Mailing List CGatePro@mail.stalker.com Message #106106
From: Marcel Hochuli <mhochuli@a-f.ch>
Subject: Re: hack attempt recognition?
Date: Wed, 6 Jul 2016 15:37:00 +0000
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Thanks Brian and Jeff

I already consulted the Temporarily Blocked IP Addresses section. I'm not sure if "failed Logins" captures the rejectedOnMethodAUTHs errors. I lowered the amount per timeframe, but I think it will cause other problems with auto-configuring email clients that test some methods automatically and will then be blocked…

I would try Niversoft's script; I think it is a better solution. I am just not sure how to add the match phrase, as it has two different styles in the match section. Which one is correct?

      or ($line =~ /\d (POP|SMTP|IMAP)-\d+\((.*)\).* rejected: 'clear text' login prohibited/i)
      or ($line =~ /\d (POP|SMTP|IMAP).?-\d+\((.*?)\).*rejected: 'clear text' login prohibited/i)

Thanks,
Marcel

_______________________________________



> On 05.07.2016 at 14:02, Brian Turnbow <b.turnbow@twt.it> wrote:
>
> Hi,
>
> As Jeff said you can take a look into setting up the temporary
> blacklisting, take a look at the protection section of the guide.
> They have also failed login limits at the account level where you can
> define the number of max failures and the timeframe.
>
> I would also suggest taking a look at Niversoft’s dictionary attack
> script.
> You can easily add “rejected: 'clear text' login prohibited” as a
> match phrase.
> It will add the IPs directly to the blacklisted IPs section of
> communigate.
>
>
> Best Regards
>
> Brian
>
>> On my 6.0 type server:
>>
>> Settings->Network->Blacklisted IPs->Temporarily Blocked IP Addresses
>> (near the bottom)
>>
>> There you can set some parameters (failed login counts per unit time) to
>> block the offending IP addresses.  We actually had to make it really
>> lenient because of how some of our customers were using Outlook and how
>> it logged in incorrectly each attempt.
>>
>> Now, I'm not an AWK professional, but the following gives you a little
>> insight into failed logins you might be experiencing:
>>
>> $ grep -E 'ACCOUNT.*Error Code=incorrect password' /var/CommuniGate/SystemLogs/2016-07-04* | awk -F'[][)(]' '{print $2 " " $6}' | sort | uniq -c | sort -rn
>>
>> Look for the 'ACCOUNT.*Error Code' lines in the current day's log files
>> (2016-07-04*), pipe it through AWK using the characters '][)(' as field
>> delimiters, and print out the second and sixth fields (Account and IP
>> address hopefully).  Pipe those results into the sort/uniq commands to get
>> a nice, ranked list of the 'Account IP-Address' combinations and which
>> ones are most popular.
>>
>> I suppose it would also give you a pretty good list of IP addresses that
>> are compromised as well.
>>
>>
>> Jeff Wark
>> Tbaytel Internet
>> On Mon, 4 Jul 2016 12:03:39 +0000
>> Marcel Hochuli <mhochuli@a-f.ch> wrote:
>>> Hi
>>>
>>> I get thousands of hack attempts that try to break an account with
>>> clear text. Clear text is deactivated. And the particular
>>> email account is disabled, too.
>>>
>>> But the vicious IP address never gets blocked. It can hack our
>>> mailserver for many days.
>>>
>>> I can block the IP address, but a few days later, a new source IP does
>>> the same hacking.
>>>
>>> Is there a setting that I miss, to block the IP automatically?
>>>
>>>
>>> 07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 rejected: 'clear text' login prohibited
>>> 07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51947 rejected: 'clear text' login prohibited
>>> 07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54314 rejected: 'clear text' login prohibited
>>> 07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56451 rejected: 'clear text' login prohibited
>>> 07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58883 rejected: 'clear text' login prohibited
>>> 07:59:30.871 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:61306 rejected: 'clear text' login prohibited
>>> 07:59:35.445 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63772 rejected: 'clear text' login prohibited
>>> 07:59:39.830 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49671 rejected: 'clear text' login prohibited
>>> 07:59:44.118 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51685 rejected: 'clear text' login prohibited
>>> 07:59:49.178 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:53867 rejected: 'clear text' login prohibited
>>> 07:59:53.728 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56576 rejected: 'clear text' login prohibited
>>> 07:59:58.050 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58178 rejected: 'clear text' login prohibited
>>> 08:00:02.423 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60796 rejected: 'clear text' login prohibited
>>> 08:00:06.743 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:62490 rejected: 'clear text' login prohibited
>>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
>>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) notification E-mail sent
>>> 08:00:11.569 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:64666 rejected: 'clear text' login prohibited
>>> 08:00:16.646 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:50551 rejected: 'clear text' login prohibited
>>> 08:00:21.056 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:52718 rejected: 'clear text' login prohibited
>>> 08:00:25.383 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54463 rejected: 'clear text' login prohibited
>>> 08:00:29.836 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56942 rejected: 'clear text' login prohibited
>>> 08:00:34.469 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58937 rejected: 'clear text' login prohibited
>>> 08:00:39.736 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60958 rejected: 'clear text' login prohibited
>>> 08:00:44.709 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63058 rejected: 'clear text' login prohibited
>>> 08:00:49.380 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49232 rejected: 'clear text' login prohibited
>>>
>>>
>>> +---
>>> mailto:mhochuli@a-f.ch
>>> otherto:noway@a-f.ch
>>> _______________________________________
>>>
>>>
>>>
>>>
>>> #############################################################
>>> This message is sent to you because you are subscribed to
>>>   the mailing list <CGatePro@mail.stalker.com>.
>>> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
>>> To switch to the DIGEST mode, E-mail to
> <CGatePro-digest@mail.stalker.com>
>>> To switch to the INDEX mode, E-mail to
> <CGatePro-index@mail.stalker.com>
>>> Send administrative queries to  <CGatePro-request@mail.stalker.com>
> #############################################################
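Added illustration, not code from this thread, from CommuniGate or from Niversoft's script: the ranking Jeff's grep | awk | sort | uniq -c pipeline produces and the "5 in 60 sec" rule from the rejectedOnMethodAUTHs trigger, re-implemented over the ACCOUNT log lines quoted above. The line format is taken from Marcel's sample; the `alice`/`bob` lines, their IPs and the wording of the "incorrect password" lines are constructed (only Jeff's grep pattern `Error Code=incorrect password` is from the thread), and the `exempt` set is an assumption added to cover the auto-configuring-client problem Marcel raises.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample. The five 46.183.221.62 lines are copied from the
# thread; the alice/bob lines are invented to exercise a second protocol
# and the "incorrect password" variant. The exact text of a real
# incorrect-password line is an assumption built from Jeff's grep pattern.
SAMPLE_LOG = """\
07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 rejected: 'clear text' login prohibited
07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51947 rejected: 'clear text' login prohibited
07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54314 rejected: 'clear text' login prohibited
07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56451 rejected: 'clear text' login prohibited
07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58883 rejected: 'clear text' login prohibited
08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
08:03:01.100 1 ACCOUNT(alice) login(IMAP) from [198.51.100.7]:50001 rejected: 'clear text' login prohibited
08:05:12.000 1 ACCOUNT(bob) login(POP) from [203.0.113.9]:40001 failed. Error Code=incorrect password
08:05:13.000 1 ACCOUNT(bob) login(POP) from [203.0.113.9]:40002 failed. Error Code=incorrect password
"""

# search() rather than match(): when grep runs over several files it
# prefixes each line with the file name, which this pattern simply skips.
LINE_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ ACCOUNT\((?P<account>[^)]*)\) "
    r"login\((?P<proto>[A-Z0-9]+)\) from \[(?P<ip>[^\]]+)\]:\d+ (?P<rest>.*)$"
)

# Substrings that mark a failed login; the first is the phrase Brian
# suggests as a match phrase, the second is what Jeff greps for.
FAILURE_KINDS = (
    ("cleartext", "rejected: 'clear text' login prohibited"),
    ("badpass", "Error Code=incorrect password"),
)


def parse_events(log_text):
    """Return (seconds_since_midnight, account, protocol, ip, kind) for every
    failed-login ACCOUNT line; TRIGGERHANDLER and other lines are skipped.
    The log carries only a time of day, so a window must not span midnight."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = next((k for k, needle in FAILURE_KINDS if needle in m.group("rest")), None)
        if kind is None:
            continue
        h, mi, s = m.group("time").split(":")
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        events.append((t, m.group("account"), m.group("proto"), m.group("ip"), kind))
    return events


def rank_account_ip(events):
    """Same output as Jeff's awk '{print $2 " " $6}' | sort | uniq -c | sort -rn:
    (account, ip) pairs, most frequent first."""
    return Counter((acct, ip) for _, acct, _, ip, _ in events).most_common()


def find_offenders(events, limit=5, window=60.0, exempt=()):
    """Return {ip: time_of_nth_failure} for IPs with `limit` failures inside
    any `window`-second span (the default mirrors the '5 in 60 sec' trigger).
    A sliding window is used so evenly spaced attempts still trip it.
    `exempt` is an assumed allow-list for addresses that must never be
    blocked, e.g. an office NAT behind which clients probe auth methods."""
    recent = defaultdict(deque)
    tripped = {}
    for t, _acct, _proto, ip, _kind in sorted(events):
        if ip in exempt or ip in tripped:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= limit:
            tripped[ip] = t
    return tripped


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for (acct, ip), n in rank_account_ip(ev):
        print(f"{n:7d} {acct} {ip}")
    for ip, t in find_offenders(ev).items():
        print(f"block {ip} (threshold reached at {int(t)//3600:02d}:{int(t)%3600//60:02d})")
```

Fed from the current day's SystemLogs file as in Jeff's command, the addresses returned by `find_offenders` are the ones to put into the Blacklisted IPs list; the `exempt` set is where a shared NAT or a known auto-configuring client's address goes, which is the side effect Marcel expects from simply lowering the per-timeframe limit. Only 46.183.221.62 trips the default rule in the sample; bob's two bad passwords a second apart would only trip it with `limit=2`.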
