The values that should be available would be:
- oClient.IPaddress
- oClient.Port
- oClient.Username
Not sure it's posted but this is one of the many new events I'd like to add at some point along with onloginfail onlogin among a few others. (Event names subject to change)
RvdH wrote: I would love to have an eventhandler 'OnUserLoggedOn(oClient)' added that would make it (easily) possible for me to determine what user is connecting and how often on specific port, from some IPaddress as I have the feeling some clients are hammering my server, logging in every 30sec or so
The values that should be available would be:
- oClient.IPaddress
- oClient.Port
- oClient.Username
Right I am referring to my experimental builds as I have no direct access to the official source (it's a fork of the official on github now) and I can't make official releases myself anyway. But adding events isn't exactly trivial & unlikely to happen any time soon unless my schedule loosens up a bit.
RvdH wrote: Hi Bill48105,
Until those script events are added would it be possible for you to add such features in your experimental builds?
I am thinking about logging to /Logs/userlogins.txt and there log all successful/failed login attempts (for all protocols and ports)
Example:
[2014-06-10 10:53:14]: Failed login for info@domainname.com.nl from 111.111.111.111 on port 25
[2014-06-10 10:53:32]: Successful login for info@domainname.com from 111.111.111.111 on port 465
RvdH
It helped only by implementing GeoIP, but I still needed this Event until now. Meanwhile I created a monitor service on the logfiles which fires an own event when some search patterns matched to log lines. So I can handle each connection and not only authenticated sessions or authentication failures. With this service I was able to implement a reputation db for each ip address remembering what it did on our server. This enables me to forecast the most connections and drop the su****s out before they can post anything.
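Added example, not part of any post in this thread and not hMailServer code: a Python sketch of the log-watching approach described above, parsing lines in the `userlogins.txt` format proposed earlier and flagging IPs that fail repeatedly or log in far more often than a normal client. The regex, function names, thresholds and sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as proposed in the thread for Logs/userlogins.txt (a proposal only).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]: "
    r"(?P<result>Failed|Successful) login for (?P<user>\S+) "
    r"from (?P<ip>\S+) on port (?P<port>\d+)$"
)

def parse_line(line):
    """Return (timestamp, ok, user, ip, port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"] == "Successful", m["user"].lower(), m["ip"], int(m["port"])

def summarize(lines, window=timedelta(minutes=5), max_logins=5, max_failures=3):
    """Flag IPs with >= max_failures failed logins, or with more than
    max_logins successful logins by one user on one port inside `window`."""
    failures = defaultdict(int)
    recent = defaultdict(list)      # (ip, user, port) -> login times still in window
    hammering = defaultdict(set)    # ip -> {(user, port)}
    for ts, ok, user, ip, port in sorted(e for e in map(parse_line, lines) if e):
        if not ok:
            failures[ip] += 1
            continue
        key = (ip, user, port)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) > max_logins:
            hammering[ip].add((user, port))
    flagged = {ip for ip, n in failures.items() if n >= max_failures} | set(hammering)
    return {ip: {"failures": failures.get(ip, 0),
                 "hammering": sorted(hammering.get(ip, ()))} for ip in sorted(flagged)}

# Constructed sample input: documentation-range IPs and example.com addresses.
SAMPLE = [
    f"[2014-06-10 10:{m:02d}:{s:02d}]: Successful login for info@example.com from 192.0.2.10 on port 143"
    for m in range(4) for s in (0, 30)
] + [
    f"[2014-06-10 10:53:{s}]: Failed login for admin@example.com from 198.51.100.7 on port 25"
    for s in (14, 20, 26)
] + [
    "[2014-06-10 10:55:01]: Successful login for bob@example.com from 203.0.113.5 on port 465",
    "[2014-06-10 10:56:40]: Failed login for bob@example.com from 203.0.113.5 on port 465",
    "garbled line that is skipped",
]
```

`summarize(SAMPLE)` flags the client logging in every 30 seconds and the IP with three failed logins, and leaves the single mistyped password alone.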
Please explain why it is a security feature?
estradis wrote: It is a security feature and security should always be implemented!
Authentication failures are always security events, don't you agree?
mattg wrote: Please explain why it is a security feature?
estradis wrote: It is a security feature and security should always be implemented!
Maybe you misunderstood me. GeoIP helped, but it cannot handle authentication events, so it was only a small part.
mattg wrote: Please explain why the GeoIP doesn't work for you?
estradis wrote: It helped only by implementing GeoIP
We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changes of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.
mattg wrote: Please detail why you don't drop rubbish at your firewall...
```cpp
// Fire the proposed OnUserLoggedOn script event when the script server is enabled.
if (Configuration::Instance()->GetUseScriptServer())
{
   shared_ptr<ScriptObjectContainer> pContainer = shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
   shared_ptr<Result> pResult = shared_ptr<Result>(new Result);
   shared_ptr<ClientInfo> pClientInfo = shared_ptr<ClientInfo>(new ClientInfo);

   // Connection details passed to the script handler.
   pClientInfo->SetUsername(m_sUsername);
   pClientInfo->SetIPAddress(GetIPAddressString());
   pClientInfo->SetPort(GetLocalPort());
   pClientInfo->SetHELO(m_sHeloHost);

   // Register the objects the event call refers to by name.
   pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
   pContainer->AddObject("Result", pResult, ScriptObject::OTResult);

   String sEventCaller = "OnUserLoggedOn(HMAILSERVER_CLIENT)";
   ScriptServer::Instance()->FireEvent(ScriptServer::EventOnUserLoggedOn, sEventCaller, pContainer);
}
```
Not for a second.
estradis wrote: Authentication failures are always security events, don't you agree?
SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?
estradis wrote: We work in an ITIL environment. For each change on the firewall (and anything else) I have to work almost three days to create a change request in first with no guarantee to get it permitted. On my mailserver I'm pre-authorized to all changes of definitions or scripts to fight against spammers and intruders. Only once a month I have to report a summary.
mattg wrote: Please detail why you don't drop rubbish at your firewall...
Or in short words: I can handle it faster and easier on the mailserver.
This means the event won't come ever?
mattg wrote: Not for a second.
estradis wrote: Authentication failures are always security events, don't you agree?
many authentication failures are users getting their password wrong.
I use Autoban to manage this.
...
SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?
Why don't you create your own branch of the source code to do what you need, then that won't affect what I do >> https://github.com/hmailserver/hmailserver
I voted yes, too. Regardless of other services running or not, the event would be a good trigger to react on time. (I observed that the logfile will sometimes be written delayed. In case of intrusion it might be too late!)
RvdH wrote: I voted yes, but instead by doing this with a to be developed by event called something like: OnUserLoggedOn(oClient) I would settle by any method of logging these items separately. I don't care if it is by Script or done inside the actual server application itself
As I did. Thank you.
mattg wrote: I've just added a voting panel to the original post
Please feel free to vote
Matt... Adding a script trigger to handle this would probably add 1-2 seconds of total execution time over a 10 year period - if you don't use the trigger... Effectively we are talking about an "IF" statement
mattg wrote: SO you want me to run more code on my hmailserver (and every other user) so that you have less work / better outcomes..?