Thread: Where is the log showing IPs of access attempts?

  1. #1
    Join Date
    Apr 2014
    Posts
    6
    Rep Power
    1

    Where is the log showing IPs of access attempts?

    I have one account that is under attack from someone trying to log in to it.
    The system is working great and setting the account to 'locked out', but I need to find out where the attacker is so I can firewall them.

    I looked in the /var/log/auth.log file and I see the attempts, but it does not show the person's IP address.
    What log shows the IP used to try to log in to an account?

  2. #2
    Join Date
    Apr 2008
    Location
    New Paltz, NY
    Posts
    336
    Rep Power
    7

    Check /opt/zimbra/log/audit.log. If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log

    If it's an SMTP transaction, you'll have to check /var/log/maillog on one of your MTAs.

    If you have the proxy/SMTP servers behind a load balancer - then you may have issues tracking the IP down...
    ---
    Paul Chauvet
    State University of New York at New Paltz

  3. #3
    Join Date
    Apr 2014
    Posts
    6
    Rep Power
    1

    Thanks, I know it is a Monday now.
    I was looking in /var/log not /opt/zimbra/log/

  4. #4
    Join Date
    Apr 2014
    Posts
    6
    Rep Power
    1

    Ok one more question.
    I am now able to watch everyone as they log in with their clients; however, if they log on to the web portal to get their mail, it is only showing the IP of the Zimbra server. I do not see any logs for Apache. Is there a different file I can look into to see what IP they are using to try to log in on the web site?

  5. #5
    Join Date
    Apr 2008
    Location
    New Paltz, NY
    Posts
    336
    Rep Power
    7

    As mentioned in my last post:

    If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log

    Even if you're not in a multi-server environment, if you installed the Zimbra proxy, then it will pass through there first.
    ---
    Paul Chauvet
    State University of New York at New Paltz
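
One way to pull the source addresses of failed logins for one account out of /opt/zimbra/log/audit.log, as an added example that is not from the posters or from Zimbra. The line layout, including an `oip=` field carrying the client address of a proxied request, is assumed from a typical audit.log and the sample lines are constructed; `failed_auth_sources` and `server_ips` are names made up here.

```python
import re
from collections import Counter

# Constructed sample lines. The layout is an assumption modelled on a typical
# Zimbra audit.log; compare it with your own file and adjust the patterns.
SAMPLE_AUDIT_LOG = """\
2014-04-07 09:12:01,101 WARN  [ImapServer-12] [ip=203.0.113.45;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for [user@example.com], invalid password;
2014-04-07 09:12:09,440 WARN  [qtp1-77] [name=user@example.com;oip=203.0.113.45;ip=10.0.0.5;ua=zclient/8.0;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;
2014-04-07 09:13:30,002 WARN  [qtp1-80] [name=user@example.com;ip=10.0.0.5;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], account lockout;
2014-04-07 09:14:00,900 INFO  [qtp1-81] [name=other@example.com;oip=198.51.100.7;ip=10.0.0.5;] security - cmd=Auth; account=other@example.com; protocol=soap;
"""

# First bracketed group made only of key=value; pairs (the request context).
CONTEXT = re.compile(r"\[((?:\w+=[^;\]]*;)+)\]")
ACCOUNT = re.compile(r"\baccount=([^;\s]+);")

def failed_auth_sources(lines, account=None, server_ips=()):
    """Return (Counter of client IPs, number of failures showing only a server IP)."""
    clients, masked = Counter(), 0
    for line in lines:
        if "cmd=Auth" not in line or "error=authentication failed" not in line:
            continue
        acct = ACCOUNT.search(line)
        if account and (not acct or acct.group(1) != account):
            continue
        ctx = CONTEXT.search(line)
        if not ctx:
            continue
        fields = dict(kv.split("=", 1) for kv in ctx.group(1).rstrip(";").split(";"))
        # Prefer the originating IP when the request came through the proxy.
        ip = fields.get("oip") or fields.get("ip")
        if ip is None:
            continue
        if ip in server_ips:
            masked += 1  # only the Zimbra/proxy address was logged: check nginx.log
        else:
            clients[ip] += 1
    return clients, masked

if __name__ == "__main__":
    found, masked = failed_auth_sources(SAMPLE_AUDIT_LOG.splitlines(),
                                        account="user@example.com",
                                        server_ips={"10.0.0.5"})
    for ip, count in found.most_common():
        print(f"{count:5d}  {ip}")
    print(f"{masked} failure(s) logged with a server address only")
```

Failures counted as server-address-only are the web logins described in post #4; for those, the client address has to come from /opt/zimbra/log/nginx.log as post #5 says.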
