Need to expose IP address of hacker
Posted: Sun Nov 11, 2018 1:20 am
Good evening everyone,
I am in dire need of the collective brain power of these forums. I have someone attempting to log in to my account via the Zimbra web interface. They are making multiple attempts which is causing my account to become disabled, and it's very frustrating. I attempted to see who it was by viewing the /opt/zimbra/log/audit.log file but what is logged there is the IP address of the Zimbra server itself (domain name, user name, and server IP changed to provide an example below )...
2018-11-10 17:03:48,966 WARN [qtp335471116-59207:https:https://webmail.example.com:7073/service/admin/soap/] [name=admin@example.com;ip=1.2.3.4;port=36300;soapId=7de4b14;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin@example.com], invalid password;
The IP address 1.2.3.4 shown in the log entry is the IP address of the VPS where I have Zimbra Collaboration running. It never shows me their public IP address. However, if there is a successful log in, THEN the log file shows the users IP address. Is there a setting that I can change to show this? I've heard of people using fail2ban for these things, but if the log file is showing the IP address of the server, wouldn't that just block the server from itself?
I'm in need of some education here, and would most sincerely appreciate any suggestions or feedback that you are willing to provide.
Respectfully,
Martin
I am in dire need of the collective brain power of these forums. I have someone attempting to log in to my account via the Zimbra web interface. They are making multiple attempts which is causing my account to become disabled, and it's very frustrating. I attempted to see who it was by viewing the /opt/zimbra/log/audit.log file but what is logged there is the IP address of the Zimbra server itself (domain name, user name, and server IP changed to provide an example below )...
2018-11-10 17:03:48,966 WARN [qtp335471116-59207:https:https://webmail.example.com:7073/service/admin/soap/] [name=admin@example.com;ip=1.2.3.4;port=36300;soapId=7de4b14;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin@example.com], invalid password;
The IP address 1.2.3.4 shown in the log entry is the IP address of the VPS where I have Zimbra Collaboration running. It never shows me their public IP address. However, if there is a successful log in, THEN the log file shows the users IP address. Is there a setting that I can change to show this? I've heard of people using fail2ban for these things, but if the log file is showing the IP address of the server, wouldn't that just block the server from itself?
I'm in need of some education here, and would most sincerely appreciate any suggestions or feedback that you are willing to provide.
Respectfully,
Martin
happy it worked and happy about your feedback!