Where is the log showing IPs of access attempts?

kcurtis
Posts: 6
Joined: Sat Sep 13, 2014 3:37 am

Postby kcurtis » Mon Jul 28, 2014 9:15 am

I have one account that is under attack from someone trying to log in to it.

The system is working great and setting the account to 'locked out' but I need to find out where the attacker is so I can firewall them.
I looked in the /var/log/auth.log file and I see the attempts but it does not show the person's IP address.

What log shows the IP used to try to log in to an account?


chauvetp
Outstanding Member
Posts: 350
Joined: Fri Sep 12, 2014 11:28 pm

Postby chauvetp » Mon Jul 28, 2014 11:29 am

Check /opt/zimbra/log/audit.log. If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log
If it's an SMTP transaction, you'll have to check /var/log/maillog on one of your MTAs.
If you have the proxy/SMTP servers behind a load balancer - then you may have issues tracking the IP down...
kcurtis
Posts: 6
Joined: Sat Sep 13, 2014 3:37 am

Postby kcurtis » Mon Jul 28, 2014 12:54 pm

Thanks, I know it is a Monday now.

I was looking in /var/log not /opt/zimbra/log/
kcurtis
Posts: 6
Joined: Sat Sep 13, 2014 3:37 am

Postby kcurtis » Tue Jul 29, 2014 12:09 pm

Ok one more question.

I am now able to watch everyone as they log in with their clients; however, if they log on to the web portal to get their mail, it is only showing the IP of the Zimbra server. I do not see any logs for Apache. Is there a different file I can look into to see what IP they are using to try to log in on the web site?
chauvetp
Outstanding Member
Posts: 350
Joined: Fri Sep 12, 2014 11:28 pm

Postby chauvetp » Tue Jul 29, 2014 12:18 pm

As mentioned in my last post:
If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log
Even if you're not in a multi-server environment, if you installed the Zimbra proxy, then it will pass through there first.
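
Added example, not part of any post in this thread and not Zimbra's own tooling: once the right file is found, a filter like this turns the failed logins for one account into a per-address count that can feed a firewall rule. The line layout, the `ip=`/`oip=` field names and the "authentication failed" wording are assumptions about the audit.log format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: tally failed logins per client address for one account.
# ASSUMED line layout (the thread does not show one): a bracketed context
# block with name=, ip= and optionally oip= fields, followed by
# "security - cmd=Auth; account=...; error=authentication failed ...".
# oip is taken as the original client address; ip is the fallback.

# Constructed sample lines (documentation address ranges, not real data).
sample_audit_log() {
cat <<'EOF'
2014-07-28 09:01:11,204 WARN  [qtp1-21] [name=victim@example.com;ip=10.0.0.5;oip=203.0.113.7;ua=ZimbraWebClient;] security - cmd=Auth; account=victim@example.com; protocol=soap; error=authentication failed for [victim], invalid password;
2014-07-28 09:01:14,870 WARN  [qtp1-22] [name=victim@example.com;ip=10.0.0.5;oip=203.0.113.7;ua=ZimbraWebClient;] security - cmd=Auth; account=victim@example.com; protocol=soap; error=authentication failed for [victim], account lockout;
2014-07-28 09:02:40,019 WARN  [ImapServer-3] [name=victim@example.com;ip=198.51.100.23;] security - cmd=Auth; account=victim@example.com; protocol=imap; error=authentication failed for [victim], invalid password;
2014-07-28 09:03:02,551 INFO  [qtp1-25] [name=other@example.com;ip=10.0.0.5;oip=192.0.2.44;ua=ZimbraWebClient;] security - cmd=Auth; account=other@example.com; protocol=soap;
2014-07-28 09:03:30,112 WARN  [qtp1-26] [name=other@example.com;ip=10.0.0.5;oip=192.0.2.44;ua=ZimbraWebClient;] security - cmd=Auth; account=other@example.com; protocol=soap; error=authentication failed for [other], invalid password;
EOF
}

failed_auth_by_ip() {
    # $1 = account to filter on; audit.log lines are read from stdin.
    awk -v acct="$1" '
        /cmd=Auth;/ && /authentication failed/ && index($0, "account=" acct ";") {
            addr = ""
            if (match($0, /[[;]oip=[^;]+/))
                addr = substr($0, RSTART + 5, RLENGTH - 5)
            else if (match($0, /[[;]ip=[^;]+/))
                addr = substr($0, RSTART + 4, RLENGTH - 4)
            if (addr != "") hits[addr]++
        }
        END { for (a in hits) printf "%d %s\n", hits[a], a }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the sample; on a server, feed it the real file instead,
# e.g.  failed_auth_by_ip user@domain < /opt/zimbra/log/audit.log
sample_audit_log | failed_auth_by_ip victim@example.com
```
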
