Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

IPBAN 1.8.0 not detecting password spray attack on Exchange log files.

See original GitHub issue

I noticed today that my server has come under attack on a few accounts but IPBAN was not detecting the attacks.

When I ran a sample of the detection regex, the regex passed and says it should be detecting, but it isn’t. I’m use the default configuration for exchange detection in the ipban.config file:

` <LogFile>

      C:/Program Files/Microsoft/Exchange Server/*/TransportRoles/Logs/FrontEnd/ProtocolLog/**.log
    Example line:
    2018-10-08T15:09:27.508Z,00000000002A64E8,2,,,,23,31,30,authenticate,plain,"R=""2 NO AUTHENTICATE failed."";Msg=""AuthFailed:LogonDenied,User:"";ErrMsg=AuthFailed:LogonDenied"
    Example lines (username on seperate line):
    2020-04-01T13:13:03.129Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,10,,,*,,Inbound AUTH LOGIN failed because of LogonDenied
    2020-04-01T13:13:03.129Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,11,,,*,,User Name:        
    2021-04-03T03:59:48.135Z,SRV-XCH03\External Authenticated Relay,08D7D4D2EFBC3E30,11,,,>,504 5.7.4 Unrecognized authentication type,


Sample log file entry:

2023-03-11T01:00:46.539Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,0,,,+,, 2023-03-11T01:00:46.541Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,1,,,>,"220 Microsoft ESMTP MAIL Service ready at Fri, 10 Mar 2023 20:00:45 -0500", 2023-03-11T01:00:46.623Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,2,,,<,EHLO K8I9jJD, 2023-03-11T01:00:46.623Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,3,,,>,250 Hello [] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING SMTPUTF8, 2023-03-11T01:00:46.681Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,4,,,<,STARTTLS, 2023-03-11T01:00:46.681Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,5,,,>,220 2.0.0 SMTP server ready, 2023-03-11T01:00:46.682Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,6,,,*," CN=R3, O=Let's Encrypt, C=US 04D83B472290B4C411E4F5F800A30275A128 995CA3FCB1AF4B4CFAA7A49EB6085EA1EA9E8E1B 2023-02-27T11:44:08.000Z 2023-05-28T12:44:07.000Z;;;;;",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names 2023-03-11T01:00:46.818Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,7,,,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits" 2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,8,,,<,EHLO K8I9jJD, 2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,9,,,*,,Client certificate chain validation status: 'EmptyCertificate' 2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,10,,,*,,TlsDomainCapabilities='None'; Status='NoRemoteCertificate' 2023-03-11T01:00:46.860Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,11,,,>,250 Hello [] SIZE 26214400 PIPELINING DSN ENHANCEDSTATUSCODES AUTH LOGIN 8BITMIME BINARYMIME CHUNKING SMTPUTF8, 2023-03-11T01:00:46.914Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,12,,,<,AUTH LOGIN, 2023-03-11T01:00:46.914Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,13,,,>,334 <authentication response>, 2023-03-11T01:00:46.972Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,14,,,>,334 <authentication response>, 2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,15,,,*,,Inbound AUTH LOGIN failed because of LogonDenied 2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,16,,,*,,User Name: 2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,17,,,*,Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful', 2023-03-11T01:00:52.032Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,18,,,>,535 5.7.3 Authentication unsuccessful, 2023-03-11T01:00:52.096Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,19,,,-,,Local

According to regex101. the regex should have matched this… but it appears it is matching the local IP address rather than the external IP and since the local IP is whitelists IPBAN is ignoring it.

LogonDenied 2023-03-11T01:00:47.030Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB802036FF,16,,,*,User Name:

Match 1 2856-3167 2023-03-11T01:02:26.486Z,EXCHSERVER\Default Frontend EXCHSERVER,08DB18EB80203705,15,,74.201…
Group timestamp 2856-2880 2023-03-11T01:02:26.486Z
Group ipaddress 2932-2949
Group username 3146-3167

Note: email, servername and domain name has been changed in the sample file.

Issue Analytics

  • State:closed
  • Created 6 months ago
  • Comments:5

github_iconTop GitHub Comments

jjxtracommented, Mar 14, 2023

You need to turn on ProcessInternalIPAddresses

jjxtracommented, Jul 26, 2023

Whitelisting your mail server ip, both internal and public should fix this.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Alert classification for suspicious IP addresses related to ...
This playbook helps you investigate instances where IP addresses have been labeled risky or associated with a password spray attack, or ...
Read more >
Ban IP address based on X number of unsuccessful login ...
Is it possible to ban an IP address after X number of unsuccessful login attempts to a Windows Server? Not to a particular...
Read more >
gli2 - FeedBlitz - WFAA
Table of la liga now, Margate school of beauty new location, ... Ppjt try not to laugh? ... Gas log fireplace doors, Moffat...
Read more >
Plastic trombone china, Esselunga limito di pioltello email, Exchange test-owaconnectivity? Treatment for bruised ribs mayo clinic, Coracora arpa y violin, ...
Read more >
Dekhne walon ne kya kya lyrics, How to pick up jewish chicks, Sheboygan lutheran high school, Samsung keyboard not showing up, Cancer horoscope...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found