Failed SMTP login (Kerio User Forums, Kerio Connect)
  •  
zebby

Looking through the security log I can see that some clowns are making repeated SMTP login attempts every three seconds.
One originated from Taiwan lasting 4.5 hours and two from China lasting over 24 hours.

Is there any way of controlling this?

I'd like KC to block an IP after a predetermined number of failed attempts but I don't see this anywhere.
Am I not looking in the right places or is it simply a case of it not being there?


  •  
ICT and Me

Look below Configuration -> SMTP server -> tab "Security options".
Maybe this can help you.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
zebby

Thanks for the reply but I don't see how the IP limits there will make any difference
  •  
ICT and Me

Unknown recipients (directory harvest attack protection) could help. We have it set to 5. The attacker stops after 5 unknowns because Connect blocks at that point.
Otherwise a good firewall solution that also monitors your MX traffic.
  •  
zebby

I misunderstood that setting.

I'll enable it and see what happens...
  •  
zebby

So we have enabled 'Unknown recipients (directory harvest attack protection)' and set it to 5. However this isn't preventing the attack by blocking an IP.

In the log this morning we have:
[04/Nov/2010 17:49:10] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:11] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:19] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:20] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:27] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:27] SMTP server connection from 69.198.187.130 closed after 3 bad commands

running every few seconds through to 08.29 this morning when it stops.

Is there really nothing in Kerio that will stop this?

  •  
ICT and Me

It's blocking. See last rule. Connection closed.
And make an abuse report to the ISP of this IP.
  •  
zebby

How is it blocking?

It's merely closing the connection after 3 attempts then allowing the same IP to try over and over again, which it did do for over 14 hours.

In my book 'blocking' won't allow a connection attempt at all.
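
Added example, not part of the thread and not a Kerio Connect feature: one way to find the addresses the thread is asking about is to count "Failed SMTP login" lines per source IP over a sliding window, across connections, and hand the result to a firewall in front of the server. The function name, the 5-failure and 10-minute thresholds, and the 192.0.2.10 log line are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log lines in the format quoted in the thread; the 192.0.2.10 line is constructed.
SAMPLE_LOG = """\
[04/Nov/2010 17:49:10] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:11] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:15] Failed SMTP login from 192.0.2.10
[04/Nov/2010 17:49:19] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:20] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:27] Failed SMTP login from 69.198.187.130
[04/Nov/2010 17:49:27] SMTP server connection from 69.198.187.130 closed after 3 bad commands
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FAILED = re.compile(
    r"^\[(\d{2})/([A-Z][a-z]{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})\] "
    r"Failed SMTP login from (\d{1,3}(?:\.\d{1,3}){3})$")

def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each IP to the time it reached max_failures failed logins in window.

    Failures are counted per source IP across connections, so an IP that is
    disconnected and simply reconnects keeps accumulating toward the limit.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m or m.group(2) not in MONTHS:
            continue              # skip other event types
        day, mon, year, hh, mm, ss, ip = m.groups()
        ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:   # drop failures older than the window
            seen.popleft()
        if len(seen) >= max_failures:
            flagged.setdefault(ip, ts)  # keep the first time the limit was hit
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the limit at {when}")  # candidate for a firewall block
```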