
GWIA logging improvement for IMAP logins

Idea ID 2704280

Our GWIAs are (were) under constant brute force attacks from the internet. We've got over 3000 mailbox lockouts over the IMAP protocol every day. So I went ahead and tried to write a small script to find the IP addresses of those attackers and block them for a day or so. This turned out to be impossible, because at the moment it is very cumbersome to get the information about a failed login attempt from the GWIA logs. The fact that somebody used a wrong password, the username and the source IP address are separated into three different log lines or even different log files. Without further detailed information about the logging mechanism of the GWIA it is impossible for me to write such a script. So I changed my approach and blocked every IP address except my own country. This stopped the brute force attacks and the number of mailbox lockouts dropped to zero per day, but this is just a temporary solution. Sooner or later the bad guys will find out that they have to use an IP address from my own country to continue with their suspicious activity. There are many good ideas on the portal to revolutionize the GWIA or the logging. I assume those are hard to implement and this is why they are not even marked as planned. My idea is just a small change in the logging of GWIA. I hope it is easy to implement and will be picked up by the product managers. So please put this information on one line in the GWIA log for IMAP requests: timestamp, username, connection IP address and login result. For example:

10:11:12 UserA ::ffff:10.11.12.13 Successful authentication
10:11:12 UserA ::ffff:10.11.12.13 Invalid password
10:11:12 UserA ::ffff:10.11.12.13 Intruder lockout

With this information it would be much easier to create our own firewall script to block attackers, or even attach GW to a 3rd-party log analyser like Sentinel.
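The kind of script the idea above would make possible, as an added example (not code from the original post or from GroupWise): it parses lines in the proposed single-line format, normalizes the IPv4-mapped addresses GWIA writes, and counts failed IMAP logins per source IP so an operator can derive a block list. The log lines are constructed sample data in the proposed format, which GWIA does not emit today.

```python
"""Count failed IMAP logins per source IP from the proposed one-line GWIA log format."""
import ipaddress
import re
from collections import defaultdict

# Fields as proposed in the idea: timestamp, username, connection IP, login result.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<result>.+)$"
)
# Results that indicate a failed login attempt in the proposed format.
FAILURE_RESULTS = {"Invalid password", "Intruder lockout"}


def normalize_ip(text):
    """Turn an IPv4-mapped IPv6 address (::ffff:10.11.12.13) into plain IPv4."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = normalize_ip(m["ip"])
    except ValueError:  # unparsable address field: skip the line
        return None
    return {"time": m["time"], "user": m["user"], "ip": ip, "result": m["result"].strip()}


def failed_logins_by_ip(lines):
    """Map each source IP to the number of failed login results it produced."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] in FAILURE_RESULTS:
            counts[rec["ip"]] += 1
    return dict(counts)


def block_candidates(lines, threshold):
    """IPs with at least `threshold` failures; the threshold is the operator's choice."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


# Constructed sample log in the proposed format (documentation addresses only).
SAMPLE_LOG = """\
10:11:12 UserA ::ffff:10.11.12.13 Successful authentication
10:11:13 UserA ::ffff:198.51.100.7 Invalid password
10:11:14 UserB ::ffff:198.51.100.7 Invalid password
10:11:15 UserC ::ffff:198.51.100.7 Intruder lockout
10:11:16 UserA ::ffff:10.11.12.13 Invalid password
"""

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG.splitlines(), threshold=3))  # ['198.51.100.7']
```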

2 Comments
Community Manager COEST
Status changed to: Waiting for Votes