Kerio Connect forum: Log passwords for failed logins (Let's see what they are guessing...)
Marko Engelmann (TESIS)

Hi,
we see a lot of password guessing attempts on our server (like everyone else, I think).

I wanted to see how close the bad guys get to our actual users and their passwords. For starters, I tried sniffing with tcpdump for SMTP AUTH data. Which is a bit clumsy, but one gets an idea about what's going on...

So, the question is: Is there a way to log the passwords used in failed attempts to the security or the debug logfile? My sniffing method fails for encrypted AUTH methods or TLS/SSL-protected streams. Using the internal logs, we would also see the other services (IMAP, Webmail) as well - those we make available using SSL only...

Any insights?

Kind Regards
Marko

[Updated on: Thu, 12 June 2014 15:34]

Kedar

No, it's not possible. I think showing passwords in the log is a bad idea and a security risk. For many authentication methods the client sends only a hash, not the password.

The passwords are not saved in the configuration files in plain text. Do you know the passwords of your users for comparison?

You should use long passwords and change them periodically, and lock the IP address after some unsuccessful attempts. It's better than seeing what the bots are trying ;)
Marko Engelmann (TESIS)

Hm, I can understand your worries. We are applying all the security measures Kerio gives us (password complexity, aging (in newer versions), account lockouts on repeated failed logins and so on).

But this doesn't actually stop the attackers from trying. Without such a log, you will not know if they are still "picking the lock", or if the door is about to burst any minute now...

And from what I can see: They are trying slowly enough that the "lockout" does not actually trigger, as the real user is authenticating with valid data in between and so resets the "bad password" counter. AND: There is no single IP one could block. The attacks are coming from a "botnet" - each of the IPs is used for a few logins, then a new one is used.

There is no real danger (for now), as they are using a rather simple approach:

1q2w3e4r
1q2w3e
1q2w3e
margaret
ren123
ren888
iloveu
iloveyou
password
123456
000000
123123
111111
222222
333333
444444
555555
[...]

I would like to be able to keep an eye on this issue, without having to sniff the network traffic in a crude way.

To sum it up: It would be great if I(!) could decide what's going into my logfiles ;)
Kedar

You can customize the lockout feature in mailserver.cfg.
First, I suggest not locking the account but the IP address - the suggested settings are in the screenshot below.

Stop Kerio Connect and find the AntiHammering table in mailserver.cfg:

<table name="AntiHammering">
...
<variable name="FailedLogins">10</variable>
<variable name="CheckTime">60</variable>
...
</table>


FailedLogins=10 and CheckTime=60 mean that the attacking IP address must try 10 wrong logins within 60 seconds to be blocked. Because the server's reply to a wrong attempt is a few seconds long, this affects only aggressive bots, not manual attempts or slow bots. You can change it to some lower value, e.g. 3 failed logins in a minute; it should help.

[Updated on: Tue, 17 June 2014 09:00]

Marko Engelmann (TESIS)

Hi,
thank you, I made the changes you suggested: 3 failed attempts over 5 minutes, 30 minutes lockout.

I did a review of my logs: They try about 20 passwords in 5 minutes (20 seconds delay) before changing to a new IP address. I did not see an IP address twice in about 2 weeks...

The above settings will at least deplete their pool of usable bots earlier.

Thanks for your help so far - but still: I'm not very happy about the logging options available ;)

Using
grep "Invalid password" security.log*
gives at least a rough overview of WHO is targeted. With
grep "Failed" security.log*
one might get an impression of HOW they try (auth methods).

For future releases, I hope for a more consistent logging format. Most of the information is available, but spread over different log files or log lines, which need to be combined to get the whole picture...

Again: thanks!
Marko
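The two settings discussed above (Kedar's default of 10 failed logins in 60 seconds versus Marko's 3 in 5 minutes) and Marko's observation that each bot IP sends about 20 guesses 20 seconds apart can be checked against each other with a small sliding-window model. This is an added example, not Kerio code and not the actual AntiHammering implementation; the failed-login events are constructed to mimic the pattern described in the thread, the source IPs come from the 203.0.113.0/24 documentation range, and "alice" is an assumed mailbox name. In practice you would feed it the (time, IP, user) triples you extract from `grep "Failed" security.log`.

```python
"""Sliding-window lockout model for per-IP AntiHammering-style thresholds
(FailedLogins failures within CheckTime seconds).

Added example, not Kerio code. The failed-login events are constructed to
mimic the pattern described in the thread: one bot sends ~20 guesses 20 s
apart at one mailbox, then a fresh IP takes over. IPs are from the
203.0.113.0/24 documentation range; "alice" is an assumed account name.
"""
from collections import defaultdict


def make_events(n_ips=3, attempts_per_ip=20, spacing=20, user="alice"):
    """Constructed failure stream: list of (seconds since start, source IP, target user)."""
    events = []
    t = 0
    for i in range(n_ips):
        ip = f"203.0.113.{i + 1}"
        for _ in range(attempts_per_ip):
            events.append((t, ip, user))
            t += spacing
    return events


def first_block_time(times, failed_logins, check_time):
    """Time at which a counter of `failed_logins` failures inside a rolling
    `check_time`-second window first fires, or None if it never fires.
    A failure exactly check_time seconds old counts as outside the window."""
    window = []
    for t in sorted(times):
        window.append(t)
        window = [x for x in window if t - x < check_time]
        if len(window) >= failed_logins:
            return t
    return None


def blocked_ips(events, failed_logins, check_time):
    """Map each source IP that would be blocked to the time it gets blocked."""
    by_ip = defaultdict(list)
    for t, ip, _user in events:
        by_ip[ip].append(t)
    result = {}
    for ip, times in by_ip.items():
        when = first_block_time(times, failed_logins, check_time)
        if when is not None:
            result[ip] = when
    return result


def summary_by_user(events):
    """Per target account: (total failures, number of distinct source IPs).
    This is the per-account view that per-IP blocking never gets to see."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    for _t, ip, user in events:
        totals[user] += 1
        ips[user].add(ip)
    return {u: (totals[u], len(ips[u])) for u in totals}


if __name__ == "__main__":
    events = make_events()
    # 10 failures / 60 s: a bot pacing at 20 s never has more than 3 in any window.
    print("10/60 blocks:", blocked_ips(events, 10, 60))
    # 3 failures / 300 s: every bot IP is blocked on its third guess.
    print("3/300 blocks:", blocked_ips(events, 3, 300))
    # 60 failures against one mailbox from 3 IPs, none of them seen twice.
    print("per user:", summary_by_user(events))
```

Under this model the default 10/60 never fires against a 20-second-paced bot (at most three failures ever share a 60-second window), while 3/300 blocks each IP after its third guess, which is what Marko saw. The per-user summary is the aggregation that `grep "Invalid password"` gives you once you count sources per account: the per-IP counter resets with every fresh bot, but the target account sees all 60 attempts. The trade-off of the stricter setting is equally visible in the model: a legitimate user who mistypes three times within five minutes from one IP is blocked just like a bot.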
Kedar

For this case it's probably best to forward all your logs to some syslog server. (WebAdmin -> right click in log area -> context menu -> Log Settings... -> External Logging)

If you have an idea how to improve the logs in WebAdmin, feel free to use the 'Suggest Idea' button in the WebAdmin to file this as a feature request.

[Updated on: Wed, 18 June 2014 09:24]
