Mailing List CGatePro@mail.stalker.com Message #106104
From: Brian Turnbow <b.turnbow@twt.it>
Subject: RE: hack attempt recognition?
Date: Tue, 5 Jul 2016 14:02:18 +0200
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Outlook 14.0
Hi,

As Jeff said, you can take a look into setting up the temporary blacklisting; take a look at the Protection section of the guide. They also have failed login limits at the account level, where you can define the number of max failures and the timeframe.

I would also suggest taking a look at Niversoft's dictionary attack script. You can easily add "rejected: 'clear text' login prohibited" as a match phrase. It will add the IPs directly to the Blacklisted IPs section of CommuniGate.


Best Regards

Brian

>On my 6.0 type server:
>
>Settings->Network->Blacklisted IPs->Temporarily Blocked IP Addresses (near the bottom)
>
>There you can set some parameters (failed login counts per unit time) to block the offending IP addresses. We actually had to make it really lenient because of how some of our customers were using Outlook and how it logged in incorrectly each attempt.
>
>Now, I'm not an AWK professional, but the following gives you a little insight into failed logins you might be experiencing:
>
>$ grep -E 'ACCOUNT.*Error Code=incorrect password' /var/CommuniGate/SystemLogs/2016-07-04* | awk -F'[][)(]' '{print $2 " " $6}' | sort | uniq -c | sort -rn
>
>Look for the 'ACCOUNT.*Error Code' lines in the current day's log files (2016-07-04*), pipe it through AWK using the characters '][)(' as field delimiters, and print out the second and sixth fields (Account and IP address hopefully). Pipe those results into the sort/uniq commands to get a nice, ranked list of the 'Account IP-Address' combinations and which ones are most popular.
>
>I suppose it would also give you a pretty good list of IP addresses that are compromised as well.
>
>Jeff Wark
>Tbaytel Internet
>On Mon, 4 Jul 2016 12:03:39 +0000
>Marcel Hochuli <mhochuli@a-f.ch> wrote:
>> Hi
>>
>> I get thousands of hack attempts that try to break an account with clear text. Clear text is deactivated, and the particular email account is disabled, too.
>>
>> But the vicious IP address never gets blocked. It can hack our mailserver for many days.
>>
>> I can block the IP address, but a few days later a new source IP does the same hacking.
>>
>> Is there a setting that I am missing, to block the IP automatically?
>>
>>
>> 07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 rejected: 'clear text' login prohibited
>> 07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51947 rejected: 'clear text' login prohibited
>> 07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54314 rejected: 'clear text' login prohibited
>> 07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56451 rejected: 'clear text' login prohibited
>> 07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58883 rejected: 'clear text' login prohibited
>> 07:59:30.871 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:61306 rejected: 'clear text' login prohibited
>> 07:59:35.445 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63772 rejected: 'clear text' login prohibited
>> 07:59:39.830 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49671 rejected: 'clear text' login prohibited
>> 07:59:44.118 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51685 rejected: 'clear text' login prohibited
>> 07:59:49.178 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:53867 rejected: 'clear text' login prohibited
>> 07:59:53.728 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56576 rejected: 'clear text' login prohibited
>> 07:59:58.050 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58178 rejected: 'clear text' login prohibited
>> 08:00:02.423 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60796 rejected: 'clear text' login prohibited
>> 08:00:06.743 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:62490 rejected: 'clear text' login prohibited
>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) notification E-mail sent
>> 08:00:11.569 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:64666 rejected: 'clear text' login prohibited
>> 08:00:16.646 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:50551 rejected: 'clear text' login prohibited
>> 08:00:21.056 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:52718 rejected: 'clear text' login prohibited
>> 08:00:25.383 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54463 rejected: 'clear text' login prohibited
>> 08:00:29.836 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56942 rejected: 'clear text' login prohibited
>> 08:00:34.469 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58937 rejected: 'clear text' login prohibited
>> 08:00:39.736 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60958 rejected: 'clear text' login prohibited
>> 08:00:44.709 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63058 rejected: 'clear text' login prohibited
>> 08:00:49.380 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49232 rejected: 'clear text' login prohibited
>>
>>
>> +---
>> mailto:mhochuli@a-f.ch
>> otherto:noway@a-f.ch
>> _______________________________________
>>
>>
>>
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>>  the mailing list <CGatePro@mail.stalker.com>.
>> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
>> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
>> To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
>> Send administrative queries to  <CGatePro-request@mail.stalker.com>
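Jeff's grep/awk pipeline above ranks (account, IP) pairs by failure count, and the rejectedOnMethodAUTHs trigger in Marcel's log fires on 5 rejections in 60 seconds. The following Python is an added example, not code from the thread or from CommuniGate Pro, that does both over a few constructed log lines in the same layout; the exact wording of the "Error Code=incorrect password" entries and the sample IPs are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Line shape quoted in the thread (the 'Error Code=' variant is an assumption):
#   HH:MM:SS.mmm <n> ACCOUNT(<name>) login(<service>) from [<ip>]:<port> <result>
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ ACCOUNT\((?P<account>[^)]*)\) "
    r"login\((?P<service>[^)]*)\) from \[(?P<ip>[^\]]+)\]:\d+ (?P<result>.*)$"
)
FAILURE_MARKERS = ("rejected:", "Error Code=")

# Constructed sample log (documentation IPs), same layout as Marcel's excerpt.
SAMPLE_LOG = """\
07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [192.0.2.10]:49340 rejected: 'clear text' login prohibited
07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [192.0.2.10]:51947 rejected: 'clear text' login prohibited
07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [192.0.2.10]:54314 rejected: 'clear text' login prohibited
07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [192.0.2.10]:56451 rejected: 'clear text' login prohibited
07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [192.0.2.10]:58883 rejected: 'clear text' login prohibited
07:59:30.000 1 ACCOUNT(alice) login(IMAP) from [198.51.100.7]:40001 failed: Error Code=incorrect password
08:00:02.423 1 ACCOUNT(alice) login(IMAP) from [198.51.100.7]:40002 failed: Error Code=incorrect password
08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, account, ip, result) for each rejected/failed login line; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and any(k in m["result"] for k in FAILURE_MARKERS):
            yield datetime.strptime(m["time"], "%H:%M:%S.%f"), m["account"], m["ip"], m["result"]

def rank_account_ip(lines):
    """Same ranking as the grep | awk | sort | uniq -c | sort -rn pipeline: (account, ip) by failure count."""
    return Counter((acct, ip) for _, acct, ip, _ in parse_failures(lines)).most_common()

def ips_over_threshold(lines, max_failures=5, window_sec=60):
    """Sliding-window version of the '5 in 60 sec' trigger: return {ip: time of the failure that tripped it}."""
    recent, tripped, window = defaultdict(deque), {}, timedelta(seconds=window_sec)
    for ts, _, ip, _ in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and ip not in tripped:
            tripped[ip] = ts           # candidate for the Blacklisted IPs list
    return tripped

if __name__ == "__main__":
    print(rank_account_ip(SAMPLE_LOG), ips_over_threshold(SAMPLE_LOG))
```

The TRIGGERHANDLER line is deliberately left in the sample to show that only ACCOUNT login lines are counted.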