Block SMTP Login after 3 Failures!
  •  
r.lechner

Can you make Kerio block the IP of these idiots for 1 day after 3 or 5 login failures? My logs are full of these monkeys!

[29/Dec/2016 13:41:41] Account lockout - user Admin<_at_>xxxx will be blocked for connections from IP address 221.138.138.228 for 5 minutes: too many failed logins from this IP address
[29/Dec/2016 13:41:54] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 13:42:21] SMTP: User jobs<_at_>xxxx doesn't exist. Attempt from IP address 221.138.138.228.
[29/Dec/2016 13:42:27] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 13:42:54] SMTP: User steve<_at_>xxxx doesn't exist. Attempt from IP address 221.138.138.228.
[29/Dec/2016 13:43:00] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 13:43:27] SMTP: User bill<_at_>xxxx doesn't exist. Attempt from IP address 221.138.138.228.
[29/Dec/2016 13:43:33] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 13:44:00] SMTP: User larry<_at_>xxxx doesn't exist. Attempt from IP address 221.138.138.228.
[29/Dec/2016 13:44:06] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.


And there is no 5-minute blocking! Something is wrong with your code or the idea behind it!

[29/Dec/2016 14:20:24] SMTP: Invalid password for user admin<_at_>xxxx Attempt from IP address 221.138.138.228.
[29/Dec/2016 14:20:24] Account lockout - user Admin<_at_>xxxxx will be blocked for connections from IP address 221.138.138.228 for 5 minutes: too many failed logins from this IP address
[29/Dec/2016 14:20:37] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 14:21:04] SMTP: User vanessa<_at_>xxxx doesn't exist. Attempt from IP address 221.138.138.228.
[29/Dec/2016 14:21:10] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.
[29/Dec/2016 14:21:37] SMTP: Invalid password for user admin<_at_>xxxx Attempt from IP address 221.138.138.228.
[29/Dec/2016 14:21:37] Account lockout - user Admin<_at_>xxxx will be blocked for connections from IP address 221.138.138.228 for 5 minutes: too many failed logins from this IP address
[29/Dec/2016 14:21:50] Failed SMTP login from 221.138.138.228 with SASL method LOGIN.

  •  
lkacian

+1
There have been huge attacks with login via SASL SMTP in the last few days.

Lubor Kacian
FONET Slovakia
  •  
r.lechner

Still under attack!

[06/Jan/2017 13:33:42] SMTP: User a<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:33:42] SMTP: User a<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:33:47] Too many simultaneous SMTP connections from 125.227.190.163

[06/Jan/2017 13:35:00] SMTP: User abraham<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:35:02] Too many simultaneous SMTP connections from 125.227.190.163
[06/Jan/2017 13:35:05] SMTP: User abraham<_at_>xxxx.at doesn't exist. Attempt from IP addres

[06/Jan/2017 13:35:39] SMTP: User access<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:35:41] Too many simultaneous SMTP connections from 125.227.190.163
[06/Jan/2017 13:35:43] Last message repeated 5 times
[06/Jan/2017 13:35:43] SMTP: User access<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:35:43] Too many simultaneous SMTP connections from 125.227.190.163

[06/Jan/2017 13:36:27] SMTP: User ada<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:36:28] Too many simultaneous SMTP connections from 125.227.190.163
[06/Jan/2017 13:36:29] SMTP: User ada<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:36:31] Too many simultaneous SMTP connections from 125.227.190.163

[06/Jan/2017 13:37:09] SMTP: User adam<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:37:13] Too many simultaneous SMTP connections from 125.227.190.163
[06/Jan/2017 13:37:15] Failed SMTP login from 125.227.190.163 with SASL method LOGIN.
..................
[06/Jan/2017 13:53:58] SMTP: User utente<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:53:58] SMTP: User utente<_at_>xxxx.at doesn't exist. Attempt from IP address 125.227.190.163.
[06/Jan/2017 13:53:58] Too many simultaneous SMTP connections from 125.227.190.163

..........

Don't want any connection to these IPs for 1 day or 2! No SMTP, POP, IMAP or SASL. Simply block these idiots!
  •  
ComputerBudda

block it at the router
  •  
r.lechner

That's silly because there are always different IPs! I don't have the time to manually respond to every idiot on the planet; the software has to take care of it!
  •  
core

Exact same problem here!

Is there any solution to block these attacks, or at least to block a specific IP from guessing users' mail addresses?

[31/Mar/2017 10:10:59] SMTP: User XXX<_at_>domain.com doesn't exist. Attempt from IP address 222.120.247.207.
[31/Mar/2017 10:11:05] Failed SMTP login from 222.120.247.207 with SASL method LOGIN

There are a lot of these... and no blocking timeout.

How to deal with this issue?

[Updated on: Fri, 31 March 2017 10:16]

  •  
Hav10

If you are running Kerio on Linux, try fail2ban. It is very effective in reducing attacks just like you have described.

http://www.fail2ban.org

http://forums.kerio.com/t/16562/kerio-filter-for-fail2ban
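
The threshold counting that a fail2ban-style tool performs on log lines like those quoted in this thread, as an added example (not part of the original posts, and not code from Kerio or fail2ban). The sample log is constructed with documentation addresses; the function name `ips_to_ban`, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, shaped like the security-log lines quoted in this thread.
SAMPLE_LOG = """\
[29/Dec/2016 13:41:54] Failed SMTP login from 203.0.113.7 with SASL method LOGIN.
[29/Dec/2016 13:42:21] SMTP: User jobs@example.test doesn't exist. Attempt from IP address 203.0.113.7.
[29/Dec/2016 13:42:27] Failed SMTP login from 203.0.113.7 with SASL method LOGIN.
[29/Dec/2016 13:43:00] SMTP: Invalid password for user admin@example.test Attempt from IP address 198.51.100.20.
[29/Dec/2016 13:44:10] Too many simultaneous SMTP connections from 203.0.113.7
[29/Dec/2016 14:30:00] Failed SMTP login from 198.51.100.20 with SASL method LOGIN.
[29/Dec/2016 14:31:00] Failed SMTP login from 198.51.100.20 with SASL method LOGIN.
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# The three failure messages that appear in the excerpts above.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?:"
    rf"Failed SMTP login from (?P<a>{IP}) "
    r"|SMTP: (?:User \S+ doesn't exist\.|Invalid password for user \S+) "
    rf"Attempt from IP address (?P<b>{IP}))"
)

def ips_to_ban(lines, max_failures=3, window=timedelta(minutes=10)):
    """Map each offending IP to the timestamp at which it crossed the threshold."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Too many simultaneous SMTP connections"
        ip = m.group("a") or m.group("b")
        if ip in banned:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) >= max_failures:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"{when} ban {ip}")
```

In the excerpts a "doesn't exist" line is often followed a few seconds later by a "Failed SMTP login" line from the same address, so one attempt can contribute two events; choose `max_failures` with that in mind. Passing the resulting addresses to a firewall is platform-specific and not shown.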


  •  
SebStar

same problem here for ages...
  •  
core

Yes, I heard of Fail2ban but I'm on Windows.
I know there are many posts on this problem, but I didn't see an efficient solution on Windows Server that can be done directly in Kerio Connect administration.