Login Attempt Source Address?

Answered Question
Jan 6th, 2010

Hi all,


Am I missing something really simple?  Is there a way to see the source of a failed login attempt in the authentication logs on an IronPort C150?


For instance:  Wed Jan  6 10:57:39 2010 Info: User XXX failed authentication.

Correct Answer by steven_geerts, Sun, 01/24/2010 - 15:17



Hello Robert,


Did you try to set the logging level of your authentication logs to "debug"?

I'm not sure if the source address is noted but it logs a terrible lot of info. (in my case: I could retrieve the used LDAP authentication queries from the log for further testing)


Steven


fyrefighter77 Thu, 01/28/2010 - 05:40

Hi Steven,


Thanks for the help, mate.  I might be missing something here but setting the log level on the Authentication logs to debug then committing the changes doesn't display any more information than the informational log level.  Was there something else that needed to be changed?

fsarwary Thu, 01/28/2010 - 12:30

If you are referring to the SMTP authentication (which can also use LDAP), the connecting source would look as follows:


Authentication attempts made during inbound connections (in order to gain relay access) are logged in the mail_logs when successful and unsuccessful. All relevant entries will be associated with the ICID in question.

  • Successful:

    Wed Apr 22 11:43:59 2009 Info: New SMTP ICID 450 interface IncomingMail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
    Wed Apr 22 11:43:59 2009 Info: ICID 450 ACCEPT SG None match ALL SBRS None
    Wed Apr 22 11:44:48 2009 Info: SMTP Auth: (ICID 450) succeeded for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
    Wed Apr 22 11:46:14 2009 Info: ICID 450 close
  • Unsuccessful:

    Wed Apr 22 11:47:30 2009 Info: New SMTP ICID 451 interface mail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
    Wed Apr 22 11:47:30 2009 Info: ICID 451 ACCEPT SG None match ALL SBRS None
    Wed Apr 22 11:47:47 2009 Info: SMTP Auth: (ICID 451) failed for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
    Wed Apr 22 11:47:56 2009 Info: ICID 451 close


Outbound SMTP Authentication
When SMTP authentication is required for deliveries to a specific host (configured via an "Outgoing" SMTP authentication profile and an SMTP route referencing said profile), both successful and unsuccessful authentication attempts will be logged in the mail_logs. All entries will be associated with the DCID in question.
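An added example (not from the thread or from IronPort) of the ICID correlation described above: each "SMTP Auth" line in mail_logs is joined to the "New SMTP ICID" line that carries the connecting address, so failed SMTP AUTH attempts can be attributed to a source. The sample lines are constructed from the entries quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample of mail_logs lines, modelled on the entries quoted above.
MAIL_LOGS = """\
Wed Apr 22 11:43:59 2009 Info: New SMTP ICID 450 interface IncomingMail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:43:59 2009 Info: ICID 450 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:44:48 2009 Info: SMTP Auth: (ICID 450) succeeded for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:46:14 2009 Info: ICID 450 close
Wed Apr 22 11:47:30 2009 Info: New SMTP ICID 451 interface mail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:47:30 2009 Info: ICID 451 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:47:47 2009 Info: SMTP Auth: (ICID 451) failed for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:47:56 2009 Info: ICID 451 close
"""

# "New SMTP ICID <id> interface <name> (<listener ip>) address <client ip> ..."
NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+)")
# "SMTP Auth: (ICID <id>) succeeded|failed for user: <user> ..."
AUTH = re.compile(r"SMTP Auth: \(ICID (\d+)\) (succeeded|failed) for user: (\S+)")


def smtp_auth_by_source(log_text):
    """Return {client_ip: {"succeeded": [users], "failed": [users]}} by joining each
    SMTP Auth line to the 'New SMTP ICID' line of the same connection."""
    icid_to_addr = {}
    result = defaultdict(lambda: {"succeeded": [], "failed": []})
    for line in log_text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            icid_to_addr[m.group(1)] = m.group(2)
            continue
        m = AUTH.search(line)
        if m:
            icid, outcome, user = m.groups()
            # An auth line whose ICID was never opened in this window is kept but flagged.
            result[icid_to_addr.get(icid, "unknown")][outcome].append(user)
    return dict(result)


def failed_smtp_auth_sources(log_text, threshold=1):
    """Client addresses with at least `threshold` failed SMTP AUTH attempts."""
    return {addr: len(v["failed"]) for addr, v in smtp_auth_by_source(log_text).items()
            if len(v["failed"]) >= threshold}


if __name__ == "__main__":
    for addr, outcomes in smtp_auth_by_source(MAIL_LOGS).items():
        print(addr, outcomes)
```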

fyrefighter77 Thu, 01/28/2010 - 12:36

Negative sir.  We're talking about two different log files.


Thanks for the reply!

fsarwary Thu, 01/28/2010 - 14:16

So are you referring to the user authentication log when one tries to connect to the IronPort GUI?


If that is so, the gui_logs show the details of who tried to log in and from where. Can you give me more details as to which log you're referring to?

fyrefighter77 Fri, 01/29/2010 - 05:14

It's the authentication logs.  #4 as seen in the pic below.  Typical lines of output will say:


Fri Jan 29 04:13:14 2010 Info: User XXX failed authentication.

Fri Jan 29 08:10:21 2010 Info: User XXX was authenticated successfully.


But nothing else.  Seems to handle both GUI and CLI login attempts.  What brought this up is at one point we saw a lot of failed login attempts in this log from what appeared to be a dictionary attack.


pvdberg00 Fri, 01/29/2010 - 05:36

In that authentication log you can specify a different log level.


Peter

__________________________________________________________________________________________


Log Level:


Critical (The least detailed setting. Only errors are logged.)

Warning (All errors and warnings created by the system.)

Information (Captures the second-by-second operations of the system. Recommended.)

Debug (More specific data are logged to help debug specific problems.)

Trace (The most detailed setting, all information that can be is logged. Recommended for developers only.)

__________________________________________________________________________________________

fyrefighter77 Fri, 01/29/2010 - 05:39

Hiya Peter,


Yeah, we did that and committed the changes.  Only no additional information was shown in the log.  Thus my message above "It would seem that this is not a possibility."  I guess I was just hoping that I was missing something really stupid.


Thanks all!

pvdberg00 Fri, 01/29/2010 - 05:48

Robert,


I think the best is to ask support. I have tried this on our test machine and nothing more is logged.


Peter

fsarwary Fri, 01/29/2010 - 11:06

All logs via the CLI are logged in cli_logs. All GUI logs are logged in gui_logs. From what I gather, what you are looking for is in either one of the two, gui_logs or cli_logs.
If someone was trying to log in to the appliance, the Authentication log will only display whether it was successful or not; the details of access via GUI and CLI are logged as I mentioned above.

fyrefighter77 Fri, 01/29/2010 - 11:10

Hi Fraidoon,


Ahhhh, that makes sense.  So simply look at the time of successful/unsuccessful login attempt in the Authentication log and try to see if there's a matching entry in either the CLI or GUI log for more information?

pvdberg00 Fri, 01/29/2010 - 12:03

I think nothing is logged in the cli or gui logs. If there is, please let us know via this.


Peter.

fsarwary Fri, 01/29/2010 - 15:56

CLI example:


Fri Jan 29 09:28:27 2010 Info: PID 93074: User admin login from 192.168.3.56 on 10.92.152.77



GUI example:


Fri Jan 29 15:30:19 2010 Info: req:192.168.3.56 user:- id:eKV0321MgmA92WAlrkJb 200 GET /login HTTP/1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

mychrislo Sun, 02/07/2010 - 21:56

You may want to look at external authentication, although this would involve other aspects.

But most RADIUS and LDAP servers will log failed attempts when configured properly.


And yes, Ironport should also provide this, even without external authentication.

jamesnoad Wed, 02/10/2010 - 08:33

Successful logins and their source IP are recorded in the cli_logs and gui_logs.

Successful and unsuccessful logins are recorded in the authentication log.  However, the source IP is not recorded.

The source IP of unsuccessful logins is recorded in one of the private log files.  There is probably a bug/FR for this to be visible in authentication logs.  Raise a ticket with Customer Support and nudge your SE.
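An added example (not from any poster or from IronPort) of the correlation fsarwary and jamesnoad describe: each authentication-log event is matched by user and timestamp to a cli_logs login line, which supplies the source IP for successful logins; failed events, whose source is not in cli_logs or gui_logs, are bucketed per minute to surface the burst that looked like a dictionary attack earlier in the thread. The sample lines are constructed from the formats quoted above; the two-second window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the authentication log and cli_logs formats quoted in this thread.
AUTH_LOG = """\
Fri Jan 29 04:13:14 2010 Info: User admin failed authentication.
Fri Jan 29 04:13:16 2010 Info: User admin failed authentication.
Fri Jan 29 04:13:19 2010 Info: User admin failed authentication.
Fri Jan 29 09:28:27 2010 Info: User admin was authenticated successfully.
"""
CLI_LOGS = "Fri Jan 29 09:28:27 2010 Info: PID 93074: User admin login from 192.168.3.56 on 10.92.152.77\n"

TS = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) Info: (.*)$")
AUTH_EVENT = re.compile(r"User (\S+) (failed authentication|was authenticated successfully)")
CLI_LOGIN = re.compile(r"User (\S+) login from (\S+) on (\S+)")

def parse(line):
    """Split a log line into (timestamp, message); None if it carries no timestamp."""
    m = TS.match(line)
    if not m:
        return None
    # collapse the padded day ("Jan  6") so strptime accepts it
    return datetime.strptime(re.sub(" +", " ", m.group(1)), "%a %b %d %H:%M:%S %Y"), m.group(2)

def correlate(auth_text, cli_text, window=timedelta(seconds=2)):
    """Attach to each authentication-log event the source IP of a cli_logs login line for the
    same user within `window`. Failed events get None: their source is not in cli_logs/gui_logs."""
    logins = []
    for line in cli_text.splitlines():
        p = parse(line)
        m = CLI_LOGIN.search(p[1]) if p else None
        if m:
            logins.append((p[0], m.group(1), m.group(2)))
    events = []
    for line in auth_text.splitlines():
        p = parse(line)
        m = AUTH_EVENT.search(p[1]) if p else None
        if not m:
            continue
        ts, user, ok = p[0], m.group(1), m.group(2).startswith("was")
        src = next((ip for t, u, ip in logins if u == user and abs(t - ts) <= window), None) if ok else None
        events.append({"time": ts, "user": user, "success": ok, "source": src})
    return events

def failure_bursts(events, threshold=3):
    """(user, minute) buckets with at least `threshold` failures: the dictionary-attack pattern."""
    buckets = Counter((e["user"], e["time"].replace(second=0)) for e in events if not e["success"])
    return {k: n for k, n in buckets.items() if n >= threshold}
```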
