Where is the log showing IPs of access attempts?

kcurtis · Post by **kcurtis** » Mon Jul 28, 2014 9:15 am

I have one account that is under attack from someone trying to log in to it.

They system is working great and setting the account to 'locked out' but I need to find out where the attacker is so I can firewall them.
I looked in the /var/log/auth.log file and I see the attempts but it does not show the persons IP address.

What log shows the IP used to try to log in to an account?

chauvetp · Post by **chauvetp** » Mon Jul 28, 2014 11:29 am

Check /opt/zimbra/log/audit.log. If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log
If its an SMTP transaction, you'll have to check /var/log/maillog on one of your MTAs.
If you have the proxy/SMTP servers behind a load balancer - then you may have issues tracking the IP down...

kcurtis · Post by **kcurtis** » Mon Jul 28, 2014 12:54 pm

Thanks, I know it is a Monday now.

I was looking in /var/log not /opt/zimbra/log/

kcurtis · Post by **kcurtis** » Tue Jul 29, 2014 12:09 pm

Ok one more question.

I am now able to watch everyone as they log in with their clients, how ever if they log on the web portal to get their mail it is only showing the IP if the Zimbra server. I do not see any logs for Apache. Is there a different file I can look in to to see what IP they are using to try to log in on the web site?

chauvetp · Post by **chauvetp** » Tue Jul 29, 2014 12:18 pm

As mentioned in my last post:
If you're using Zimbra's proxy servers in a multi-server environment, you'll have to check /opt/zimbra/log/nginx.log
Even if you're not in a multi-server environment, if you installed the Zimbra proxy, then it will pass through there first.