Capturing attempted logins ????

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Capturing attempted logins ????

Post by palinka » 2020-08-27 14:24

I want to capture failed logons to a log, but I'm not getting anything.

Sub OnClientLogon(oClient)
	If oClient.Authenticated Then
	'
	' Stuff that works fine
	'
	Else
		' Lookup is a helper defined elsewhere in the poster's script (not shown here)
		dim strRegEx : strRegEx = "@mydomain\.tld"
		If Lookup(strRegEx, oClient.Username) Then
			'
			' More stuff that works fine
			'
		Else
			EventLog.Write("Failed non-local logon: " & oClient.IPAddress & ":" & oClient.Port)  '<<=== NEVER CAPTURES ANYTHING
		End If
	End If
End Sub

I guess that oClient.Authenticated only works for actual users? What could be used to capture a list of password guessers?

SorenR
Senior user
Posts: 3830
Joined: 2006-08-21 15:38
Location: Denmark

Re: Capturing attempted logins ????

Post by SorenR » 2020-08-27 17:19

I occasionally get a brute-force bot (no AUTH on port 25 and IMAP is SSL only), but most of the time it's my users having a blond moment ;-)

Sub OnClientLogon(oClient)
    If oClient.Authenticated Then
        Exit Sub
    Else
        ' LPad is a helper defined elsewhere in the poster's script (not shown here)
        EventLog.Write( LPad("AUTH FAIL", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(" ", 3, " ") & vbTab & LPad(" ", 16, " ") & vbTab & oClient.Username )
    End If
End Sub

Non-existing users I don't remember seeing ... Perhaps you need to tail the log to find them.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

RvdH
Senior user
Posts: 1137
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Capturing attempted logins ????

Post by RvdH » 2020-08-27 21:57

I only log invalid logins. Both port and IP address are logged correctly, and in my logs I really do see some non-existent usernames from time to time.

Example code snippet:

Sub OnClientLogon(oClient)
	If Not oClient.Authenticated Then
		EventLog.Write("WARN: Failed login for " & oClient.Username & " from " & oClient.IpAddress & " on port: " & oClient.Port)
	End If
End Sub

CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 3830
Joined: 2006-08-21 15:38
Location: Denmark

Re: Capturing attempted logins ????

Post by SorenR » 2020-08-28 00:22

RvdH wrote:
2020-08-27 21:57
I only log invalid logins. Both port and IP address are logged correctly, and in my logs I really do see some non-existent usernames from time to time.

Example code snippet:

Sub OnClientLogon(oClient)
	If Not oClient.Authenticated then
		EventLog.Write("WARN: Failed login for " & oClient.Username & " from " & oClient.IpAddress & " on port: " & oClient.Port)
	End if
End Sub
I just had a go at it with my webmail ... "carrot.top@la-la.land" does show as a failed login in my custom log, so Sub OnClientLogon(oClient) does catch non-existing IMAP users. I presume the same is true for SMTP :wink:

I think I'll move my GEO blocking to Sub OnClientLogon(oClient) :mrgreen:

mattg
Moderator
Posts: 21108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Capturing attempted logins ????

Post by mattg » 2020-08-28 00:50

That's where I've been doing it for years.

I get dozens a day that are TRYING to AUTH on non-SMTP ports.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-08-28 01:15

SorenR wrote:
2020-08-28 00:22
I just had a go at it with my webmail ... "carrot.top@la-la.land" does show as a failed login in my custom log, so Sub OnClientLogon(oClient) does catch non-existing IMAP users. I presume the same is true for SMTP :wink:

I think I'll move my GEO blocking to Sub OnClientLogon(oClient) :mrgreen:
Huh... That worked - it showed up in the event log. So I guess it just doesn't pick up SMTP?

Good idea moving geo blocking. I'm going to look into that. :D

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-08-28 02:09

I looked in my custom db log for all failed logins NOT with my domains and there are only 14 hits in the past year, and all of them are on IMAP ports. It's been working the entire time; it's just that these logins are extremely rare.

That's not the case for SMTP, however. There are tons of those every day. Either OnClientLogon just doesn't capture them or oClient.Authenticated doesn't.

katip
Senior user
Posts: 779
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Capturing attempted logins ????

Post by katip » 2020-08-28 05:49

My script parses the current SMTP_Log every 5 minutes and gets IPs from lines containing:

"SENT: 504"    'auth attempt on port 25
"SENT: 550"    'unknown local recipient, may be address harvesting
"SENT: 535"    'failed logon due to bad password, same as built-in AutoBan
"SENT: 530"    'relay attempt

If an IP has produced one of those lines x times (10 in my case), it gets added to AutoBan.
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS
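katip's approach of counting suspicious SMTP reply codes per client IP, written out as an added Python example that is not katip's script and not part of hMailServer. It parses constructed lines in the tab-separated SMTPD log layout shown later in this thread; the addresses, the default threshold of 10 and the helper names are assumptions.

```python
import re
from collections import Counter

# Reply codes katip's script counts, with what each indicates in hMailServer's SMTP log.
SUSPICIOUS_CODES = {
    "504": "AUTH attempt on port 25",
    "550": "unknown local recipient, may be address harvesting",
    "535": "failed logon due to bad password",
    "530": "relay attempt",
}

# One SMTPD line: "SMTPD"<tab>thread<tab>session<tab>"timestamp"<tab>"client ip"<tab>"SENT: nnn ..."
SMTPD_SENT = re.compile(
    r'^"SMTPD"\t\d+\t\d+\t"[^"]+"\t"(?P<ip>[^"]+)"\t"SENT: (?P<code>\d{3})'
)


def smtpd_line(ip, code, text, thread=9104, session=8818):
    """Build one SMTPD log line in hMailServer's layout (constructed sample data)."""
    return '"SMTPD"\t%d\t%d\t"2020-08-31 17:56:19.500"\t"%s"\t"SENT: %s %s"' % (
        thread, session, ip, code, text)


# Constructed sample: one non-SMTPD line, a normal 250, two relay denials from one
# address and a dozen bad-password responses from another (addresses are placeholders).
SAMPLE_LOG = "\n".join(
    ['"TCPIP"\t9104\t"2020-08-31 17:56:18.337"\t"TCP - 203.0.113.7 connected to 192.168.99.2:587."',
     smtpd_line("192.168.99.1", "250", "OK"),
     smtpd_line("192.168.99.1", "550", "Delivery is not allowed to this address."),
     smtpd_line("192.168.99.1", "550", "Delivery is not allowed to this address.")]
    + [smtpd_line("203.0.113.7", "535", "Authentication failed.") for _ in range(12)]
)


def suspicious_hits(log_text):
    """Map each client IP to a Counter of the suspicious reply codes it provoked."""
    hits = {}
    for line in log_text.splitlines():
        m = SMTPD_SENT.match(line)
        if m and m["code"] in SUSPICIOUS_CODES:
            hits.setdefault(m["ip"], Counter())[m["code"]] += 1
    return hits


def ips_to_ban(log_text, threshold=10):
    """Sorted IPs whose suspicious-line total reached the threshold (katip uses 10)."""
    return sorted(ip for ip, c in suspicious_hits(log_text).items()
                  if sum(c.values()) >= threshold)


if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print("would add to AutoBan:", ip, dict(suspicious_hits(SAMPLE_LOG)[ip]))
```

Run it against a real hMailServer SMTP log by passing the file contents to ips_to_ban; only the current log file is read, so a scheduled run every few minutes matches katip's setup.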

SorenR
Senior user
Posts: 3830
Joined: 2006-08-21 15:38
Location: Denmark

Re: Capturing attempted logins ????

Post by SorenR » 2020-08-28 12:08

palinka wrote:
2020-08-28 02:09
I looked in my custom db log for all failed logins NOT with my domains and there are only 14 hits in the past year, and all of them are on IMAP ports. It's been working the entire time; it's just that these logins are extremely rare.

That's not the case for SMTP, however. There are tons of those every day. Either OnClientLogon just doesn't capture them or oClient.Authenticated doesn't.
How many failed logins on SMTP get past your GEO blocking and HELO/EHLO filtering? I have AutoBan on failed login set to 1 (yeah I know :mrgreen: ) and I NEVER see any funny ones in my banned range...

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-08-28 15:32

SorenR wrote:
2020-08-28 12:08
How many failed logins on SMTP get past your GEO blocking and HELO/EHLO filtering? I have AutoBan on failed login set to 1 (yeah I know :mrgreen: ) and I NEVER see any funny ones in my banned range...
Good point. Very few get past my filters. And how would I know anyway? If they get picked up by my filters, they get banned to the firewall. Autoban is only 1 hour, so unless I'm watching all day long, I'd never even know. They expire before I can look. Right now I only have 2 autobans, both for geo blocking.

But then again, my filters are more geared toward blocking spam, not password attacks, and they mostly operate exclusively on port 25. Geoblocking is one of the only ones that looks at all ports.

I just looked in my db log. On May 2-4 I was under dictionary attack. They all used [127.0.0.1] as HELO, so I searched for that on May 3 and came up with 1,100+ hits. Most were denied by geoip. Then I searched for the same thing except with "accepted" status (a note that goes in the log each time a log event is triggered - the opposite of rejected) and found only 28 hits. These were clearly part of a dictionary attack on port 587. I log the port too. I can get lots of information this way, but I can't search specifically for failed logons except for IMAP ones.

Logging these failed logons was more out of curiosity. My database log and firewall ban are both great for providing statistics and looking for trends.

RvdH
Senior user
Posts: 1137
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Capturing attempted logins ????

Post by RvdH » 2020-08-31 18:41

palinka wrote:
2020-08-28 02:09
I looked in my custom db log for all failed logins NOT with my domains and there are only 14 hits in the past year, and all of them are on IMAP ports. It's been working the entire time; it's just that these logins are extremely rare.

That's not the case for SMTP, however. There are tons of those every day. Either OnClientLogon just doesn't capture them or oClient.Authenticated doesn't.
I disabled AUTH on port 25, but a simple telnet connection to my mailserver on port 587 using an invalid username produces this (like it should) for SMTP:
5088 "2020-08-31 18:37:27.521" "Failed login for username.com from xxx.xxx.xxx.xxx on port 587"

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-09-01 00:38

RvdH wrote:
2020-08-31 18:41
palinka wrote:
2020-08-28 02:09
I looked in my custom db log for all failed logins NOT with my domains and there are only 14 hits in the past year, and all of them are on IMAP ports. It's been working the entire time; it's just that these logins are extremely rare.

That's not the case for SMTP, however. There are tons of those every day. Either OnClientLogon just doesn't capture them or oClient.Authenticated doesn't.
I disabled AUTH on port 25, but a simple telnet connection to my mailserver on port 587 using an invalid username produces this (like it should) for SMTP:
5088 "2020-08-31 18:37:27.521" "Failed login for username.com from xxx.xxx.xxx.xxx on port 587"
I tried that and it didn't work.

C:\Users\User>telnet mydomain.tld 587 
220 mydomain.tld
HELO local.domain.com
250 Hello.
MAIL FROM: dingle@berry.com
250 OK
RCPT TO: someone@gmail.com
550 Delivery is not allowed to this address.

"TCPIP"	9728	"2020-08-31 17:55:28.337"	"TCP - 192.168.99.1 connected to 192.168.99.2:587."
"DEBUG"	9728	"2020-08-31 17:55:28.352"	"TCP connection started for session 8818"
"SMTPD"	9728	8818	"2020-08-31 17:55:28.352"	"192.168.99.1"	"SENT: 220 mydomain.tld"
"SMTPD"	8028	8818	"2020-08-31 17:55:51.308"	"192.168.99.1"	"RECEIVED: HELO local.domain.com"
"SMTPD"	8028	8818	"2020-08-31 17:55:51.324"	"192.168.99.1"	"SENT: 250 Hello."
"SMTPD"	9104	8818	"2020-08-31 17:56:18.453"	"192.168.99.1"	"RECEIVED: MAIL FROM: dingle@berry.com"
"TCPIP"	9104	"2020-08-31 17:56:18.515"	"DNS lookup: 1.99.168.192.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP"	9104	"2020-08-31 17:56:18.593"	"DNS lookup: 1.99.168.192.bl.spamcop.net, 0 addresses found: (none), Match: False"
"TCPIP"	9104	"2020-08-31 17:56:18.609"	"DNS lookup: 1.99.168.192.ubl.unsubscore.com, 0 addresses found: (none), Match: False"
"TCPIP"	9104	"2020-08-31 17:56:19.407"	"DNS lookup: 1.99.168.192.torexit.dan.me.uk, 0 addresses found: (none), Match: False"
"DEBUG"	9104	"2020-08-31 17:56:19.407"	"Spam test: SpamTestDNSBlackLists, Score: 0"
"TCPIP"	9104	"2020-08-31 17:56:19.407"	"DNS - Query failure. Query: local.domain.com, Type: 1, DnsQuery return value: 9560."
"TCPIP"	9104	"2020-08-31 17:56:19.407"	"DNS - Query failure. Query: local.domain.com, Type: 28, DnsQuery return value: 9560."
"TCPIP"	9104	"2020-08-31 17:56:19.407"	"DNS - Query failure. Query: local.domain.com, Type: 5, DnsQuery return value: 9560."
"DEBUG"	9104	"2020-08-31 17:56:19.407"	"Spam test: SpamTestHeloHost, Score: 0"
"DEBUG"	9104	"2020-08-31 17:56:19.438"	"Spam test: SpamTestMXRecords, Score: 2"
"DEBUG"	9104	"2020-08-31 17:56:19.500"	"Spam test: SpamTestSPF, Score: 0"
"DEBUG"	9104	"2020-08-31 17:56:19.500"	"Total spam score: 2"
"SMTPD"	9104	8818	"2020-08-31 17:56:19.500"	"192.168.99.1"	"SENT: 250 OK"
"SMTPD"	1636	8818	"2020-08-31 17:56:42.375"	"192.168.99.1"	"RECEIVED: RCPT TO: someone@gmail.com"
"SMTPD"	1636	8818	"2020-08-31 17:56:42.375"	"192.168.99.1"	"SENT: 550 Delivery is not allowed to this address."
"DEBUG"	1636	"2020-08-31 17:56:42.375"	"AWStats::LogDeliveryFailure"

Nothing in my custom log or hmailserver event log.

mattg
Moderator
Posts: 21108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Capturing attempted logins ????

Post by mattg » 2020-09-01 08:19

But you didn't try to AUTH.

What are the SSL and TCP/IP settings for port 587, @palinka?

RvdH
Senior user
Posts: 1137
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Capturing attempted logins ????

Post by RvdH » 2020-09-01 09:19

mattg wrote:
2020-09-01 08:19
But you didn't try to AUTH.

What are the SSL and TCP/IP settings for port 587, @palinka?
No wonder it doesn't work :lol:

You have to send the AUTH LOGIN command to log in, like mattg said.

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-09-01 23:56

RvdH wrote:
2020-09-01 09:19
mattg wrote:
2020-09-01 08:19
But you didn't try to AUTH.

What are the SSL and TCP/IP settings for port 587, @palinka?
No wonder it doesn't work :lol:

You have to send the AUTH LOGIN command to log in, like mattg said.
:lol: :oops:

Well, I just tried using PowerShell: a working script in which I intentionally fudged the logon address and password, and it worked.

8768 "2020-09-01 17:40:08.006" "Failed non-local logon: 127.0.0.1:587"

Also came up in my custom log.

Huh. So it works. Now I'm really curious as to why I'm not subject to password guessers. I searched my custom log for failed logons on port 587: 4 Hits. One of them is the one that just got entered in the test. One must be a bad password while testing a script (local). So only 2 "in the wild" since I set this up a year ago. I ran another search on 465 and there was one "in the wild" hit.

Only 3 in a whole year? Does that seem strange?

User avatar
SorenR
Senior user
Senior user
Posts: 3830
Joined: 2006-08-21 15:38
Location: Denmark

Re: Capturing attempted logins ????

Post by SorenR » 2020-09-02 00:21

palinka wrote:
2020-09-01 23:56
RvdH wrote:
2020-09-01 09:19
mattg wrote:
2020-09-01 08:19
But you didn't try to AUTH.

What are the SSL and TCP/IP settings for port 587, @palinka?
No wonder it doesn't work :lol:

You have to send the AUTH LOGIN command to log in, like mattg said.
:lol: :oops:

Well, I just tried using PowerShell: a working script in which I intentionally fudged the logon address and password, and it worked.

8768 "2020-09-01 17:40:08.006" "Failed non-local logon: 127.0.0.1:587"

Also came up in my custom log.

Huh. So it works. Now I'm really curious as to why I'm not subject to password guessers. I searched my custom log for failed logons on port 587: 4 Hits. One of them is the one that just got entered in the test. One must be a bad password while testing a script (local). So only 2 "in the wild" since I set this up a year ago. I ran another search on 465 and there was one "in the wild" hit.

Only 3 in a whole year? Does that seem strange?
Remove ALL the other stuff you have in your eventhandler and tell us again in 6 months how many failed logons you have :mrgreen:

palinka
Senior user
Posts: 2181
Joined: 2017-09-12 17:57

Re: Capturing attempted logins ????

Post by palinka » 2020-09-02 01:17

SorenR wrote:
2020-09-02 00:21
Remove ALL the other stuff you have in your eventhandler and tell us again in 6 months how many failed logons you have :mrgreen:
Why not? You've never steered me wrong before! :mrgreen:
