Failed SMTP Login attempts... how to control?
DrFix

Been meaning for some time to mention this but finally got around to it. Several weeks ago I found that some clown had been hitting the email server every eight seconds for an hour straight trying to log in using many different variables on the username with website etc. admin<_at_>website.com sales<_at_>website.com etc., etc. I have it all locked down to only a small trusted group and no others so it rejected all attempts but certainly choked the pipe. I thought that by setting the max number of failed commands in SMTP session would throttle that but it appears it did nothing. Or am I looking in the wrong place? I manually entered the offending IP host into a reject group but wondered if it's just easier to block out a range and be done with it since they appear to be coming out of China or Korea. I'd love it if you could set your security up and if these people attempted again that it would dynamically toss the IP address into a "blocked" list.
  •  
rhunter

I see these in our log too occasionally. The account name they're trying is usually basic (admin, web, sales). Use strong passwords and turn on account lockout, so if they ever hit on a real username, it will lock out the account quickly. They do seem to come from the Asia-Pacific area. You can block the IP ranges at your router, but that will block any valid traffic also.

I don't like the server playing their game either. I'd like to see it block an IP after a user-defined number of failed SMTP logins.
  •  
DrFix

"I don't like the server playing their game either. I'd like to see it block an IP after a user-defined number of failed SMTP logins."

And that's just it. Wouldn't it be better to set up something where after "X" number of failed attempts that it locks/bans those IPs? I have friends all over Asia and the Pacific who would potentially be affected by locking a range of IPs unless they had specific static addresses that I could "trust". Unfortunately they don't.
  •  
cfortuna

But this option does exist!
In the SMTP Server tab, Security options, Max number of unknown recipients...
I have this set to 3, and looking at the logs, we see the 3 failed attempts and then the Blocked message.

Rgds
C Fortuna




----- Original Message -----
From: DrFix <drfix<_at_>nts-online.net>
To: kms<_at_>forum.kerio.com
Sent: Thu, 10 Mar 2005 15:05:06 +0000
Subject: [kms] Re: Failed SMTP Login attempts... how to control?


> "I don't like the server playing their game either. I'd like to see it block an
> IP after a user-defined number of failed SMTP logins."
>
> And that's just it. Wouldn't it be better to set up something where after "X"
> number of failed attempts that it locks/bans those IPs? I have friends all
> over Asia and the Pacific who would potentially be affected by locking a range
> of IPs unless they had specific static addresses that I could "trust".
> Unfortunately they don't.



  •  
DrFix

"But this option does exist!
In the SMTP Server tab, Security options, Max number of unknown recipients...
I have this set to 3, and looking at the logs, we see the 3 failed attempts and then the Blocked message."


Yes, I know and I did the same thing long ago but evidently it isn't stopping this from happening. Why I don't understand. What you pointed out above is something I immediately looked for when first installing the product. Anyone else have an idea?

-David
  •  
freakinvibe

The option "Max. number of unknown recipients" checks if an incoming mail message is trying to be sent to more than x unknown recipients. This results in a "directory harvest attack" in the security log.

It has nothing to do with the thing you are talking about. You are talking about SMTP authentication BEFORE receiving a mail which can't be blocked by Kerio.

It would be a nice feature to block an IP address after too many failed logon attempts for a day or so, but that's not in KMS (yet).

Regards, Pascal
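
What the posters ask for in this thread (ban an IP after "X" failed SMTP logins, for a day or so, without blocking whole ranges) can be approximated outside the mail server by scanning its log and feeding the result to a firewall or reject group. The following is an added example, not part of the thread and not a Kerio feature; the log line format, function names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Kerio's actual security log):
#   [2005-03-10 15:00:08] SMTP: failed login for user sales@website.com from 203.0.113.7
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SMTP: failed login for user \S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def find_bans(lines, max_failures=5, window=timedelta(minutes=10),
              ban_time=timedelta(days=1), trusted=frozenset()):
    """Return {ip: ban_expiry} for IPs reaching max_failures inside window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}                     # ip -> datetime at which the ban expires
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # unrelated or malformed line
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if ip in trusted or (ip in bans and ts < bans[ip]):
            continue              # never ban trusted hosts; skip already-banned ones
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the sliding window
        if len(q) >= max_failures:
            bans[ip] = ts + ban_time
            q.clear()
    return bans


def sample_log():
    """Constructed input: one source guessing every 8 s for an hour, plus a
    legitimate user who mistypes a password twice."""
    start = datetime(2005, 3, 10, 15, 0, 0)
    names = ["admin", "sales", "web", "info"]
    fmt = "[{:%Y-%m-%d %H:%M:%S}] SMTP: failed login for user {}@website.com from {}"
    lines = [fmt.format(start + timedelta(seconds=8 * i), names[i % 4], "203.0.113.7")
             for i in range(450)]
    lines += [fmt.format(start + timedelta(minutes=10, seconds=s), "david", "198.51.100.20")
              for s in (0, 20)]
    return lines


if __name__ == "__main__":
    for ip, until in find_bans(sample_log()).items():
        print(f"block {ip} until {until}")
```

Per-address counting with an expiry keeps occasional mistyped passwords from dynamic addresses below the threshold, which is the concern raised above about blocking entire regional ranges.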