When I have an account that is being password hacked, it goes into lockout as expected and I can get the IP address of the hacker if it is a POP or IMAP request; however, if the hacker is using a SOAP request (web interface or Zimbra web client or desktop), the IP address logged in audit.log and mailbox.log is the address of the Zimbra server, not the user.

How do I get the source IP address so I can block it in my firewall?

Scott Hardin


From audit.log:
2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=;] security - cmd=Auth; account=admin@domainname.com; protocol=soap; error=authentication failed for admin, account lockout;

From mailbox.log:
2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=;] soap - AuthRequest
2008-08-13 07:01:47,930 INFO [btpool0-7] [ip=;] SoapEngine - handler exception: authentication failed for admin, account lockout

Version: Release 5.0.7_GA_2444.UBUNTU6 UBUNTU6 FOSS edition
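
An added example, not part of the original post: a Python parser for the audit.log line format quoted above that counts failed `cmd=Auth` entries per client IP and lists separately the ones whose `ip` field is empty or is the server's own address, which is the SOAP case described. `SERVER_IPS`, the function names, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the Zimbra server's own addresses (constructed documentation IPs).
SERVER_IPS = {"192.0.2.10", "127.0.0.1"}

# audit.log layout as quoted in the post:
# <timestamp> WARN [thread] [ip=...;] security - cmd=Auth; account=...; error=...;
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<body>.*)$"
)

def parse_fields(text):
    """Split 'key=value; key=value;' into a dict (values may contain commas)."""
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    return fields

def summarize(lines):
    """Return (Counter of failures per client IP, failures with no usable IP)."""
    by_ip, unattributed = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an audit 'security' WARN line
        body = parse_fields(m.group("body"))
        if body.get("cmd") != "Auth" or "error" not in body:
            continue
        ip = parse_fields(m.group("ctx")).get("ip", "")
        if not ip or ip in SERVER_IPS:
            unattributed.append((m.group("ts"), body.get("account"), body.get("protocol")))
        else:
            by_ip[ip] += 1
    return by_ip, unattributed

# Constructed sample: the first line is the one quoted in the post, the rest are invented.
_ERR = "error=authentication failed for admin, account lockout;"
_ACCT = "cmd=Auth; account=admin@domainname.com;"
SAMPLE = [
    f"2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=;] security - {_ACCT} protocol=soap; {_ERR}",
    f"2008-08-13 07:02:10,101 WARN [ImapServer-1] [ip=203.0.113.45;] security - {_ACCT} protocol=imap; {_ERR}",
    f"2008-08-13 07:02:11,214 WARN [ImapServer-2] [ip=203.0.113.45;] security - {_ACCT} protocol=imap; {_ERR}",
    f"2008-08-13 07:02:30,007 WARN [ImapServer-3] [ip=198.51.100.7;] security - {_ACCT} protocol=imap; {_ERR}",
    f"2008-08-13 07:03:02,550 WARN [btpool0-9] [ip=192.0.2.10;] security - {_ACCT} protocol=soap; {_ERR}",
    "2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=;] soap - AuthRequest",
]

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE)
    print("failures per client IP:", dict(counts))
    print("no usable client IP:", missing)
```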