I. To prevent malicious parties from attempting to brute-force passwords, the administrator interface provides the following setting:


An account lockout mechanism (DDOS) is provided for SMTP/POP3/IMAP4/web: when password authentication from a specific IP fails against a given service, that IP & account combination is locked:


Description of the account lock duration:


The lock here applies only to "that IP & authentication of that account":

that IP can still authenticate other accounts, and the same account's password can still be verified from a different IP.

This is done to avoid inconveniencing legitimate users:


Lock condition: that IP + that account



II. Lockout examples for each service:


1. POP3:


After authentication has been locked:

telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK MPOP3D V7.0 at ha.openfind.com.tw starting.
user derek2
+OK Password required for user "derek2@openfind.com.tw".
pass password
-ERR Invalid username or password.   <-----  failure response; the account has been locked
^]
telnet> q
Connection closed.


/webmail/tools/dump_login_log -u derek2 -t pop3 -r all

2017/11/22 21:37:04 Failed POP3 Login   127.0.0.1
2017/11/22 21:37:13 Failed POP3 Login   127.0.0.1
2017/11/22 21:37:20 Failed POP3 Login   127.0.0.1
2017/11/22 21:37:28 Failed POP3 Login   127.0.0.1
2017/11/22 21:42:18 Failed POP3 Login   127.0.0.1



tail -f /webmail/log/login_user.log

[2017/11/22 21:37:20] [INF][ 5437][pop3d:userlog]# derek2@openfind.com.tw       66      127.0.0.1
[2017/11/22 21:37:28] [INF][ 5458][pop3d:userlog]# derek2@openfind.com.tw       66      127.0.0.1
[2017/11/22 21:42:18] [INF][ 6491][pop3d:userlog]# derek2@openfind.com.tw       66      127.0.0.1



tail /webmail/pop3/pop3d.log

[2017/11/22 21:42:10] [127.0.0.1:6491] Connection initialized.
[2017/11/22 21:42:15] [127.0.0.1:6491] user derek2
[2017/11/22 21:42:18] [127.0.0.1:6491] pass *****
[2017/11/22 21:42:18] [127.0.0.1:6491] User derek2@openfind.com.tw login failed.



In the user's web panel, 127.0.0.1 can be seen as locked. If the attacker keeps trying to log in, a login failure is shown regardless of whether the credentials are correct,

while the original user's IP, 172.16.25.11, can still log in normally:


2. WEB:


For web login, once the error count is exceeded a message shows how long the lock lasts, regardless of whether the correct password is entered afterwards:


/webmail/log/login.log

[2017/11/22 21:33:26] [INF][ 4598][login:MSLOG_UserLogin]# [PASSERR] derek2@openfind.com.tw 172.16.25.11
[2017/11/22 21:33:30] [INF][ 4610][login:MSLOG_UserLogin]# [PASSERR] derek2@openfind.com.tw 172.16.25.11
[2017/11/22 21:33:34] [INF][ 4621][login:MSLOG_UserLogin]# [LOCKED] derek2@openfind.com.tw 172.16.25.11
[2017/11/22 21:34:53] [INF][ 4923][login:MSLOG_UserLogin]# [LOCKED] derek2@openfind.com.tw 172.16.25.11


/webmail/tools/dump_login_log -u derek2 -t web -r all

2017/11/22 21:33:26 Failed Web Login    172.16.25.11
2017/11/22 21:33:30 Failed Web Login    172.16.25.11
<after LOCKED, no further fail log records are written>



Panel information:


3. IMAP4:


After authentication has been locked:

[webmail@ha1 derek2]$ telnet 0 143
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 AUTH=LOGIN LITERAL+ STARTTLS ID]
* login derek2 fadfasdf
* NO LOGIN failure: mismatched password
^]
telnet> q
Connection closed.


/webmail/log/login_user.log

[2017/11/22 21:55:32] [INF][ 9178][imap4d:userlog]# derek2@openfind.com.tw      67      127.0.0.1
[2017/11/22 21:55:47] [INF][ 9222][imap4d:userlog]# derek2@openfind.com.tw      67      127.0.0.1


/webmail/imap4d/imap4d.log

[2017/11/22 21:55:41] [127.0.0.1:9222] Connection initialized.
[2017/11/22 21:55:47] [127.0.0.1:9222] * LOGIN derek2 ***
[2017/11/22 21:55:47] [127.0.0.1:9222] Incorrect password (derek2@openfind.com.tw)
[2017/11/22 21:55:53] [127.0.0.1:9222] Auto logout: close connection
[2017/11/22 21:55:53] [127.0.0.1:9222] Auto logout: close connection(nocmd)
[2017/11/22 21:55:53] [127.0.0.1:9222] Connection closed.(11.50s)


[webmail@ha1 log]$ /webmail/tools/dump_login_log -u derek2 -t imap4 -r all

2017/11/22 21:55:32 Failed IMAP4 Login  127.0.0.1
2017/11/22 21:55:47 Failed IMAP4 Login  127.0.0.1



Panel information:



4. SMTP:


After authentication has been locked:

[webmail@ha1 derek2]$ telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 ha1.openfind.com.tw ESMTP Service(Mail2000 ESMTP Server V7.00) ready Wed, 22 Nov 2017 22:05:02 +0800 (CST)
helo aa
250 ha1.openfind.com.tw
auth login
334 VXNlcm5hbWU6
ZGVyZWsy
334 UGFzc3dvcmQ6
b3BlbmZpbmQ=
504 Authentication failed.
Connection closed by foreign host.


/webmail/mqueue/log/smtpd.log

[2017/11/22 22:05:02] [127.0.0.1:28351-0] Connection initialized.
[2017/11/22 22:05:04] [127.0.0.1:28351-0] helo aa
[2017/11/22 22:05:06] [127.0.0.1:28351-0] auth login
[2017/11/22 22:05:15] [127.0.0.1:28351-0] User derek2@openfind.com.tw AUTH fails.
[2017/11/22 22:05:15] [127.0.0.1:28351-0] Negative reply <504 Authentication failed.>
[2017/11/22 22:05:15] [127.0.0.1:28351-0] Connection closed.(13s.163657u)


/webmail/log/login_user.log

[2017/11/22 22:04:28] [INF][28351][smtpd:userlog]# derek2@openfind.com.tw       65      127.0.0.1
[2017/11/22 22:05:15] [INF][28351][smtpd:userlog]# derek2@openfind.com.tw       65      127.0.0.1


/webmail/tools/dump_login_log -u derek2 -t smtp -r all

2017/11/22 22:03:16 Successful SMTP Login127.0.0.1
2017/11/22 22:03:55 Failed SMTP Login   127.0.0.1
2017/11/22 22:04:28 Failed SMTP Login   127.0.0.1
2017/11/22 22:05:15 Failed SMTP Login   127.0.0.1



Panel information:



Additionally:


Unlocking the account from the administrator interface:


/webmail/log/login_user.log

[2017/11/22 21:49:29] [INF][ 7924][m2kadm:userlog]# derek2@openfind.com.tw      4       172.16.25.11


5. Log format

[timestamp]    [info]     [PID]    [login method]# account     auth result     login source

[2020/04/07 13:40:04] [INF][27254][imap4d:userlog]# a1@ken.lab  5       172.16.25.1
[2020/04/07 13:40:05] [INF][ 1142][smtpd:userlog]# a1@ken.lab   2       172.16.25.1
[2020/04/07 14:12:13] [INF][33959][pop3d:userlog]# adm@ken.lab  3       172.16.25.1
[2020/04/07 14:15:07] [INF][34573][login:userlog]# adm@ken.lab  1       172.16.25.1


6. Authentication result codes

Code 4: account unlock

                  web   smtp   pop3   imap4d
Auth success        1      2      3        5
Auth failure       64     65     66       67
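As an added example (not part of the original page or of Mail2000 itself), the following Python parses login_user.log lines in the layout from section 5, maps the result codes from the table in section 6, and counts failures per (source IP, account, protocol), which is the lock key described in section I. The failure threshold is an assumed parameter, since the page leaves the real limit to the administrator interface; the sample lines are copied from this page's own log excerpts.

```python
import re
from collections import defaultdict

# Result codes from the table in section 6 (code 4 = unlock from the admin UI)
RESULT_CODES = {
    1: ("web", "success"), 2: ("smtp", "success"),
    3: ("pop3", "success"), 5: ("imap4", "success"),
    64: ("web", "failure"), 65: ("smtp", "failure"),
    66: ("pop3", "failure"), 67: ("imap4", "failure"), 4: ("admin", "unlock"),
}

# Layout from section 5: [timestamp] [level][pid][service:userlog]# account code source-ip
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]\[\s*(?P<pid>\d+)\]"
    r"\[(?P<service>[^:\]]+):userlog\]# (?P<account>\S+)\s+(?P<code>\d+)\s+(?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one login_user.log line into a dict; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"))
    protocol, outcome = RESULT_CODES.get(code, ("unknown", "unknown"))
    return {"ts": m.group("ts"), "pid": int(m.group("pid")), "service": m.group("service"),
            "account": m.group("account"), "ip": m.group("ip"),
            "code": code, "protocol": protocol, "outcome": outcome}

def locked_candidates(lines, threshold):
    """Count failures per (source IP, account, protocol) and return the keys that reached
    `threshold` (assumed value; the real limit lives in the admin UI). Code 4 resets the account."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["outcome"] == "failure":
            counts[(rec["ip"], rec["account"], rec["protocol"])] += 1
        elif rec["outcome"] == "unlock":
            for key in [k for k in counts if k[1] == rec["account"]]:
                counts[key] = 0
    return {k: n for k, n in counts.items() if n >= threshold}

# Sample lines copied from this page's log excerpts, in time order
SAMPLE_LOG = [
    "[2017/11/22 21:37:20] [INF][ 5437][pop3d:userlog]# derek2@openfind.com.tw       66      127.0.0.1",
    "[2017/11/22 21:37:28] [INF][ 5458][pop3d:userlog]# derek2@openfind.com.tw       66      127.0.0.1",
    "[2017/11/22 21:49:29] [INF][ 7924][m2kadm:userlog]# derek2@openfind.com.tw      4       172.16.25.11",
    "[2017/11/22 21:55:32] [INF][ 9178][imap4d:userlog]# derek2@openfind.com.tw      67      127.0.0.1",
    "[2017/11/22 21:55:47] [INF][ 9222][imap4d:userlog]# derek2@openfind.com.tw      67      127.0.0.1",
    "[2017/11/22 22:04:28] [INF][28351][smtpd:userlog]# derek2@openfind.com.tw       65      127.0.0.1",
]
```

Because the admin unlock at 21:49:29 resets the account, the two earlier POP3 failures no longer count, while the IMAP4 and SMTP failures after it do.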