Thread: Account lockout constantly

  1. #1
    Join Date
    Apr 2012
    Posts
    3
    Rep Power
    3

    Default Account lockout constantly

    Hello,
    I need some help ...
    In the last weeks I'm constantly having problems with account lockouts, at least 5-6 a day.
    The IPs are always from the local network.
    Code:
    2012-04-09 14:17:45,336 INFO  [btpool0-15871] [oip=192.168.1.33;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 15:55:24,596 INFO  [btpool0-15971] [oip=192.168.1.185;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 16:08:19,754 INFO  [btpool0-15967] [oip=192.168.1.136;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 18:36:36,752 INFO  [btpool0-16038] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-10 08:06:26,773 INFO  [btpool0-16121] [oip=192.168.1.33;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-10 12:35:45,248 INFO  [btpool0-16358] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    
    2012-04-09 16:09:06,224 WARN  [btpool0-15969] [oip=192.168.104.136;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx; protocol=soap; error=authentication failed for xxxxx, account lockout;
    2012-04-09 18:36:46,548 WARN  [btpool0-16038] [oip=192.168.103.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx; protocol=soap; error=authentication failed for xxx, account lockout;
    
    2012-04-09 16:08:58,986 INFO  [btpool0-15981] [oip=192.168.1.136;ua=zclient/5.0.6_GA_2313.RHEL5;] SoapEngine - handler exception: authentication failed for xxxx, account lockout
    2012-04-09 16:09:06,337 INFO  [btpool0-15969] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] SoapEngine - handler exception: authentication failed for xxxx, account lockout
    Where can I find additional info about the cause of this and what it can be?
    Thank you




    I'm using Release 5.0.6_GA_2313.RHEL5_20080522104341 CentOS5 FOSS edition

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by Fr0ggy View Post
    Hello,
    I need some help ...
    In the last weeks I'm constantly having problems with account lockouts, at least 5-6 a day.
    The IPs are always from the local network.
    Code:
    2012-04-09 14:17:45,336 INFO  [btpool0-15871] [oip=192.168.1.33;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 15:55:24,596 INFO  [btpool0-15971] [oip=192.168.1.185;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 16:08:19,754 INFO  [btpool0-15967] [oip=192.168.1.136;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-09 18:36:36,752 INFO  [btpool0-16038] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-10 08:06:26,773 INFO  [btpool0-16121] [oip=192.168.1.33;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    2012-04-10 12:35:45,248 INFO  [btpool0-16358] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx@xxx.xxx; error=account lockout due to too many failed logins;
    
    2012-04-09 16:09:06,224 WARN  [btpool0-15969] [oip=192.168.104.136;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx; protocol=soap; error=authentication failed for xxxxx, account lockout;
    2012-04-09 18:36:46,548 WARN  [btpool0-16038] [oip=192.168.103.125;ua=zclient/5.0.6_GA_2313.RHEL5;] security - cmd=Auth; account=xxx; protocol=soap; error=authentication failed for xxx, account lockout;
    
    2012-04-09 16:08:58,986 INFO  [btpool0-15981] [oip=192.168.1.136;ua=zclient/5.0.6_GA_2313.RHEL5;] SoapEngine - handler exception: authentication failed for xxxx, account lockout
    2012-04-09 16:09:06,337 INFO  [btpool0-15969] [oip=192.168.1.125;ua=zclient/5.0.6_GA_2313.RHEL5;] SoapEngine - handler exception: authentication failed for xxxx, account lockout
    Where can I find additional info about the cause of this and what it can be?
    It tells you in the error messages why the account is locked (see the red highlighted text in your log sample I've quoted above). As for the cause, I'd guess you either have a user that's trying to log in to those accounts repeatedly or there's a compromised machine at that LAN IP address - you need to fix that.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.
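
Added example, not part of the original posts: a small Python tally of lockout events per account and per originating IP (`oip`), which helps tell a single client retrying a stale password from one host touching several accounts. The line layout follows the log excerpt quoted above; the sample lines, account names and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Layout taken from the excerpt: "<ts>,<ms> <LEVEL> [thread] [oip=..;ua=..;] <logger> - <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>[A-Z]+)\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

def _kv(text):
    """Split 'k=v; k=v;' into a dict; fragments without '=' are ignored."""
    pairs = (p.split("=", 1) for p in text.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_line(line):
    """Return one log line as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "logger": m["logger"]}
    rec.update(_kv(m["ctx"]))
    rec.update(_kv(m["msg"]))
    return rec

def lockout_report(lines):
    """Count lockout events per account/IP and list the accounts seen per IP."""
    by_account, by_ip = defaultdict(Counter), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Only 'security' lines are counted; SoapEngine lines repeat the same event.
        if not rec or rec["logger"] != "security" or rec.get("cmd") != "Auth":
            continue
        if "account lockout" not in rec.get("error", ""):
            continue
        account, oip = rec.get("account", "?"), rec.get("oip", "?")
        by_account[account][oip] += 1
        by_ip[oip].add(account)
    return {a: dict(c) for a, c in by_account.items()}, dict(by_ip)

def multi_account_sources(by_ip, min_accounts=2):
    """IPs whose lockouts span several accounts: the hosts to inspect first."""
    return sorted(ip for ip, accts in by_ip.items() if len(accts) >= min_accounts)

# Constructed sample in the excerpt's format (accounts are placeholders).
_T = "2012-04-09 {t} {lvl}  [btpool0-1] [oip={ip};ua=zclient/5.0.6_GA_2313.RHEL5;] {rest}"
_LOCK = "security - cmd=Auth; account={a}; error=account lockout due to too many failed logins;"
SAMPLE = [
    _T.format(t="14:17:45,336", lvl="INFO", ip="192.168.1.33", rest=_LOCK.format(a="alice@example.test")),
    _T.format(t="15:55:24,596", lvl="INFO", ip="192.168.1.33", rest=_LOCK.format(a="bob@example.test")),
    _T.format(t="16:08:19,754", lvl="INFO", ip="192.168.1.136", rest=_LOCK.format(a="alice@example.test")),
    _T.format(t="16:08:58,986", lvl="INFO", ip="192.168.1.136",
              rest="SoapEngine - handler exception: authentication failed for alice, account lockout"),
    _T.format(t="16:09:06,224", lvl="WARN", ip="192.168.1.136",
              rest="security - cmd=Auth; account=alice@example.test; protocol=soap; "
                   "error=authentication failed for alice, account lockout;"),
]
```
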

  3. #3
    Join Date
    Apr 2012
    Posts
    3
    Rep Power
    3

    Default

    Thank you for the reply phoenix,
    I have found in the logs some bruteforce attacks through the pop3 port.
    Is there a way to drop incoming connections from blacklisted IP addresses with RBLs?
    I have blocked some ranges with iptables but it is not efficient.

    Thank you

  4. #4
    Join Date
    Jan 2012
    Posts
    7
    Rep Power
    3

    Default

    If it's an option for you, do what I do. Firewall pop and imap completely. Make people use pop3s and imaps.

  5. #5
    Join Date
    Apr 2012
    Posts
    3
    Rep Power
    3

    Default

    Quote Originally Posted by jrmacarthur View Post
    If it's an option for you, do what I do. Firewall pop and imap completely. Make people use pop3s and imaps.
    Unfortunately I cannot firewall those ports because of the expired certificates. I'll search for another solution.
