Mailing List CGatePro@mail.stalker.com Message #106102
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: hack attempt recognition?
Date: Mon, 04 Jul 2016 09:38:41 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v6.0.11
On my 6.0 type server:

Settings->Network->Blacklisted IPs->Temporarily Blocked IP Addresses (near the bottom)

There you can set some parameters (failed login counts per unit time) to block the offending IP addresses.  We actually had to make it really lenient because of how some of our customers were using Outlook and how it logged in incorrectly each attempt.

Now, I'm not an AWK professional, but the following gives you a little insight into failed logins you might be experiencing:

$ grep -E 'ACCOUNT.*Error Code=incorrect password' /var/CommuniGate/SystemLogs/2016-07-04* | awk -F'[][)(]' '{print $2 " " $6}' | sort | uniq -c | sort -rn


Look for the 'ACCOUNT.*Error Code' lines in the current day's log files (2016-07-04*), pipe them through AWK using the characters '][)(' as field delimiters, and print out the second and sixth fields (Account and IP address, hopefully).  Pipe those results into the sort/uniq commands to get a nice, ranked list of the 'Account IP-Address' combinations and which ones are most popular.

I suppose it would also give you a pretty good list of IP addresses that are compromised as well.
--

Jeff Wark
Tbaytel Internet
On Mon, 4 Jul 2016 12:03:39 +0000
Marcel Hochuli <mhochuli@a-f.ch> wrote:
>> Hi
>>
>> I get thousands of hack attempts that try to break an account with clear text. Clear text is deactivated. And the particular email account is disabled, too.
>>
>> But the vicious IP address never gets blocked. It can hack our mailserver for many days.
>>
>> I can block the IP address, but a few days later, a new source IP does the same hacking.
>>
>> Is there a setting that I miss, to block the IP automatically?
>>
>>
>> 07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 rejected: 'clear text' login prohibited
>> 07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51947 rejected: 'clear text' login prohibited
>> 07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54314 rejected: 'clear text' login prohibited
>> 07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56451 rejected: 'clear text' login prohibited
>> 07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58883 rejected: 'clear text' login prohibited
>> 07:59:30.871 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:61306 rejected: 'clear text' login prohibited
>> 07:59:35.445 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63772 rejected: 'clear text' login prohibited
>> 07:59:39.830 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49671 rejected: 'clear text' login prohibited
>> 07:59:44.118 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51685 rejected: 'clear text' login prohibited
>> 07:59:49.178 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:53867 rejected: 'clear text' login prohibited
>> 07:59:53.728 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56576 rejected: 'clear text' login prohibited
>> 07:59:58.050 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58178 rejected: 'clear text' login prohibited
>> 08:00:02.423 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60796 rejected: 'clear text' login prohibited
>> 08:00:06.743 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:62490 rejected: 'clear text' login prohibited
>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) notification E-mail sent
>> 08:00:11.569 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:64666 rejected: 'clear text' login prohibited
>> 08:00:16.646 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:50551 rejected: 'clear text' login prohibited
>> 08:00:21.056 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:52718 rejected: 'clear text' login prohibited
>> 08:00:25.383 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54463 rejected: 'clear text' login prohibited
>> 08:00:29.836 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56942 rejected: 'clear text' login prohibited
>> 08:00:34.469 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58937 rejected: 'clear text' login prohibited
>> 08:00:39.736 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60958 rejected: 'clear text' login prohibited
>> 08:00:44.709 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63058 rejected: 'clear text' login prohibited
>> 08:00:49.380 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49232 rejected: 'clear text' login prohibited
>>
>>
>> +---
>> mailto:mhochuli@a-f.ch
>> otherto:noway@a-f.ch
>> _______________________________________
>>
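The grep/awk/sort/uniq pipeline above ranks 'Account IP-Address' pairs, and the quoted log shows the server's own trigger counting rejections ("5 in 60 sec"). The following is an added example, not code from either poster or from CommuniGate Pro: it parses the ACCOUNT rejection lines in the format shown in the quoted log, produces the same ranking as the one-liner, lists which accounts each source IP tried, and flags IPs that reach N rejections inside a sliding window, which is the check one would want before deciding on a block. The sample log lines are constructed (documentation IP ranges, made-up account names); the exact wording of CommuniGate's "Error Code=incorrect password" line is not on the page, so the regex only requires that phrase to appear after the source address.

```python
"""Parse CommuniGate-style ACCOUNT login rejections and rank/flag sources.

Added example for the list thread; assumes the line layout visible in the
quoted log:  HH:MM:SS.mmm <level> ACCOUNT(<name>) login(<proto>) from [<ip>]:<port> ...
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Lines 1-5 mimic the quoted 'clear text' rejections;
# the 'Error Code=incorrect password' lines are an assumed format for the
# pattern the grep in the post searches for. The TRIGGER line is ignored.
SAMPLE_LOG = """\
07:59:09.273 1 ACCOUNT(alice@example.com) login(SMTP) from [203.0.113.5]:49340 rejected: 'clear text' login prohibited
07:59:13.608 1 ACCOUNT(alice@example.com) login(SMTP) from [203.0.113.5]:51947 rejected: 'clear text' login prohibited
07:59:17.902 1 ACCOUNT(alice@example.com) login(SMTP) from [203.0.113.5]:54314 rejected: 'clear text' login prohibited
07:59:22.223 1 ACCOUNT(alice@example.com) login(SMTP) from [203.0.113.5]:56451 rejected: 'clear text' login prohibited
07:59:26.537 1 ACCOUNT(alice@example.com) login(SMTP) from [203.0.113.5]:58883 rejected: 'clear text' login prohibited
07:59:30.000 1 ACCOUNT(bob@example.com) login(IMAP) from [198.51.100.9]:40001 failed: Error Code=incorrect password
08:00:00.000 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 5: 5 in 60 sec
08:03:00.000 1 ACCOUNT(bob@example.com) login(IMAP) from [198.51.100.9]:40002 failed: Error Code=incorrect password
"""

# Same fields the awk one-liner extracts ($2 = account, $6 = IP), plus the
# timestamp and protocol. Accepts both rejection forms mentioned on the page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ ACCOUNT\((?P<account>[^)]*)\) "
    r"login\((?P<proto>[^)]*)\) from \[(?P<ip>[^\]]+)\]:\d+ "
    r"(?:rejected: 'clear text' login prohibited|.*Error Code=incorrect password.*)$"
)


def parse_rejections(lines):
    """Yield (timestamp, account, protocol, ip) for every rejected-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            yield ts, m.group("account"), m.group("proto"), m.group("ip")


def rank_account_ip(lines):
    """Equivalent of grep | awk | sort | uniq -c | sort -rn: most frequent pair first."""
    counts = Counter((acct, ip) for _, acct, _, ip in parse_rejections(lines))
    return counts.most_common()


def accounts_per_ip(lines):
    """Distinct account names tried from each IP; many accounts from one IP suggests a spray."""
    tried = defaultdict(set)
    for _, acct, _, ip in parse_rejections(lines):
        tried[ip].add(acct)
    return {ip: sorted(names) for ip, names in tried.items()}


def ips_over_threshold(lines, limit=5, window_sec=60):
    """Return {ip: time_first_flagged} for IPs reaching `limit` rejections in any `window_sec` span.

    Mirrors the 'N in M sec' trigger in the quoted log. Assumes lines are in
    time order within one day's file, as CommuniGate writes them.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _, _, ip in parse_rejections(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_sec):
            q.popleft()  # drop rejections that fell out of the window
        if len(q) >= limit and ip not in flagged:
            flagged[ip] = ts.strftime("%H:%M:%S.%f")[:-3]
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (acct, ip), n in rank_account_ip(lines):
        print(f"{n:6d} {acct} {ip}")
    print("accounts per IP:", accounts_per_ip(lines))
    print("over threshold:", ips_over_threshold(lines))
```

On the sample, the first source reaches five rejections within 18 seconds and is flagged at 07:59:26.537; the second source has two failures more than a minute apart and is not, which is the distinction a lenient setting like the one described in the reply relies on. To run it over a real day's files, replace `SAMPLE_LOG.splitlines()` with the lines read from `/var/CommuniGate/SystemLogs/2016-07-04*`.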
