IP that logged in? (I can't think of anything that tracks this?)
  •  
pcunix

Messages: 594
Karma: 33
A customer thinks someone else is reading his mail..


I told them to change his password and to also disallow access from anything he doesn't use (if he only uses KOC, disallow Webmail, etc.).

Anything else involves a tremendous amount of noise in Debug and might not be all that conclusive anyway - unless I'm missing something?

He has Control, too: we could log the time of client connections, which might help make more sense of a noisy debug log, but that won't help for internal connections.

I suppose we could dump packets for those protocols right there on the Connect machine and write some fairly complex parsing to keep state and see who did what then - ever heard of anyone doing anything like that?

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
pcunix

Messages: 594
Karma: 33
What I've suggested for the moment is this:

Turn on user authentication in Debug

Run tcpdump on the server with something like this


tcpdump "(tcp port 443 or tcp port 143 or tcp port 993) and tcp[13] == 2" > /somefile

That won't be terribly noisy because it only is capturing initial connections.

Compare that to the Debug log with authentication turned on and I think he can prove if someone is reading someone else's mail and when they did it..

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
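
The comparison described in the post above, sketched as an added example (not from the thread or from Kerio): it pairs each authentication line for one user with the source IPs whose SYN reached a matching port in the preceding few seconds. It assumes the capture was taken with tcpdump's -n option so addresses and ports are numeric; the authentication line layout, addresses, user names and the 5-second window are constructed for illustration, so adapt the regex to the real Debug log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -n` output for the SYN-only filter above.
SYN_CAPTURE = """\
21:39:58.101122 IP 198.51.100.23.50412 > 192.0.2.10.993: Flags [S], seq 1001, win 65535, length 0
21:40:02.554871 IP 203.0.113.77.41877 > 192.0.2.10.993: Flags [S], seq 2002, win 29200, length 0
21:40:02.900417 IP 198.51.100.23.50413 > 192.0.2.10.443: Flags [S], seq 3003, win 65535, length 0
21:55:10.000321 IP 198.51.100.23.50500 > 192.0.2.10.993: Flags [S], seq 4004, win 65535, length 0
"""

# Constructed authentication lines; the real Debug log layout is an assumption.
AUTH_LOG = """\
[28/Jun/2013 21:40:03] IMAP: user jsmith@example.com authenticated
[28/Jun/2013 21:40:03] HTTP: user other@example.com authenticated
[28/Jun/2013 21:55:11] IMAP: user jsmith@example.com authenticated
"""

SYN_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.(\d+): Flags \[S\]")
AUTH_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}) (\d\d:\d\d:\d\d)\] (\w+): user (\S+) authenticated")
PORTS = {"IMAP": {143, 993}, "HTTP": {443}}  # ports from the capture filter

def parse_syns(text, day):
    """Yield (datetime, source IP, destination port); tcpdump prints no date, so `day` supplies it."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield datetime.strptime(f"{day} {m.group(1)}", "%d/%b/%Y %H:%M:%S"), m.group(2), int(m.group(3))

def candidate_sources(user, window=5):
    """For each login by `user`, list source IPs that opened a matching port within `window` seconds before it."""
    results = []
    for line in AUTH_LOG.splitlines():
        m = AUTH_RE.match(line)
        if not m or m.group(4) != user:
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y %H:%M:%S")
        ips = sorted({ip for t, ip, port in parse_syns(SYN_CAPTURE, m.group(1))
                      if port in PORTS.get(m.group(3), ()) and timedelta(0) <= when - t <= timedelta(seconds=window)})
        results.append((when.isoformat(sep=" "), m.group(3), ips))
    return results

if __name__ == "__main__":
    for when, proto, ips in candidate_sources("jsmith@example.com"):
        print(when, proto, ", ".join(ips) or "no matching SYN")
```

When a login returns more than one address, the time window alone cannot tell them apart; the result narrows the candidates rather than identifying the client.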
  •  
pcunix

Messages: 594
Karma: 33
But if we could add IP address to Authentication then Debug alone would do it..

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
mrowell

Messages: 4
Karma: 0
Tony,

Have you created a feature request for this on feedback.kerio.com? I will send my vote your way if you have.

I do have a basic request asking for Audit Log of All Successful Authentications :
feedback.kerio.com/forums/29250-kerio-connect/suggestions/30 59254-audit-log-of-all-successful-authentications

Marcus.
  •  
pcunix

Messages: 594
Karma: 33
mrowell wrote on Fri, 28 June 2013 21:48
Tony,

Have you created a feature request for this on feedback.kerio.com? I will send my vote your way if you have.

I do have a basic request asking for Audit Log of All Successful Authentications :
feedback.kerio.com/forums/29250-kerio-connect/suggestions/30 59254-audit-log-of-all-successful-authentications

Marcus.


I'm out of votes right now..

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
mrowell

Messages: 4
Karma: 0
Sorry that link should be

feedback.kerio.com/forums/29250-kerio-connect/suggestions/30 59254-audit-log-of-all-successful-authentications


hmm.. the forum keeps adding a space in that url.

try this bit.ly/16FS1Ky

[Updated on: Sat, 29 June 2013 04:01]
