Mailing List CGatePro@mail.stalker.com Message #106107
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: hack attempt recognition?
Date: Wed, 06 Jul 2016 14:15:48 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v6.0.11
Not having looked at the script, I would say the second one is the one you want.

The .? means an optional character (maybe taking into account SMTPI records)
and the (.*?) means any sequence of characters, but be non-greedy.  In this case, stop at the first right parenthesis character '\)'.

I might even change that to something like ([^)]*) which says 'any number of NON-right parenthesis characters'.  But it should be fine.

-- 

Jeff Wark
Tbaytel Internet
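As an added illustration (not code from the thread or from Niversoft's script), the three patterns under discussion run over constructed log lines using Python's re module, which handles these constructs (alternation, \d, .?, lazy .*?, negated classes, the /i flag) the same way Perl does. The "SMTPI-nnn(...)" line shape is inferred from the regexes, not taken from the thread, and the counting helper is an assumption about what the script does with the match.

```python
import re
from collections import Counter

# The two candidate match phrases from the thread, as Python regexes (Perl /.../i -> re.I).
GREEDY = re.compile(r"\d (POP|SMTP|IMAP)-\d+\((.*)\).* rejected: 'clear text' login prohibited", re.I)
LAZY = re.compile(r"\d (POP|SMTP|IMAP).?-\d+\((.*?)\).*rejected: 'clear text' login prohibited", re.I)
# Jeff's suggested variant: a negated character class instead of a lazy quantifier.
NOPAREN = re.compile(r"\d (POP|SMTP|IMAP).?-\d+\(([^)]*)\).*rejected: 'clear text' login prohibited", re.I)

# Constructed sample lines (not from the thread) in the module-level shape the
# regexes are written for.  The second line carries a later parenthesised token,
# so the greedy capture overshoots the address.
CONSTRUCTED = [
    "07:59:09.273 2 SMTPI-000123([46.183.221.62]:49340) rejected: 'clear text' login prohibited",
    "07:59:13.608 2 SMTP-000124([46.183.221.62]:51947) AUTH(PLAIN) rejected: 'clear text' login prohibited",
    "08:01:00.000 2 IMAP-000777([203.0.113.9]:40001) rejected: 'clear text' login prohibited",
]
# One line copied from the thread's ACCOUNT(...) excerpt: it matches none of the patterns,
# because none of them allow "ACCOUNT" between the log level digit and the module name.
ACCOUNT_LINE = ("07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 "
                "rejected: 'clear text' login prohibited")


def capture(pattern, line):
    """Return the parenthesised capture (group 2) or None when the line does not match."""
    m = pattern.search(line)
    return m.group(2) if m else None


IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")  # the [address] part inside the capture


def offending_ips(lines, pattern=LAZY, threshold=2):
    """Count rejected clear-text logins per source IP; return those at or above threshold.

    Hypothetical helper standing in for the blacklisting step the thread describes.
    """
    hits = Counter()
    for line in lines:
        cap = capture(pattern, line)
        if cap is None:
            continue
        ip = IP_RE.search(cap)
        if ip:
            hits[ip.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```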
On Wed, 6 Jul 2016 15:37:00 +0000
Marcel Hochuli <mhochuli@a-f.ch> wrote:
>> Thanks Brian and Jeff
>>
>> I already consulted the Temporarily Blocked IP Addresses section. I'm not sure if "failed Logins" capture the rejectedOnMethodAUTHs errors. I lowered the amount per timeframe, but I think it will cause other problems with auto-configuring email clients that test some methods automatically and will then be blocked…
>>
>> I would try Niversoft's script, I think it is a better solution. I am just not sure how to add the match phrase as it has two different styles in the match section. Which one is correct?
>>
>>      or ($line =~ /\d (POP|SMTP|IMAP)-\d+\((.*)\).* rejected: 'clear text' login prohibited/i)
>>      or ($line =~ /\d (POP|SMTP|IMAP).?-\d+\((.*?)\).*rejected: 'clear text' login prohibited/i)
>>
>> Thanks,
>> Marcel
>>
>> _______________________________________
>>
>>
>>
>>> Am 05.07.2016 um 14:02 schrieb Brian Turnbow <b.turnbow@twt.it>:
>>>
>>> Hi,
>>>
>>> As Jeff said you can take a look into setting up the temporary blacklisting, take a look at the protection section of the guide.
>>> They also have failed login limits at the account level where you can define the number of max failures and the timeframe.
>>>
>>> I would also suggest taking a look at Niversoft’s dictionary attack script.
>>> You can easily add “rejected: 'clear text' login prohibited” as a match phrase.
>>> It will add the IPs directly to the blacklisted IPs section of communigate.
>>>
>>>
>>> Best Regards
>>>
>>> Brian
>>>
>>>> On my 6.0 type server:
>>>>
>>>> Settings->Network->Blacklisted IPs->Temporarily Blocked IP Addresses (near the bottom)
>>>>
>>>> There you can set some parameters (failed login counts per unit time) to block the offending IP addresses.  We actually had to make it really lenient because of how some of our customers were using Outlook and how it logged in incorrectly each attempt.
>>>>
>>>> Now, I'm not an AWK professional, but the following gives you a little insight into failed logins you might be experiencing:
>>>>
>>>> $ grep -E 'ACCOUNT.*Error Code=incorrect password' /var/CommuniGate/SystemLogs/2016-07-04* | awk -F'[][)(]' '{print $2 " " $6}' | sort | uniq -c | sort -rn
>>>>
>>>> Look for the 'ACCOUNT.*Error Code' lines in the current day's log files (2016-07-04*), pipe it through AWK using the characters '][)(' as field delimiters, and print out the second and sixth fields (Account and IP address hopefully).  Pipe those results into the sort/uniq commands to get a nice, ranked list of the 'Account IP-Address' combinations and which ones are most popular.
>>>>
>>>> I suppose it would also give you a pretty good list of IP addresses that are compromised as well.
>>>
>>>
>>>> Jeff Wark
>>>> Tbaytel Internet
>>>> On Mon, 4 Jul 2016 12:03:39 +0000
>>>> Marcel Hochuli <mhochuli@a-f.ch> wrote:
>>>>> Hi
>>>>>
>>>>> I get thousands of hack attempts that try to break an account with clear text. Clear text is deactivated. And the particular email account is disabled, too.
>>>>>
>>>>> But the vicious IP address never gets blocked. It can hack our mailserver for many days.
>>>>>
>>>>> I can block the IP address, but a few days later, a new source IP does the same hacking.
>>>>>
>>>>> Is there a setting that I am missing, to block the IP automatically?
>>>>>
>>>>>
>>>>> 07:59:09.273 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49340 rejected: 'clear text' login prohibited
>>>>> 07:59:13.608 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51947 rejected: 'clear text' login prohibited
>>>>> 07:59:17.902 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54314 rejected: 'clear text' login prohibited
>>>>> 07:59:22.223 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56451 rejected: 'clear text' login prohibited
>>>>> 07:59:26.537 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58883 rejected: 'clear text' login prohibited
>>>>> 07:59:30.871 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:61306 rejected: 'clear text' login prohibited
>>>>> 07:59:35.445 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63772 rejected: 'clear text' login prohibited
>>>>> 07:59:39.830 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49671 rejected: 'clear text' login prohibited
>>>>> 07:59:44.118 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:51685 rejected: 'clear text' login prohibited
>>>>> 07:59:49.178 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:53867 rejected: 'clear text' login prohibited
>>>>> 07:59:53.728 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56576 rejected: 'clear text' login prohibited
>>>>> 07:59:58.050 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58178 rejected: 'clear text' login prohibited
>>>>> 08:00:02.423 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60796 rejected: 'clear text' login prohibited
>>>>> 08:00:06.743 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:62490 rejected: 'clear text' login prohibited
>>>>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) 14: 5 in 60 sec
>>>>> 08:00:09.523 2 TRIGGERHANDLER(warn) TRIGGER(rejectedOnMethodAUTHs) notification E-mail sent
>>>>> 08:00:11.569 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:64666 rejected: 'clear text' login prohibited
>>>>> 08:00:16.646 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:50551 rejected: 'clear text' login prohibited
>>>>> 08:00:21.056 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:52718 rejected: 'clear text' login prohibited
>>>>> 08:00:25.383 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:54463 rejected: 'clear text' login prohibited
>>>>> 08:00:29.836 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:56942 rejected: 'clear text' login prohibited
>>>>> 08:00:34.469 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:58937 rejected: 'clear text' login prohibited
>>>>> 08:00:39.736 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:60958 rejected: 'clear text' login prohibited
>>>>> 08:00:44.709 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:63058 rejected: 'clear text' login prohibited
>>>>> 08:00:49.380 1 ACCOUNT(hidden) login(SMTP) from [46.183.221.62]:49232 rejected: 'clear text' login prohibited
>>>>>
>>>>>
>>>>> +---
>>>>> mailto:mhochuli@a-f.ch
>>>>> otherto:noway@a-f.ch
>>>>> _______________________________________
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> #############################################################
>>>>> This message is sent to you because you are subscribed to
>>>>>   the mailing list <CGatePro@mail.stalker.com>.
>>>>> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
>>>>> To switch to the DIGEST mode, E-mail to
>>> <CGatePro-digest@mail.stalker.com>
>>>>> To switch to the INDEX mode, E-mail to
>>> <CGatePro-index@mail.stalker.com>
>>>>> Send administrative queries to  <CGatePro-request@mail.stalker.com>
>>> #############################################################
