detect suspicious logins


detect suspicious logins

chongma
Does anyone know of a Linux module (maybe similar to fail2ban) that
could be installed which would monitor email logs (sign-ins) and alert
the user to any suspicious activity on their account?  I suspect it
would need to log geolocation, device type and IP address to a
database.  It seems like a module like this would be very useful and
should exist already?  Thanks in advance

Re: detect suspicious logins

@lbutlr

> On 19 Dec 2017, at 10:13, Matthew Broadhead <[hidden email]> wrote:
>
> does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account?

Fail2ban can protect email logins. Alerting a user because a random IP in a Korean middle school tried to log in seems not helpful.

> i suspect it would need to log geo location, device type and ip address to a database.  it seems like a module like this would be very useful

How?

Blacklist failed logins. That protects everyone and doesn't induce panic.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: detect suspicious logins

Marcus Rueckert-3
In reply to this post by chongma
On Tue, 19 Dec 2017 17:13:10 +0000
Matthew Broadhead <[hidden email]> wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that
> could be installed which would monitor email logs (sign ins) and
> alert the user to any suspicious activity on their account?  i
> suspect it would need to log geo location, device type and ip address
> to a database.  it seems like a module like this would be very useful
> and should exist already?  thanks in advance

https://github.com/PowerDNS/weakforced

--
          openSUSE - SUSE Linux is my linux
              openSUSE is good for you
                  www.opensuse.org

Re: detect suspicious logins

Joseph Tam-2
In reply to this post by chongma
Matthew Broadhead <[hidden email]> wrote:

>> does anyone know of a linux module (maybe similar to fail2ban) that
>> could be installed which would monitor email logs (sign ins) and alert
>> the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilities.

@lbutlr <[hidden email]>

> Fail2ban can protect email logins.  Alerting a user because random IP
> in Korean Middle School tried to login seems no helpful.
>
>> i suspect it would need to log geo location, device type and ip
>> address to a database.  it seems like a module like this would be very
>> useful
>
> How?
>
> Blacklist failed logins. That protects everyone and doesn't induce panic.

I just went through a long thread elsewhere on this topic.

Fail2ban is mainly a counter-brute-force measure.  If you have a strong
password policy, the net result of using it is that it makes your logs
smaller, and maybe saves some CPU cycles or from DoS for really intense
bouts, but otherwise, does not add to security, as good passwords make
BFD infeasible.

*However*, if the attacker knows the approximate password (e.g.
shoulder surfing), this may help, but eventually, the password will
succumb to a patient diligent attack.

What the OP is considering is if the password is divulged, e.g. by a phishing
attack or snarfed from another source.  In this case, an intruder's
authentication will succeed immediately.  If a monitor spots someone
authenticating from another continent than where the owner is supposed
to be, or from 2 locations thousands of miles apart, or from 5 different
locations simultaneously, or trying to send a huge number of messages with
many bounces, or using a different mail client than the one historically
used, it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful,
regardless of circumstances.  However, it should be done out of band,
if the assumption is someone else has control of the account.

Joseph Tam <[hidden email]>
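An added example (not from any poster on this thread) of the "2 locations thousands of miles apart" check described above: it parses constructed Dovecot-style imap-login lines, maps source IPs to places through a constructed stand-in for a GeoIP database, and flags a user whose consecutive logins imply an impossible travel speed. Log lines, the GEO table and the 900 km/h threshold are all assumptions for the example.

```python
import math
import re
from datetime import datetime
# Constructed sample of Dovecot-style imap-login lines (not taken from the thread).
LOG_LINES = """\
2017-12-20T08:00:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
2017-12-20T08:30:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
2017-12-20T09:00:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS
2017-12-20T09:05:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
""".splitlines()

# Constructed stand-in for a GeoIP database: /24 prefix -> (place, latitude, longitude).
GEO = {
    "203.0.113": ("Vancouver", 49.28, -123.12),
    "198.51.100": ("Frankfurt", 50.11, 8.68),
}

LOGIN_RE = re.compile(r"^(\S+) \S+ dovecot: imap-login: Login: user=<([^>]+)>.* rip=([\d.]+)")

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse_logins(lines):
    """Yield (timestamp, user, ip, (place, lat, lon)) for successful logins with a known location."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        geo = GEO.get(m.group(3).rsplit(".", 1)[0])
        if geo:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), geo

def find_impossible_travel(lines, max_kmh=900.0):
    """Flag users whose consecutive logins imply travel faster than max_kmh (about airliner speed)."""
    last = {}     # user -> (timestamp, place, lat, lon) of the previous login
    alerts = []   # (user, from_place, to_place, km, hours) for each flagged hop
    for ts, user, _ip, (place, lat, lon) in sorted(parse_logins(lines)):
        if user in last:
            pts, pplace, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600.0
            km = haversine_km((plat, plon), (lat, lon))
            if km > 0 and km / max(hours, 1e-6) > max_kmh:
                alerts.append((user, pplace, place, round(km), round(hours, 2)))
        last[user] = (ts, place, lat, lon)
    return alerts
```

Running `find_impossible_travel(LOG_LINES)` flags alice's Vancouver-to-Frankfurt hop half an hour apart and leaves bob alone; feeding it real syslog output would mean swapping the timestamp format and the GEO lookup.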

Re: detect suspicious logins

Aki Tuomi-2
In reply to this post by Marcus Rueckert-3

> On December 20, 2017 at 12:29 PM Marcus Rueckert <[hidden email]> wrote:
>
>
> On Tue, 19 Dec 2017 17:13:10 +0000
> Matthew Broadhead <[hidden email]> wrote:
>
> > does anyone know of a linux module (maybe similar to fail2ban) that
> > could be installed which would monitor email logs (sign ins) and
> > alert the user to any suspicious activity on their account?  i
> > suspect it would need to log geo location, device type and ip address
> > to a database.  it seems like a module like this would be very useful
> > and should exist already?  thanks in advance
>
> https://github.com/PowerDNS/weakforced
>
> --
>           openSUSE - SUSE Linux is my linux
>               openSUSE is good for you
>                   www.opensuse.org

You could use weakforced with Dovecot's auth policy:

https://wiki2.dovecot.org/Authentication/Policy

Aki