IPBAN 1.8.0 not detecting password spray attack on Exchange log files.
I noticed today that my server has come under attack on a few accounts, but IPBAN was not detecting the attacks.
When I ran a sample through the detection regex, the regex passed and says it should be detecting, but it isn't. I'm using the default configuration for Exchange detection in the ipban.config file:
```xml
<LogFile>
  <Source>MSExchange</Source>
  <PathAndMask>
    C:/Program Files/Microsoft/Exchange Server/*/TransportRoles/Logs/FrontEnd/ProtocolLog/**.log
  </PathAndMask>
  <!--
  Example line:
  2018-10-08T15:09:27.508Z,00000000002A64E8,2,5.5.5.5:993,109.75.46.81:40016,user.name@domain.com,23,31,30,authenticate,plain,"R=""2 NO AUTHENTICATE failed."";Msg=""AuthFailed:LogonDenied,User: user.name@domain.com"";ErrMsg=AuthFailed:LogonDenied"
  Example lines (username on separate line):
  2020-04-01T13:13:03.129Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,10,192.168.2.101:10587,92.118.38.34:46676,*,,Inbound AUTH LOGIN failed because of LogonDenied
  2020-04-01T13:13:03.129Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,11,192.168.2.101:10587,92.118.38.34:46676,*,,User Name: shaun@example.com
  2021-04-03T03:59:48.135Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,11,192.168.2.101:10587,27.255.75.110:62262,>,504 5.7.4 Unrecognized authentication type,
  -->
  <FailedLoginRegex>
    <![CDATA[
    ^(?<timestamp>[0-9TZ\-:\.]+),(?:.*?\\(?:External\sAuthenticated\sRelay|Internet\sRecive\sFrontend),)?(?:[^,\n]*,){3}(?<ipaddress>[^,\n]+).*?(?:(?:504\s5\.7\.4\sUnrecognized\sauthentication\stype)|(?:LogonDenied\n?.*?(?:User\:|User\sName\:)\s(?<username>[^\n,"]+)))
    ]]>
  </FailedLoginRegex>
  <SuccessfulLoginRegex>
    <![CDATA[
    ^(?<timestamp>[0-9TZ\-:\.]+)?,(?:[^,\n]*,){4}(?<ipaddress>[^,\n]+),(?:[^,\n]*),(?<username>[^,\n]*),authenticated
    ]]>
  </SuccessfulLoginRegex>
  <PlatformRegex>Windows</PlatformRegex>
  <PingInterval>10000</PingInterval>
  <MaxFileSize>16777216</MaxFileSize>
  <FailedLoginThreshold>0</FailedLoginThreshold>
</LogFile>
```
Sample log file entry:
```text
2023-03-11T01:00:46.539Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,0,192.168.101.13:25,74.201.31.3:64503,+,,
2023-03-11T01:00:46.541Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,1,192.168.101.13:25,74.201.31.3:64503,>,"220 webmail.obscuredomain.com Microsoft ESMTP MAIL Service ready at Fri, 10 Mar 2023 20:00:45 -0500",
2023-03-11T01:00:46.623Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,2,192.168.101.13:25,74.201.31.3:64503,<,EHLO K8I9jJD,
2023-03-11T01:00:46.623Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,3,192.168.101.13:25,74.201.31.3:64503,>,250 webmail.obscuredomain.com Hello [74.201.31.3] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING SMTPUTF8,
2023-03-11T01:00:46.681Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,4,192.168.101.13:25,74.201.31.3:64503,<,STARTTLS,
2023-03-11T01:00:46.681Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,5,192.168.101.13:25,74.201.31.3:64503,>,220 2.0.0 SMTP server ready,
2023-03-11T01:00:46.682Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,6,192.168.101.13:25,74.201.31.3:64503,*," CN=webmail.obscuredomain.com CN=R3, O=Let's Encrypt, C=US 04D83B472290B4C411E4F5F800A30275A128 995CA3FCB1AF4B4CFAA7A49EB6085EA1EA9E8E1B 2023-02-27T11:44:08.000Z 2023-05-28T12:44:07.000Z webmail.obscuredomain.com;autodiscover.obscuredomain.com;mail.obscuredomain.com;smtp.obscuredomain.com;EXCHSERVER.obscuredomain.com;EXCHSERVER1.obscuredomain.com",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2023-03-11T01:00:46.818Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,7,192.168.101.13:25,74.201.31.3:64503,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits"
2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,8,192.168.101.13:25,74.201.31.3:64503,<,EHLO K8I9jJD,
2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,9,192.168.101.13:25,74.201.31.3:64503,*,,Client certificate chain validation status: 'EmptyCertificate'
2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,10,192.168.101.13:25,74.201.31.3:64503,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,11,192.168.101.13:25,74.201.31.3:64503,>,250 webmail.obscuredomain.com Hello [74.201.31.3] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES AUTH LOGIN 8BITMIME BINARYMIME CHUNKING SMTPUTF8,
2023-03-11T01:00:46.914Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,12,192.168.101.13:25,74.201.31.3:64503,<,AUTH LOGIN,
2023-03-11T01:00:46.914Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,13,192.168.101.13:25,74.201.31.3:64503,>,334 <authentication response>,
2023-03-11T01:00:46.972Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,14,192.168.101.13:25,74.201.31.3:64503,>,334 <authentication response>,
2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,15,192.168.101.13:25,74.201.31.3:64503,*,,Inbound AUTH LOGIN failed because of LogonDenied
2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,16,192.168.101.13:25,74.201.31.3:64503,*,,User Name: emailuser@obscuredomain.com
2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,17,192.168.101.13:25,74.201.31.3:64503,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful',
2023-03-11T01:00:52.032Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,18,192.168.101.13:25,74.201.31.3:64503,>,535 5.7.3 Authentication unsuccessful,
2023-03-11T01:00:52.096Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,19,192.168.101.13:25,74.201.31.3:64503,-,,Local
```
According to regex101, the regex should have matched this… but it appears it is matching the local IP address rather than the external IP, and since the local IP is whitelisted, IPBAN is ignoring it.
LogonDenied 2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,16,192.168.101.13:25,74.201.31.3:64503,*,User Name: emailuser@obscuredomain.com
| Match | Position | Text |
|---|---|---|
| Match 1 | 2856-3167 | 2023-03-11T01:02:26.486Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB80203705,15,192.168.101.13:25,74.201… |
| Group timestamp | 2856-2880 | 2023-03-11T01:02:26.486Z |
| Group ipaddress | 2932-2949 | 192.168.101.13:25 |
| Group username | 3146-3167 | emailuser@obscuredomain.com |
Note: email, server name and domain name have been changed in the sample file.
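The following script is an added illustration, not code from the issue or from the IPBan project. It runs the issue's `FailedLoginRegex` (with the .NET `(?<name>...)` groups converted to Python's `(?P<name>...)`) over the two `LogonDenied` lines from the sample log and over the older example line from the config comment, showing that for the `Default Frontend` connector the `ipaddress` group captures the local endpoint `192.168.101.13:25`. It also tries an assumed variant of the connector group (`CONNECTOR_ANY`, my suggestion, not IPBan's) that consumes any connector field containing a backslash, which captures the remote endpoint instead while still matching the older line.

```python
import re

# Constructed input: the two LogonDenied lines from the issue's sample log, newline-separated
# as they appear in the Exchange protocol log.
DEFAULT_FRONTEND = (
    "2023-03-11T01:00:47.030Z,EXCHSERVER\\Default Frontend EXCHSERVER,08DB18EB802036FF,15,"
    "192.168.101.13:25,74.201.31.3:64503,*,,Inbound AUTH LOGIN failed because of LogonDenied\n"
    "2023-03-11T01:00:47.030Z,EXCHSERVER\\Default Frontend EXCHSERVER,08DB18EB802036FF,16,"
    "192.168.101.13:25,74.201.31.3:64503,*,,User Name: emailuser@obscuredomain.com\n"
)
# Constructed input: the older example line from the ipban.config comment (no connector field).
IMAP_STYLE = (
    "2018-10-08T15:09:27.508Z,00000000002A64E8,2,5.5.5.5:993,109.75.46.81:40016,"
    "user.name@domain.com,23,31,30,authenticate,plain,"
    '"R=""2 NO AUTHENTICATE failed."";Msg=""AuthFailed:LogonDenied,User: user.name@domain.com"";'
    'ErrMsg=AuthFailed:LogonDenied"\n'
)

# Pieces of the FailedLoginRegex from the issue, in .NET syntax.
HEAD = r"^(?<timestamp>[0-9TZ\-:\.]+),"
TAIL = (
    r"(?:[^,\n]*,){3}(?<ipaddress>[^,\n]+).*?"
    r"(?:(?:504\s5\.7\.4\sUnrecognized\sauthentication\stype)"
    r'|(?:LogonDenied\n?.*?(?:User\:|User\sName\:)\s(?<username>[^\n,"]+)))'
)
# Original connector group: only these two connector names are consumed, so with
# "Default Frontend EXCHSERVER" the three skipped fields end before the local endpoint.
CONNECTOR_NAMED = r"(?:.*?\\(?:External\sAuthenticated\sRelay|Internet\sRecive\sFrontend),)?"
# Assumed alternative (not IPBan's): consume whichever field contains a backslash.
CONNECTOR_ANY = r"(?:[^,\n]*\\[^,\n]*,)?"

ORIGINAL = HEAD + CONNECTOR_NAMED + TAIL
PROPOSED = HEAD + CONNECTOR_ANY + TAIL


def compile_dotnet(pattern: str) -> re.Pattern:
    """Python spells named groups (?P<name>...); .NET uses (?<name>...)."""
    return re.compile(pattern.replace("(?<", "(?P<"), re.MULTILINE)


def extract(pattern: str, text: str):
    """Return (ipaddress, username) captured by the first match, or None."""
    m = compile_dotnet(pattern).search(text)
    return None if m is None else (m.group("ipaddress"), m.group("username"))


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, "Default Frontend:", extract(pat, DEFAULT_FRONTEND))
        print(name, "older format    :", extract(pat, IMAP_STYLE))
```

With the original pattern the banned address would be the whitelisted local endpoint, which is exactly the behaviour the regex101 groups above show.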
Top GitHub Comments
You need to turn on `ProcessInternalIPAddresses`.
Whitelisting your mail server IP, both internal and public, should fix this.