Solved: Re: Login Attempt Source Address?

fyrefighter77 · ‎01-06-2010

Hi all,

Am I missing something really simple? Is there a way to see the source of a failed login attempt in the authentication logs on an IronPort C150?

For instance: Wed Jan 6 10:57:39 2010 Info: User XXX failed authentication.

steven_geerts · ‎01-24-2010

Hello Robert,

Did you try to set the logging level of your authentication logs to "debug"?

I'm not sure if the source address is noted but it logs a terrible lot of info. (in my case: I could retrieve the used LDAP authentication queries from the log for further testing)

Steven

View solution in original post

fyrefighter77 · ‎01-20-2010

It would seem that this is not a possibility.

steven_geerts · ‎01-24-2010

Hello Robert,

Did you try to set the logging level of your authentication logs to "debug"?

I'm not sure if the source address is noted but it logs a terrible lot of info. (in my case: I could retrieve the used LDAP authentication queries from the log for further testing)

Steven

fyrefighter77 · ‎01-28-2010

Hi Steven,

Thanks for the help, mate. I might be missing something here but setting the log level on the Authentication logs to debug then committing the changes doesn't display any more information than the informational log level. Was there something else that needed to be changed?

fsarwary · ‎01-28-2010

If you are referring to the SMTP authentication (which can also use LDAP) the connecting source would look as follows:

Authentication attempts made during inbound connections (in order to gain relay access) are logged in the mail_logs when successful and unsuccessful. All relevant entries will be associated with the ICID in question.

Successful:

Wed Apr 22 11:43:59 2009 Info: New SMTP ICID 450 interface IncomingMail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:43:59 2009 Info: ICID 450 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:44:48 2009 Info: SMTP Auth: (ICID 450) succeeded for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:46:14 2009 Info: ICID 450 close
Unsuccessful:

Wed Apr 22 11:47:30 2009 Info: New SMTP ICID 451 interface mail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:47:30 2009 Info: ICID 451 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:47:47 2009 Info: SMTP Auth: (ICID 451) failed for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:47:56 2009 Info: ICID 451 close

Outbound SMTP Authentication
When SMTP authentication is required for deliveries to a specific host (configured via an "Outgoing" SMTP authentication profile and an SMTP route referencing said profile), both successful and unsuccessful authentication attempts will be logged in the mail_logs. All entries will be associated with the DCID in question.

Successful:

Wed Apr 22 11:06:20 2009 Info: New SMTP DCID 5633 interface 172.16.155.16 address 172.16.155.102 port 25
Wed Apr 22 11:06:20 2009 Info: DCID: 5633 IP: 172.16.155.102 SMTP authentication using the profile OutboundAuthentication succeeded.
Wed Apr 22 11:06:20 2009 Info: Delivery start DCID 5633 MID 441 to RID [0]
Wed Apr 22 11:06:20 2009 Info: Message done DCID 5633 MID 441 to RID [0]
Wed Apr 22 11:06:25 2009 Info: DCID 5633 close
Unsuccessful:

Wed Apr 22 11:19:39 2009 Info: New SMTP DCID 5640 interface 172.16.155.16 address 172.16.155.102 port 25
Wed Apr 22 11:19:41 2009 Info: DCID: 5640 IP: 172.16.155.102 SMTP authentication using the profile OutboundAuthentication failed: ('535', ['5.7.8 Error: authentication failed: authentication failure'])
Wed Apr 22 11:19:41 2009 Info: Delivery start DCID 5640 MID 448 to RID [0]
Wed Apr 22 11:19:41 2009 Info: Bounced: DCID 5640 MID 448 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('554', ['5.7.1 <postmaster@example.com>: Relay access denied'])
Wed Apr 22 11:19:46 2009 Info: DCID 5640 close

fyrefighter77 · ‎01-28-2010

Negative sir. We're talking about two different log files.

Thanks for the reply!

fsarwary · ‎01-28-2010

So are you referring to the user authentication log when one tries to connect to the IronPort GUI?

If that is so the gui_logs show the detail whom tried to login and from where? Can you give me more details as to which log your referring to?

fyrefighter77 · ‎01-29-2010

It's the authentication logs. #4 as seen in the pic below. Typical lines of output will say:

Fri Jan 29 04:13:14 2010 Info: User XXX failed authentication.

Fri Jan 29 08:10:21 2010 Info: User XXX was authenticated successfully.

But nothing else. Seems to handle both GUI and CLI login attempts. What brought this up is at one point we saw a lot of failed login attempts in this log from what appeared to be a dictionary attack.

pvdberg00 · ‎01-29-2010

In that authentication log you can specify a different log level

Peter

__________________________________________________________________________________________

Log Level:

	Critical (The least detailed setting. Only errors are logged.)
	Warning (All errors and warnings created by the system.)
	Information (Captures the second-by-second operations of the system. Recommended.)
	Debug (More specific data are logged to help debug specific problems.)
	Trace (The most detailed setting, all information that can be is logged. Recommended for developers only.)

__________________________________________________________________________________________

fyrefighter77 · ‎01-29-2010

Hiya Peter,

Yeah, we did that and committed the changes. Only no additional information was shown in the log. Thus my message above "It would seem that this is not a possibility." I guess I was just hoping that I was missing something really stupid.

Thanks all!

pvdberg00 · ‎01-29-2010

Robert,

I think the best is to ask support. I have tried this on our testmachine and nothing more is logged.

Peter

fyrefighter77 · ‎01-29-2010

Thanks for confirming, Peter. I'll give the folks at support a call.

fsarwary · ‎01-29-2010

All logs via the CLI are logged in cli_logs. All GUI logs are logged in gui_logs. From what I gather, you are looking is in either one of the two gui_logs or cli_logs.
If someone was trying to attempt to login to the appliance. The Authentication log only will display if it was successful or not and the details of access via GUI and CLI are logged as I mentioned above.

fyrefighter77 · ‎01-29-2010

Hi Fraidoon,

Ahhhh, that makes sense. So simply look at the time of successful/unsuccessful login attempt in the Authentication log and try to see if there's a matching entry in either the CLI or GUI log for more information?

fsarwary · ‎01-29-2010

Hello Robert,

You are correct.