the time offset for the jetty process logging safely in zimbra?