MarkDissington Outstanding Contributor.

POA authentication attempts

Hi all,

I'm trying to work out what vector is causing these authentication attempts to appear on our GroupWise 14.2.2 server:

4DC8 C/S Login Linux ::GW Id=xxxxxxxxxxxxxxx:: 10.0.0.206 [::ffff:10.0.0.206]

The IP address is our server which also hosts webaccess. Could it be mobility trying to use GroupWise auth? I'm struggling to see anything else attempting to hit the server during the same time frame.

TIA,
Mark.
Knowledge Partner

Re: POA authentication attempts

On 06.12.2018 13:44, MarkDissington wrote:
>
> Hi all,
>
> I'm trying to work out what vector is causing these authentication
> attempts to appear on our GroupWise 14.2.2 server:
>
> 4DC8 C/S Login Linux ::GW Id=xxxxxxxxxxxxxxx:: 10.0.0.206
> [::ffff:10.0.0.206]
>
> The IP address is our server which also hosts webaccess.


Can't be webaccess, it would show a soap login then.

> Could it be
> mobility trying to use GroupWise auth?


No.

> I'm struggling to see anything
> else attempting to hit the server during the same time frame.


GWIA?

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
MarkDissington Outstanding Contributor.

Re: POA authentication attempts

Hi Massimo,

It's not GWIA/pop nor GWIA/imap; we have those on internally for some third party mail access and those are logged as either:
C/S Login GWIA/Pop ::GW Id=xxxxxxxx:: xxx.xxx.xxx.xxx [::ffff:10.0.0.206]
or
C/S Login GWIA/Imap ::GW Id=xxxxxxxx:: xxx.xxx.xxx.xxx [::ffff:10.0.0.206]

In both cases the hidden addresses are the address of the other box making the request.

I'm wondering if this might be GWAVA? Doing some kind of user validation? It sits on the same box as well.

Mark.
MarkDissington Outstanding Contributor.

Re: POA authentication attempts

Hmm, think this is somebody trying to do either authenticated smtp to the server, or as in the previous thread it's how gwava/gwia checks for valid users. I've just increased my log level on the POA and someone has tried to "auth" as a distribution list:

13:46:16 4D88 *** NEW APP CONNECTION, Tbl Entry=29, Check ID=1515101258
13:46:16 4D88 C/S Login Linux ::GW Id=sales :: 10.0.0.206 [::ffff:10.0.0.206]
13:46:16 4D88 Error: Groups cannot be used here [D11C] User:sales (sales)
13:46:16 4D88 *** APP DISCONNECTED, Tbl Entry=29, Check ID=1515101258

and that matches up with the gwia log showing this:

13:46:16 01E3 GroupWise login failed: D11C
13:46:16 01E3 DMN: MSG 4609341 SMTP session ended: [37.49.225.223] ()

Thoughts?

Mark.
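
The correlation described in the post above, written out as an added example (not part of the original thread and not GroupWise code): it pairs each GWIA "GroupWise login failed" line with the SMTP session end on the same thread to recover the remote address, then attaches the GW Id from the POA error logged in the same second with the same code. The sample log lines are constructed from the excerpts in the post, and matching on second plus error code is an assumption that holds only while both agents run on the same box.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the excerpts in the post; remote
# addresses are documentation-range placeholders.
POA_LOG = """\
13:46:16 4D88 C/S Login Linux ::GW Id=sales :: 10.0.0.206 [::ffff:10.0.0.206]
13:46:16 4D88 Error: Groups cannot be used here [D11C] User:sales (sales)
13:46:19 4D8C C/S Login Linux ::GW Id=info :: 10.0.0.206 [::ffff:10.0.0.206]
13:46:19 4D8C Error: Groups cannot be used here [D11C] User:info (info)
13:47:02 4D90 C/S Login Linux ::GW Id=support :: 10.0.0.206 [::ffff:10.0.0.206]
13:47:02 4D90 Error: Groups cannot be used here [D11C] User:support (support)
"""
GWIA_LOG = """\
13:46:16 01E3 GroupWise login failed: D11C
13:46:16 01E3 DMN: MSG 4609341 SMTP session ended: [203.0.113.7] ()
13:46:19 01E5 GroupWise login failed: D11C
13:46:19 01E5 DMN: MSG 4609342 SMTP session ended: [203.0.113.7] ()
13:47:02 01E9 GroupWise login failed: D11C
13:47:02 01E9 DMN: MSG 4609350 SMTP session ended: [198.51.100.20] ()
"""

POA_ERR = re.compile(r"^(\d\d:\d\d:\d\d) \w{4} Error: .*\[(\w{4})\] User:(\S+)")
GWIA_FAIL = re.compile(r"^(\d\d:\d\d:\d\d) (\w{4}) GroupWise login failed: (\w{4})")
GWIA_END = re.compile(r"^\S+ (\w{4}) .*SMTP session ended: \[([^\]]+)\]")

def gwia_failures(log):
    """Return (time, code, remote_ip) for each failed login in an SMTP session."""
    pending, out = defaultdict(list), []
    for line in log.splitlines():
        if m := GWIA_FAIL.match(line):
            pending[m.group(2)].append((m.group(1), m.group(3)))
        elif m := GWIA_END.match(line):
            # Session closed: attribute this thread's failures to its peer.
            out += [(t, c, m.group(2)) for t, c in pending.pop(m.group(1), [])]
    return out

def correlate(poa_log, gwia_log):
    """Return (time, remote_ip, gw_id, code); gw_id is None if no POA match."""
    ids = defaultdict(list)
    for line in poa_log.splitlines():
        if m := POA_ERR.match(line):
            ids[(m.group(1), m.group(2))].append(m.group(3))
    return [(t, ip, ids[(t, c)].pop(0) if ids[(t, c)] else None, c)
            for t, c, ip in gwia_failures(gwia_log)]

def failures_by_source(events):
    """Count failed SMTP AUTH attempts per remote address."""
    return Counter(ip for _, ip, _, _ in events)
```

A per-address count from `failures_by_source` is the figure to alert on or feed into a block list at the perimeter.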
MarkDissington Outstanding Contributor.

Re: POA authentication attempts

Ok, so it looks like someone is trying to do brute force esmtp authentication against our GWIA (with Gwava). I found this thread:

https://forums.novell.com/showthread.php/480019-GW2014-ESMTP-Login-Attempts

I'd even replied to it back in the day! I guess we'll just have to suck it up and live with it, no impact as yet (fingers crossed).

Mark.
Knowledge Partner

Re: POA authentication attempts

On 06.12.2018 14:54, MarkDissington wrote:
>
> Hi Massimo,
>
> It's not GWIA/pop nor GWIA/imap


I was thinking SMTP.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: POA authentication attempts

On 06.12.2018 16:14, MarkDissington wrote:
>
> Ok, so it looks like someone is trying to do brute force esmtp
> authentication against our GWIA (with Gwava). I found this thread:
>
> https://forums.novell.com/showthread.php/480019-GW2014-ESMTP-Login-Attempts
>
> I'd even replied to it back in the day! I guess we'll just have to suck
> it up and live with it, no impact as yet (fingers crossed).


It's a real serious problem these days, that you can't (for some reason
nobody understands) disable SMTP authentication in GWIA. The only
advice I can give you at this point is to not expose GWIA to the
internet. They *will* get in, sooner or later. Believe me.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
MarkDissington Outstanding Contributor.

Re: POA authentication attempts

Time for an entry on the ideas portal I think (found your idea - https://ideas.microfocus.com/MFI/mf-gw/Idea/Detail/1126 and voted for it). Can't be that much of an ask to add an option to turn off smtp auth on the GWIA?

Mark.
Knowledge Partner

Re: POA authentication attempts

On 07.12.2018 14:24, MarkDissington wrote:
>
> Time for an entry on the ideas portal I think.


https://ideas.microfocus.com/MFI/mf-gw/Idea/Detail/1126

> Can't be that much of an
> ask to add an option to turn off smtp auth on the GWIA?


One would think...

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de