GFI Software

password guessing all 5 min [message #119639] Tue, 24 February 2015 21:14
dahuafschmied
Messages: 38
Registered: October 2014
hi,

i have detected a case where "hacker" can guess passwords without being detected.
kerio kb: protecting-users-against-password-guessing-attacks-1439
this protection does not help.

in my case an ip address tries to guess the passwords of my users.
one try every 4-5 minutes for some days.

is there anything i can do against such attacks?

[24/Feb/2015 19:39:14] Failed SMTP login from 62.141.44.18 with SASL method LOGIN.
SMTP: User student<_at_>domain.tld doesn't exist. Attempt from IP address 62.141.44.18.
Failed SMTP login from 62.141.44.18 with SASL method LOGIN.
[24/Feb/2015 19:48:09] SMTP: User student<_at_>domain.tld doesn't exist. Attempt from IP address 62.141.44.18.
Re: password guessing all 5 min [message #119644 is a reply to message #119639] Tue, 24 February 2015 22:03
ksnyder
Messages: 557
Registered: August 2014
Location: USA
The sure way to do it would be to block the IP address (62.141.44.18) at your Firewall (is it the same IP address all the time?).

Another thing to try (no guarantee) is to add the offending IP address to a "Suspected Hackers" IP Address Group within Kerio Connect, then use a Custom Blacklist (http://kb.kerio.com/1172) to block your newly created "Suspected Hackers" IP Address Group. The reason I say "no guarantee" is that this feature appears to be designed to stop incoming messages from reaching user mailboxes when the sender IP address is a match. I'm not 100% sure if this would stop any authentication attempt from matching IP addresses or not, but it might be worth a try.


Ken Snyder
Re: password guessing all 5 min [message #119645 is a reply to message #119644] Tue, 24 February 2015 22:11
dahuafschmied
Messages: 38
Registered: October 2014
thank you.

i blocked the ip at my firewall.
spam blacklist is not stopping login attempts. i tried this already.

i would search for an automated solution. for example configurable login retries count and time before blocking.
Re: password guessing all 5 min [message #119646 is a reply to message #119645] Tue, 24 February 2015 22:59
ksnyder
Messages: 557
Registered: August 2014
Location: USA
Excellent - thanks for confirming that the blacklist didn't stop the login attempts. Helpful to have this confirmed in the thread.

I like your suggestion and would encourage you to add it via the User Voice process (Admin --> Dashboard --> Suggest Idea).


Ken Snyder
Re: password guessing all 5 min [message #119703 is a reply to message #119639] Thu, 26 February 2015 20:57
vomsupport
Messages: 80
Registered: October 2008
Set up fail2ban to scan the maillogs and block password guesses

http://aplawrence.com/Kerio/fail2ban.html
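
The pattern reported in this thread, one failed login every 4-5 minutes from a single address, stays under any counter that only looks at a short interval. As an added example (not code from any poster, from Kerio or from the linked how-tos), this Python script counts failures per IP over a configurable window using the log line format quoted in the first post; the sample log, the addresses in it and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure line format as quoted in the first post of this thread.
FAILED = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Failed SMTP login from (?P<ip>[0-9a-fA-F.:]+) with SASL method"
)

def slow_guessers(lines, max_failures, window):
    """Return {ip: time it first exceeded max_failures inside window}."""
    recent = defaultdict(deque)      # ip -> failure times still in window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                 # unrelated or untimestamped line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed sample: one failure every 5 minutes from 203.0.113.7."""
    start = datetime(2015, 2, 24, 19, 0, 0)
    lines = []
    for i in range(24):
        ts = (start + timedelta(minutes=5 * i)).strftime("%d/%b/%Y %H:%M:%S")
        lines.append(f"[{ts}] Failed SMTP login from 203.0.113.7 "
                     "with SASL method LOGIN.")
        lines.append(f"[{ts}] SMTP: User student@domain.tld doesn't exist. "
                     "Attempt from IP address 203.0.113.7.")
    # A single mistyped password from another (constructed) address.
    lines.insert(10, "[24/Feb/2015 19:21:00] Failed SMTP login from "
                     "198.51.100.20 with SASL method PLAIN.")
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("1-minute window:", slow_guessers(log, 5, timedelta(minutes=1)))
    print("1-hour window:  ", slow_guessers(log, 5, timedelta(hours=1)))
```

The flagged addresses can then be fed to whatever does the blocking, such as the firewall rule mentioned earlier in the thread.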
Re: password guessing all 5 min [message #119751 is a reply to message #119703] Tue, 03 March 2015 12:28
Grabsteinschubser
Messages: 64
Registered: May 2013
Location: Berlin
I think this is a bit more comprehensive how-to: https://www.grabsteinschubser.de/2015/01/30/kerio-connect-und-fail2ban/

It's in German, I put there some example filters and describe how to unblock accidentally blocked IP addresses. Maybe it's useful :)
Re: password guessing all 5 min [message #150629 is a reply to message #119751] Sun, 12 December 2021 10:36
Wilco
Messages: 104
Registered: July 2005
Location: The Netherlands
Quote:
I think this is a bit more comprehensive how-to: https://www.grabsteinschubser.de/2015/01/30/kerio-connect-und-fail2ban/
Link no longer exists.


Kerio Connect 9.4.2 on Windows Server 2022 (Dutch)
Re: password guessing all 5 min [message #150630 is a reply to message #150629] Sun, 12 December 2021 11:12
mistamilla
Messages: 43
Registered: March 2010
Location: Switzerland

He has moved to another site: https://arne.schadagies.eu/2015/01/30/kerio-connect-und-fail2ban/

KerioConnect Server 9.4.1, Mac mini M1 (8G/512G), macOS 12.x | KerioConnect Server 9.4.1 SaaS, VM Debian GNU/Linux 11.2 | KerioConnect Server 9.4.1, Mac mini i7 (32G/2T), macOS 12.x | …