Cisco Support Community
Community Member

Login Attempt Source Address?

Hi all,

Am I missing something really simple?  Is there a way to see the source of a failed login attempt in the authentication logs on an IronPort C150?

For instance:  Wed Jan  6 10:57:39 2010 Info: User XXX failed authentication.

Accepted Solution

Community Member

Re: Login Attempt Source Address?

Hello Robert,

Did you try to set the logging level of your authentication logs to "debug"?

I'm not sure if the source address is noted but it logs a terrible lot of info. (in my case: I could retrieve the used LDAP authentication queries from the log for further testing)

Steven

20 REPLIES
Community Member

Re: Login Attempt Source Address?

It would seem that this is not a possibility.

Community Member

Re: Login Attempt Source Address?

Hi Steven,

Thanks for the help, mate.  I might be missing something here but setting the log level on the Authentication logs to debug then committing the changes doesn't display any more information than the informational log level.  Was there something else that needed to be changed?

Community Member

Re: Login Attempt Source Address?

If you are referring to the SMTP authentication (which can also use LDAP) the connecting source would look as follows:

Authentication attempts made during inbound connections (in order to gain relay access) are logged in the mail_logs when successful and unsuccessful. All relevant entries will be associated with the ICID in question.

  • Successful:

    Wed Apr 22 11:43:59 2009 Info: New SMTP ICID 450 interface IncomingMail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
    Wed Apr 22 11:43:59 2009 Info: ICID 450 ACCEPT SG None match ALL SBRS None
    Wed Apr 22 11:44:48 2009 Info: SMTP Auth: (ICID 450) succeeded for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
    Wed Apr 22 11:46:14 2009 Info: ICID 450 close
  • Unsuccessful:

    Wed Apr 22 11:47:30 2009 Info: New SMTP ICID 451 interface mail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
    Wed Apr 22 11:47:30 2009 Info: ICID 451 ACCEPT SG None match ALL SBRS None
    Wed Apr 22 11:47:47 2009 Info: SMTP Auth: (ICID 451) failed for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
    Wed Apr 22 11:47:56 2009 Info: ICID 451 close

Outbound SMTP Authentication
When SMTP authentication is required for deliveries to a specific host (configured via an "Outgoing" SMTP authentication profile and an SMTP route referencing said profile), both successful and unsuccessful authentication attempts will be logged in the mail_logs. All entries will be associated with the DCID in question.

  • Successful:

    Wed Apr 22 11:06:20 2009 Info: New SMTP DCID 5633 interface 172.16.155.16 address 172.16.155.102 port 25
    Wed Apr 22 11:06:20 2009 Info: DCID: 5633 IP: 172.16.155.102 SMTP authentication using the profile OutboundAuthentication succeeded.
    Wed Apr 22 11:06:20 2009 Info: Delivery start DCID 5633 MID 441 to RID [0]
    Wed Apr 22 11:06:20 2009 Info: Message done DCID 5633 MID 441 to RID [0]
    Wed Apr 22 11:06:25 2009 Info: DCID 5633 close
  • Unsuccessful:

    Wed Apr 22 11:19:39 2009 Info: New SMTP DCID 5640 interface 172.16.155.16 address 172.16.155.102 port 25
    Wed Apr 22 11:19:41 2009 Info: DCID: 5640 IP: 172.16.155.102 SMTP authentication using the profile OutboundAuthentication failed: ('535', ['5.7.8 Error: authentication failed: authentication failure'])
    Wed Apr 22 11:19:41 2009 Info: Delivery start DCID 5640 MID 448 to RID [0]
    Wed Apr 22 11:19:41 2009 Info: Bounced: DCID 5640 MID 448 to RID 0 - Bounced by destination server with response: 5.1.0 - Unknown address error ('554', ['5.7.1 <postmaster@example.com>: Relay access denied'])
    Wed Apr 22 11:19:46 2009 Info: DCID 5640 close
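
As an added example (not from this post or from Cisco), the ICID association described above carried out in Python: each "SMTP Auth" line is joined back to the "New SMTP ICID" line of the same connection, so failed AUTH attempts can be counted per connecting address instead of per ICID. The sample lines are constructed from the formats quoted above, and the threshold helper is an assumed way of acting on the counts.

```python
import re
from collections import defaultdict

# Constructed mail_logs sample in the format shown in this post (not a real appliance's traffic).
MAIL_LOGS = """\
Wed Apr 22 11:43:59 2009 Info: New SMTP ICID 450 interface IncomingMail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:43:59 2009 Info: ICID 450 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:44:48 2009 Info: SMTP Auth: (ICID 450) succeeded for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:46:14 2009 Info: ICID 450 close
Wed Apr 22 11:47:30 2009 Info: New SMTP ICID 451 interface mail (172.16.155.16) address 172.16.155.102 reverse dns host unknown verified no
Wed Apr 22 11:47:30 2009 Info: ICID 451 ACCEPT SG None match ALL SBRS None
Wed Apr 22 11:47:47 2009 Info: SMTP Auth: (ICID 451) failed for user: ironport using AUTH mechanism: PLAIN with profile: IncomingAuthentication
Wed Apr 22 11:47:56 2009 Info: ICID 451 close
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface \S+ \([\d.]+\) address ([\d.]+)")
SMTP_AUTH = re.compile(r"SMTP Auth: \(ICID (\d+)\) (succeeded|failed) for user: (\S+)")

def smtp_auth_by_source(text):
    """Join each 'SMTP Auth' line to the 'New SMTP ICID' line that opened the same ICID,
    so every result is keyed by the connecting client's address rather than the ICID."""
    icid_addr = {}                        # ICID -> connecting address
    stats = defaultdict(lambda: {"succeeded": 0, "failed": 0, "users": set()})
    for line in text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            icid_addr[m.group(1)] = m.group(2)
            continue
        m = SMTP_AUTH.search(line)
        if m:
            addr = icid_addr.get(m.group(1), "unknown")   # ICID opened before the log window
            stats[addr][m.group(2)] += 1
            stats[addr]["users"].add(m.group(3))
    return dict(stats)

def sources_over_threshold(stats, max_failures):
    """Addresses whose failed SMTP AUTH count exceeds max_failures (assumed alerting rule)."""
    return sorted(a for a, s in stats.items() if s["failed"] > max_failures)
```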

Community Member

Re: Login Attempt Source Address?

Negative sir.  We're talking about two different log files.

Thanks for the reply!

Community Member

Re: Login Attempt Source Address?

So are you referring to the user authentication log when one tries to connect to the IronPort GUI?

If that is so, the gui_logs show the details of who tried to log in and from where. Can you give me more details as to which log you're referring to?

Community Member

Re: Login Attempt Source Address?

It's the authentication logs.  #4 as seen in the pic below.  Typical lines of output will say:

Fri Jan 29 04:13:14 2010 Info: User XXX failed authentication.

Fri Jan 29 08:10:21 2010 Info: User XXX was authenticated successfully.

But nothing else.  Seems to handle both GUI and CLI login attempts.  What brought this up is at one point we saw a lot of failed login attempts in this log from what appeared to be a dictionary attack.

Community Member

Re: Login Attempt Source Address?

In that authentication log you can specify a different log level.

Peter

__________________________________________________________________________________________

Log Level:

Critical (The least detailed setting. Only errors are logged.)

Warning (All errors and warnings created by the system.)

Information (Captures the second-by-second operations of the system. Recommended.)

Debug (More specific data are logged to help debug specific problems.)

Trace (The most detailed setting, all information that can be is logged. Recommended for developers only.)

__________________________________________________________________________________________

Community Member

Re: Login Attempt Source Address?

Hiya Peter,

Yeah, we did that and committed the changes.  Only no additional information was shown in the log.  Thus my message above "It would seem that this is not a possibility."  I guess I was just hoping that I was missing something really stupid.

Thanks all!

Community Member

Re: Login Attempt Source Address?

Robert,

I think the best is to ask support. I have tried this on our testmachine and nothing more is logged.

Peter

Community Member

Re: Login Attempt Source Address?

Thanks for confirming, Peter.  I'll give the folks at support a call.

Community Member

Re: Login Attempt Source Address?

All logs via the CLI are logged in cli_logs. All GUI logs are logged in gui_logs. From what I gather, what you are looking for is in either one of the two, gui_logs or cli_logs.
If someone was trying to log in to the appliance, the Authentication log will only display whether it was successful or not; the details of access via GUI and CLI are logged as I mentioned above.

Community Member

Re: Login Attempt Source Address?

Hi Fraidoon,

Ahhhh, that makes sense.  So simply look at the time of successful/unsuccessful login attempt in the Authentication log and try to see if there's a matching entry in either the CLI or GUI log for more information?

Community Member

Re: Login Attempt Source Address?

Hello Robert,

You are correct.

Community Member

Re: Login Attempt Source Address?

I think nothing is logged in the cli or gui logs. If there is please let us know via this.

Peter.

Community Member

Re: Login Attempt Source Address?

CLI example:

Fri Jan 29 09:28:27 2010 Info: PID 93074: User admin login from 192.168.3.56 on 10.92.152.77

GUI example:

Fri Jan 29 15:30:19 2010 Info: req:192.168.3.56 user:- id:eKV0321MgmA92WAlrkJb 200 GET /login HTTP/1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
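
The time-based matching Robert described, using the cli_logs and gui_logs line formats above, as an added example that is not from the thread or from Cisco: each authentication log event is paired with the nearest cli_logs "login from" entry or gui_logs "/login" request inside a small time window, and a None source is reported when nothing matches, which is the failed-login case this thread is about. The log lines are constructed in the formats quoted above; the 10-second window and the assumption that a /login request precedes the attempt are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the formats quoted in this thread (not a real appliance's logs).
AUTH_LOG = """\
Fri Jan 29 09:28:27 2010 Info: User admin was authenticated successfully.
Fri Jan 29 15:30:22 2010 Info: User admin failed authentication.
Fri Jan 29 15:30:40 2010 Info: User admin failed authentication.
"""
CLI_LOGS = "Fri Jan 29 09:28:27 2010 Info: PID 93074: User admin login from 192.168.3.56 on 10.92.152.77\n"
GUI_LOGS = "Fri Jan 29 15:30:19 2010 Info: req:192.168.3.56 user:- id:eKV0321MgmA92WAlrkJb 200 GET /login HTTP/1.1 Mozilla/5.0\n"

TS = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: (.*)$")
AUTH_EVENT = re.compile(r"User (\S+) (failed authentication|was authenticated successfully)")
CLI_SRC = re.compile(r"User \S+ login from ([\d.]+)")
GUI_SRC = re.compile(r"req:([\d.]+) .* /login ")

def parse(text):
    """Return [(datetime, message)] for lines carrying the AsyncOS-style timestamp prefix."""
    out = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:  # collapse the padded day ("Jan  6") before strptime
            out.append((datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return out

def source_events(cli_text, gui_text):
    """[(datetime, ip, origin)] from cli_logs 'login from' lines and gui_logs /login requests."""
    cli = [(ts, m.group(1), "cli") for ts, msg in parse(cli_text) if (m := CLI_SRC.search(msg))]
    gui = [(ts, m.group(1), "gui") for ts, msg in parse(gui_text) if (m := GUI_SRC.search(msg))]
    return cli + gui

def correlate(auth_text, cli_text, gui_text, window_seconds=10):
    """Pair each authentication log event with the nearest cli/gui source inside the window.
    The source is None when nothing matched, which is the failed-login case in this thread."""
    sources, window, results = source_events(cli_text, gui_text), timedelta(seconds=window_seconds), []
    for ts, msg in parse(auth_text):
        m = AUTH_EVENT.search(msg)
        if not m:
            continue
        outcome = "failed" if m.group(2).startswith("failed") else "success"
        near = [(abs(ts - sts), ip, origin) for sts, ip, origin in sources if abs(ts - sts) <= window]
        src = min(near)[1:] if near else None
        results.append((ts.strftime("%H:%M:%S"), m.group(1), outcome, src))
    return results

if __name__ == "__main__":
    for row in correlate(AUTH_LOG, CLI_LOGS, GUI_LOGS):
        print(row)
```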

Community Member

Re: Login Attempt Source Address?

Are there also entries about failed logons?

Peter.

Community Member

Re: Login Attempt Source Address?

You may want to look at external authentication, although this would involve other aspects.

But most RADIUS and LDAP servers will log failed attempts when configured properly.

And yes, Ironport should also provide this, even without external authentication.

Community Member

Re: Login Attempt Source Address?

Yes it will also log failed attempts.

Community Member

Re: Login Attempt Source Address?

Successful logins and their source IP are recorded in the cli_logs and gui_logs.

Successful and unsuccessful logins are recorded in the authentication log.  However, the source IP is not recorded.

The source IP of unsuccessful logins is recorded in one of the private log files.  There is probably a bug/FR for this to be visible in authentication logs.  Raise a ticket with Customer Support and nudge your SE.
