Kerio Mail server being attacked (Security suggestions)
  •  
Nucleus

Hi All

I have been reviewing my security logs and have found that people are trying to hack our mail server.

Is there a way to block an IP address after 4 or 5 attempts?

Thankfully they haven't gotten in yet, but I would rather shut them down before they get lucky.

Thanks

Thomas
  •  
Nucleus

They are using hundreds of different user names trying to get access, so this would work, but I want to be able to stop them after the second or third try with a different username but the same IP. Thanks for the reply though.
  •  
it@leonardsexpress.com

I would block the IP address or range at the firewall level if your mailserver is behind a firewall.

IT Admin
  •  
KCAP

Yes, I would like this option also.
We are now blocking this: after we notice a 'hacker' we put his IP in our Kerio firewall black list to block, also to give the mailserver more free resources instead of all the time checking all names etc.

We would like to get the function stated above, to automatically block an IP after a few tries.
Or better, that the mailserver can update the block list in the firewall automatically.
And also blocking this (did this for days before we noticed and blocked it):
[21/Aug/2011 08:57:39] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:57:43] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:57:48] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:57:48] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 08:58:09] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:13] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:18] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:18] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 08:58:39] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:43] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:48] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:58:48] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 08:59:09] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:13] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:18] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:18] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 08:59:42] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:46] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:51] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 08:59:51] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 09:00:12] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:16] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:21] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:21] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 09:00:45] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:49] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:54] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:00:54] SMTP server connection from 24.65.64.83 closed after 3 bad commands
[21/Aug/2011 09:01:15] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:01:19] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:01:24] Failed SMTP login from s0106000ae61f4c06.fm.shawcable.net
[21/Aug/2011 09:01:24] SMTP server connection from 24.65.64.83 closed after 3 bad commands

Teun
KCAP

[Updated on: Thu, 08 September 2011 12:59]


  •  
freakinvibe

This has been discussed here many times, see for example:

http://forums.kerio.com/m/70571/

You can't block this with Kerio. Either use your firewall to do this or just do nothing. If you have all strong passwords, those bots will not be able to get into an account.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
vomsupport

You can also use Fail2ban if you use Linux etc
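
Added example, not part of any post above and not Kerio or Fail2ban code: the "N failures inside a time window" rule that the thread asks for, run over the two log line shapes quoted earlier. The function names, the thresholds and the sample hosts (`client.example.net`, `mail.example.org`, `203.0.113.7`) are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both line shapes quoted in the thread; the source token is a hostname or an IP.
LINE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"(?:Failed SMTP login from (?P<login_src>\S+)"
    r"|SMTP server connection from (?P<conn_src>\S+) closed after \d+ bad commands)$"
)

def find_offenders(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {source: time the threshold was crossed} for every source with
    at least max_retry matching events inside a sliding find_time window."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # unrelated log line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        src = m["login_src"] or m["conn_src"]
        window = recent[src]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop events that fell out of the window
        if len(window) >= max_retry and src not in flagged:
            flagged[src] = ts
    return flagged

def constructed_sample():
    """Constructed log lines (not from a real server): one user typo
    and one client retrying three logins per connection every 30 seconds."""
    start = datetime(2011, 8, 21, 8, 57, 39)
    out = ["[21/Aug/2011 08:10:00] Failed SMTP login from mail.example.org"]
    for burst in range(5):
        for i in range(3):
            t = start + timedelta(seconds=30 * burst + 4 * i)
            out.append(f"[{t:%d/%b/%Y %H:%M:%S}] Failed SMTP login from client.example.net")
        out.append(f"[{t:%d/%b/%Y %H:%M:%S}] SMTP server connection "
                   "from 203.0.113.7 closed after 3 bad commands")
    return out

if __name__ == "__main__":
    for src, when in find_offenders(constructed_sample()).items():
        print(f"{when:%H:%M:%S} threshold crossed by {src}")
```

The failed-login lines carry a reverse-DNS name while the "closed after" lines carry the address, so the two are counted under separate keys; the address key is the one a firewall rule can use directly.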