
Feature/New Collection for Axigen Mail Server

Open it-curmudgeon opened this issue 2 years ago • 3 comments

What would you like to be added?

Add a Bouncer, similar to Postfix and Dovecot, to parse syslog style Axigen mail logs (stored in /var/log/maillog [RHEL/CentOS]) looking for brute force and spam attacks.

Why is this needed?

Adds a layer of protection to another mail/webmail server.

it-curmudgeon avatar Jul 15 '22 20:07 it-curmudgeon

Hi,

We need a sample of logs to see what we can do.

Best regards,

sabban avatar Jul 18 '22 08:07 sabban

maillog.txt

Server maillog (sanitized and converted to .txt) attached

it-curmudgeon avatar Jul 19 '22 21:07 it-curmudgeon

Hi,

In order to identify the origin IP of the failure/attack, we need it to be on a single line of log. To activate it in your logging you may try to enable the security log by changing the value of the "enableSecurityLog" parameter from no to yes in the Axigen configuration file (${AXIGEN_WORK_DIR}/run/axigen.cfg).

Note that a restart of Axigen service is required after the change.

Can you try this, do a few unsuccessful authentication attempts and provide us with the resulting logs? You should see lines containing a failure marker ("OP_FAIL" for example) and the IP on the same line.

Regards

rr404 avatar Sep 05 '22 14:09 rr404
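The point rr404 makes above is the one a parser lives or dies on: a brute-force scenario can only ban a source if the failure marker and the client IP sit on the same log line. The block below is an added example (not code from the issue, from CrowdSec, or from Axigen) that shows what such a detection looks like once that holds. The log lines are constructed; the "OP_FAIL" marker follows rr404's comment, but the syslog prefix, the `user=` / `from=` fields and the `OP_OK` success line are assumptions made for this example, and only IPv4 sources are extracted. Failure lines that carry no IP are kept separately so the operator can see exactly which events a single-line parser cannot attribute.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not real Axigen output. They assume the shape rr404
# asks for: a syslog-style prefix, a failure marker ("OP_FAIL") and the client
# IP on the same line. Field names (user=, from=) and the OP_OK success line are
# assumptions for this example only.
SAMPLE_LOG = """\
Jul 19 21:00:01 mail axigen[1234]: IMAP OP_FAIL user=alice from=203.0.113.5 reason=auth
Jul 19 21:00:04 mail axigen[1234]: IMAP OP_FAIL user=alice from=203.0.113.5 reason=auth
Jul 19 21:00:07 mail axigen[1234]: POP3 OP_FAIL user=bob from=198.51.100.7 reason=auth
Jul 19 21:00:09 mail axigen[1234]: IMAP OP_FAIL user=admin from=203.0.113.5 reason=auth
Jul 19 21:00:12 mail axigen[1234]: IMAP OP_OK user=carol from=192.0.2.9
Jul 19 21:00:15 mail axigen[1234]: IMAP OP_FAIL user=root from=203.0.113.5 reason=auth
Jul 19 21:00:18 mail axigen[1234]: SMTP OP_FAIL user=postmaster reason=auth
Jul 19 21:00:21 mail axigen[1234]: IMAP OP_FAIL user=test from=203.0.113.5 reason=auth
Jul 19 21:00:40 mail axigen[1234]: POP3 OP_FAIL user=bob from=198.51.100.7 reason=auth
"""

FAIL_MARKER = "OP_FAIL"
# RFC 3164 style timestamp: "Jul 19 21:00:01" (day may be space padded).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# IPv4 only; IPv6 sources are deliberately out of scope for this example.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_failures(text, year=2022):
    """Return (events, orphans).

    events  - list of (timestamp, ip) for lines carrying FAIL_MARKER and an IPv4
    orphans - failure lines with no timestamp or no IP on them: the multi-line
              case rr404 describes, which a single-line parser cannot attribute
    """
    events, orphans = [], []
    for line in text.splitlines():
        if FAIL_MARKER not in line:
            continue  # successes and unrelated lines are ignored
        m = SYSLOG_TS.match(line)
        if not m:
            orphans.append(line)
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        # Search only after the prefix so the pid/hostname cannot be mistaken
        # for the client address.
        ip = IPV4.search(line[m.end():])
        if not ip:
            orphans.append(line)
            continue
        events.append((ts, ip.group(0)))
    return events, orphans


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count per source IP (the same idea as a leaky-bucket
    scenario): an IP is flagged the first time `threshold` failures fall
    within `window`. Returns {ip: time the threshold was reached}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    evs, orphans = parse_failures(SAMPLE_LOG)
    for ip, when in brute_force_sources(evs).items():
        print(f"brute force from {ip}, threshold reached at {when:%H:%M:%S}")
    for line in orphans:
        print("cannot attribute (no IP on the line):", line)
```

On the constructed sample, 203.0.113.5 accumulates five failures inside 20 seconds and is flagged, 198.51.100.7 stays under the threshold, and the SMTP failure for `postmaster` is reported as unattributable because no IP shares its line, which is precisely the situation the security log setting is meant to eliminate.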