Kerio Connect forum: Tracing connections (How can I trace a specific ActiveSync connection)

Waco1 wrote:

I have a user who uses (average) four devices to sync email+ via ActiveSync.

This user has a deal with the local telecom, so he's always swapping new devices for newer ones.

It was inevitable... He's "misplaced" one of the devices, so we changed passwords to protect his data.

Now, I get a Security log entry every 4-6 seconds, HTTP/EWS, with a failed login for that user. If account-lockout is enabled, the account will lock out because of the failed logins.

The misplaced device is on a charger, apparently.

The logged IP address is from the firewall's NIC to our DMZ (not useful).

I already tried setting the password back to wipe whatever DOES connect, but after an hour, no device had connected...

(My user has devised a very effective DDoS attack against himself)

Now, before anyone offers the obvious snarky answer, this user owns the company...

What is the best way to track this device down?

ccjwells wrote:

Have you tried matching up the devices by their last sync time? I imagine that the device with the changed password can't sync and should have a relatively old sync time. If it still updates the sync time when it fails to authenticate, turn off all the other devices and initiate a remote wipe on the most recent one. The only other way I can think of would be to try to match device IDs to specific devices, but that is what I can think of off the top of my head. There probably is a better way though.

Waco1 wrote:

ccjwells wrote on Wed, 02 November 2011 11:01
Have you tried matching up the devices by their last sync time? I imagine that the device with the changed password can't sync and should have a relatively old sync time. If it still updates the sync time when it fails to authenticate, turn off all the other devices and initiate a remote wipe on the most recent one. The only other way I can think of would be to try to match device IDs to specific devices, but that is what I can think of off the top of my head. There probably is a better way though.


I tried this, but the user claims he doesn't physically have that device any longer. We matched up device ids, as you suggested, and one of them hasn't synced since we changed his password.

About an hour ago, I removed the registration for ALL of his devices -- except for the Blackberry, which can't be removed (it's been removed on the BES server, but still appears in Kerio where I assume it will stay forever). Only two mobile devices have reappeared, and we've matched up the device-ids with the physical devices.

Unfortunately, a sync has to succeed before a usable IP address is obtained in the log. Or, so it seems. Maybe there's a better way?

In other news: ActiveSync + Account Lockout is just about the easiest DoS target around. I may need to move the SSL service port, just to make it non-obvious.

ccjwells wrote:

Well, I hate to suggest this, but you can always set his password back to the old one, let the device sync, and then initiate remote wipe for the device.

Waco1 wrote:

Yeah, I suppose.

I wish there were an easy way to just change the User ID for an account.

The way it is now, if you know a Kerio user's real email address (non-alias), then you can lock them out of their account with a batch script, from anywhere, and there's practically nothing their admin can do to stop it, short of shutting down ActiveSync (and probably Webmail). This user has proven that can even be done accidentally.

MarkK wrote:

You should enable some of the debug log messages to get the incoming connection's IP address, even though it is not successful.

Waco1 wrote:

MarkK wrote on Wed, 02 November 2011 14:05
You should enable some of the debug log messages to get the incoming connection's IP address, even though it is not successful.


Can you offer any tips for relating the thousands of connection debug messages to specific security log failed-login messages?

Might it be easier to fire up Ethereal and trap packets at the NIC?

MarkK wrote:

Searching for a needle in a haystack is going to involve a lot of sorting through other material. I would think that Wireshark (Ethereal is no longer) could produce even more stuff to sort through. If you have a lot of devices, the logging is going to be big.

I would enable the Debug - Network Connections and SSL & User Authentication messages. Let that run until you think (or are able to search for and find) the rogue device's attempt. If it is using ActiveSync, there is an ActiveSync message option.

Once you have a hit, the log entries start with [Date-Time][UniqueID#]. You should be able to trace up and down the log as to what is happening on a specific connection attempt.

Waco1 wrote:

MarkK wrote on Wed, 02 November 2011 15:53
Searching for a needle in a haystack is going to involve a lot of sorting through other material. I would think that Wireshark (Ethereal is no longer) could produce even more stuff to sort through. If you have a lot of devices, the logging is going to be big.

I would enable the Debug - Network Connections and SSL & User Authentication messages. Let that run until you think (or are able to search for and find) the rogue device's attempt. If it is using ActiveSync, there is an ActiveSync message option.

Once you have a hit, the log entries start with [Date-Time][UniqueID#]. You should be able to trace up and down the log as to what is happening on a specific connection attempt.


Yeah, but I have and know Ethereal. Wireshark, well, I have it.

I was hoping there's a better marker than the security log's timestamp, but I thought of an alternative: wait until 2AM, when traffic is light, and see if that device is still polling. If so, then almost all of the HTTP and connection messages will be associated with that device and it will be easier to wade through with a highly sophisticated diag tool like 'less' or 'vi'.

Thank you, sir.

MarkK wrote:

Sorry, I should have expanded on it; I meant to. Not the timestamp: the UniqueID will stay the same for the whole "transaction". That will make it easier to trace that one connection over all of the different timestamps. You can then export the log and search through it using something that makes it easier to manipulate the log.
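Putting MarkK's advice into practice, here is an added example (not code from this thread or from Kerio) that does the correlation he describes over an exported debug log. It assumes only what the thread states, that each line starts with a [Date-Time][UniqueID#] prefix and that the UniqueID is constant for one connection; the message wording, the IP addresses, the user name and the DeviceId values in the sample excerpt are constructed for the example and are not Kerio's real log text. The script groups lines by connection ID, finds the connections in which the target user failed to authenticate, and reports the source IP together with the ActiveSync DeviceId/DeviceType from the request in the same connection, so the offending device registration can be identified even when, as in Waco1's case, the source IP is only the firewall's DMZ interface.

```python
import re
from collections import defaultdict

# Line prefix as described in the thread: [Date-Time][UniqueID#] message.
PREFIX_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<cid>[^\]]+)\]\s*(?P<msg>.*)$")
# The message bodies matched below are assumed wording for this example,
# not Kerio's own; adjust the patterns to the real log text.
ACCEPT_RE = re.compile(r"Accepted connection from (?P<ip>\d+(?:\.\d+){3}):\d+")
DEVICE_RE = re.compile(r"DeviceId=(?P<id>[^&\s]+)(?:&DeviceType=(?P<type>[^&\s]+))?")
FAIL_RE = re.compile(r"Authentication failed for user (?P<user>\S+)")

# Constructed sample excerpt: three connections, two of them a device retrying
# with a stale password through the firewall's DMZ address (10.0.5.1), one a
# healthy device syncing from the LAN. All values are made up for this example.
SAMPLE_LOG = """\
[02/Nov/2011 02:01:10][4411] Accepted connection from 10.0.5.1:51234 on port 443 (https)
[02/Nov/2011 02:01:10][4411] SSL handshake finished
[02/Nov/2011 02:01:10][4411] HTTP: POST /Microsoft-Server-ActiveSync?Cmd=Ping&DeviceId=ABC123&DeviceType=iPhone
[02/Nov/2011 02:01:10][4411] Authentication failed for user owner@example.com (ActiveSync)
[02/Nov/2011 02:01:10][4411] Connection closed
[02/Nov/2011 02:01:12][4412] Accepted connection from 192.168.1.40:50011 on port 443 (https)
[02/Nov/2011 02:01:12][4412] HTTP: POST /Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=DEF456&DeviceType=Android
[02/Nov/2011 02:01:12][4412] User owner@example.com authenticated (ActiveSync)
[02/Nov/2011 02:01:13][4412] Connection closed
[02/Nov/2011 02:01:15][4413] Accepted connection from 10.0.5.1:51240 on port 443 (https)
[02/Nov/2011 02:01:15][4413] HTTP: POST /Microsoft-Server-ActiveSync?Cmd=Ping&DeviceId=ABC123&DeviceType=iPhone
[02/Nov/2011 02:01:15][4413] Authentication failed for user owner@example.com (ActiveSync)
[02/Nov/2011 02:01:15][4413] Connection closed
"""


def parse_log(text):
    """Group log lines by the connection ID in the second bracket.

    Returns an ordered dict: connection id -> list of (timestamp, message).
    Lines without the [ts][id] prefix (continuations, noise) are skipped.
    """
    conns = {}
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        conns.setdefault(m["cid"], []).append((m["ts"], m["msg"]))
    return conns


def failed_auth_connections(text, user):
    """Return one record per connection in which `user` failed to authenticate.

    Each record carries the source IP from the accept line and the ActiveSync
    DeviceId/DeviceType from the request line of the same connection, which is
    what identifies the device when the IP is a NAT or firewall address.
    """
    hits = []
    for cid, events in parse_log(text).items():
        record = {"conn_id": cid, "ip": None, "device_id": None,
                  "device_type": None, "time": None}
        failed = False
        for ts, msg in events:
            a = ACCEPT_RE.search(msg)
            if a:
                record["ip"] = a["ip"]
            d = DEVICE_RE.search(msg)
            if d:
                record["device_id"] = d["id"]
                record["device_type"] = d["type"]
            f = FAIL_RE.search(msg)
            if f and f["user"].lower() == user.lower():
                failed = True
                record["time"] = ts
        if failed:
            hits.append(record)
    return hits


def summarize(text, user):
    """Count failed logins per (source IP, DeviceId, DeviceType) tuple."""
    counts = defaultdict(int)
    for h in failed_auth_connections(text, user):
        counts[(h["ip"], h["device_id"], h["device_type"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, dev, kind), n in summarize(SAMPLE_LOG, "owner@example.com").items():
        print(f"{n} failed login(s) from {ip}  DeviceId={dev}  DeviceType={kind}")
```

Run it against a log exported during a quiet period (Waco1's 2 AM idea) so the number of connections to sort through stays small. The DeviceId in the output is the value to match against the entries in the user's ActiveSync device list; once the registration is identified, the remote wipe or removal can be targeted at that one device rather than at all of them.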

TorW wrote:

Waco1 wrote on Wed, 02 November 2011 16:16

Unfortunately, a sync has to succeed before a usable IP address is obtained in the log. Or, so it seems. Maybe there's a better way?

Provided the account has its original password, can't you at this point simply initiate a remote wipe to the lost device? Even if the device manages to do ONE successful sync, the remote wipe will render it useless almost immediately after that.

As a bonus: if it's an iPhone, the device will become completely unusable. You can't even turn it on anymore.