When I have an account that is being password hacked, it goes into lockout as expected and I can get the IP address of the hacker if it is a POP or IMAP request; however, if the hacker is using a SOAP request (web interface or Zimbra web client or desktop), the IP address logged in audit.log and mailbox.log is the address of the Zimbra server, not the user.
How do I get the source IP address so I can block it in my firewall?
2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; firstname.lastname@example.org; protocol=soap; error=authentication failed for admin, account lockout;
2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=10.10.1.2;] soap - AuthRequest
2008-08-13 07:01:47,930 INFO [btpool0-7] [ip=10.10.1.2;] SoapEngine - handler exception: authentication failed for admin, account lockout
Version: Release 5.0.7_GA_2444.UBUNTU6 UBUNTU6 FOSS edition
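
Added example, not part of the original post: a small Python triage script that parses `security` lines in the format quoted above and separates lockouts whose logged IP can go on a firewall block list from those where the logged IP is the mail server itself, as in the SOAP case described. The function names, the POP3 sample lines and the use of 10.10.1.2 as the server address are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout taken from the "security" line quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+)\s+(?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<body>.*)$"
)

def _fields(text):
    """Split 'k=v; k=v; bare;' into a dict; a bare token with '@' is the account."""
    out = {}
    for part in (p.strip() for p in text.split(";")):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
        elif "@" in part:
            out.setdefault("account", part)
    return out

def parse_security_line(line):
    """Return the event as a dict, or None if this is not a security line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "level": m["level"]}
    event.update(_fields(m["ctx"]))
    event.update(_fields(m["body"]))
    return event

def triage_lockouts(lines, server_ips):
    """Count lockouts per client IP; set aside events logged with the server's own IP."""
    blockable, masked = Counter(), []
    for line in lines:
        ev = parse_security_line(line)
        if not ev or "account lockout" not in ev.get("error", ""):
            continue
        ip = ev.get("ip")
        if ip is None or ip in server_ips:
            masked.append(ev)      # real client address is not in this log line
        else:
            blockable[ip] += 1     # candidate for a firewall rule
    return blockable, masked

ERR = "error=authentication failed for admin, account lockout;"
SAMPLE = [  # first two lines are from the post; the POP3 lines are constructed
    "2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; firstname.lastname@example.org; protocol=soap; " + ERR,
    "2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=10.10.1.2;] soap - AuthRequest",
    "2008-08-13 07:05:12,101 WARN [Pop3Server-3] [ip=203.0.113.9;] security - cmd=Auth; account=firstname.lastname@example.org; protocol=pop3; " + ERR,
    "2008-08-13 07:05:14,552 WARN [Pop3Server-3] [ip=203.0.113.9;] security - cmd=Auth; account=firstname.lastname@example.org; protocol=pop3; " + ERR,
]
SERVER_IPS = {"10.10.1.2"}  # assumption: the Zimbra server's own address

if __name__ == "__main__":
    print(triage_lockouts(SAMPLE, SERVER_IPS))
```

Passing the server's own addresses in `server_ips` keeps them off the block list; the events returned in `masked` are the ones whose source has to be found in another log.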