message sent to admin

Posted: 21 May 2010, 14:06
by allnet4u
Hi

It would be great to see, in the message sent from csf when a user is blocked for pop3 or whatever other attempts such as this brute force attack,

Time: Fri May 21 01:01:04 2010 -0400
IP: 218.78.209.235 (CN/China/-)
Failures: 3 (pop3d)
Interval: 300 seconds
Blocked: Yes

Log entries:

May 21 01:00:48 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:218.78.209.235]
May 21 01:00:54 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:218.78.209.235]
May 21 01:00:59 mail pop3d: LOGIN FAILED, user=danny, ip=[::ffff:218.78.209.235]

where or what site the person tried to log in to.
With this message, we have no clue what site he is trying to log in to.
Then we will be able to check the site and the code (if any insecure hole).

Thank you

Posted: 21 May 2010, 21:49
by Sergio
This will be great, add my vote.

Hello Sergio

Posted: 22 May 2010, 11:41
by allnet4u
Thanks for your support for my post

Yes, in fact this report just gives info about someone trying to do what is written, somewhere we don't know.

The visitor is blocked but we don't know what was involved or where he came from.

Maybe configserver can explain how to add it, and whether a variable may be added to the message we have access to in lfd/csf.

So far not many answers, we will see.

Regards
Patrick
allnet4u

Posted: 23 May 2010, 06:48
by Infopro
allnet4u wrote:
Hi

It would be great to see, in the message sent from csf when a user is blocked for pop3 or whatever other attempts such as this brute force attack,

Time: Fri May 21 01:01:04 2010 -0400
IP: 218.78.209.235 (CN/China/-)
Failures: 3 (pop3d)
Interval: 300 seconds
Blocked: Yes

Log entries:

May 21 01:00:48 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:218.78.209.235]
May 21 01:00:54 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:218.78.209.235]
May 21 01:00:59 mail pop3d: LOGIN FAILED, user=danny, ip=[::ffff:218.78.209.235]

where or what site the person tried to log in to.
With this message, we have no clue what site he is trying to log in to.
Then we will be able to check the site and the code (if any insecure hole).

Thank you

It's not a site, it's an email account that someone tried to log in to and failed, got blocked.

Posted: 23 May 2010, 10:06
by chirpy
All the information that is available is in those log lines, so it's not possible to provide anything else.
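
Added example, not part of the thread and not csf/lfd's own code: a short Python sketch that pulls out what the three quoted pop3d lines carry (timestamp, attempted mailbox name, source address) and checks them against the alert's "Failures: 3" in "Interval: 300 seconds". The regular expression, function names and the assumed year 2010 are illustrative choices.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The three log lines quoted in the alert. Syslog omits the year, so 2010
# is assumed from the alert's "Time:" field.
LOG_LINES = [
    "May 21 01:00:48 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:218.78.209.235]",
    "May 21 01:00:54 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:218.78.209.235]",
    "May 21 01:00:59 mail pop3d: LOGIN FAILED, user=danny, ip=[::ffff:218.78.209.235]",
]
YEAR, FAILURES, INTERVAL = 2010, 3, 300  # threshold values from the alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN FAILED, "
    r"user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]"
)

def normalize_ip(text):
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(text)
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def parse_line(line):
    """Return (timestamp, source IP, attempted mailbox) or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, normalize_ip(m["ip"]), m["user"]

def summarize(lines):
    """Group failures by source IP and flag FAILURES hits within INTERVAL s."""
    by_ip = defaultdict(list)
    for ts, ip, user in filter(None, map(parse_line, lines)):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [ts for ts, _ in events]
        # Sliding window: any FAILURES consecutive failures inside INTERVAL.
        hit = any((times[i + FAILURES - 1] - times[i]).total_seconds() <= INTERVAL
                  for i in range(len(times) - FAILURES + 1))
        report[ip] = {"users": [u for _, u in events], "over_threshold": hit}
    return report

if __name__ == "__main__":
    print(summarize(LOG_LINES))
```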

HI

Posted: 23 May 2010, 10:35
by allnet4u
Infopro wrote:
It's not a site, it's an email account that someone tried to log in to and failed, got blocked.

Sure, I understand that, but as said in my message,
it would be great to know which account the user tried to log in to.
In some cases it may also be FTP, ssh, or port 80.

In this case, a referrer site would be useful to know.

Posted: 23 May 2010, 10:35
by allnet4u
chirpy wrote:
All the information that is available is in those log lines, so it's not possible to provide anything else.

Thanks for your answer