Paul M. Beck wrote:
> Once again someone's trying to crack passwords on our server.
> Not a problem because surgemail has caught it.
> However searching 10000 records still doesn't give the offending IP
> address.
> Does anyone know how can I find this out all I have are records like
> these...
> Are there some tellmail commands to list locked out IP addresses?
>
> 2010-10-31 20:30:44.00:-230068224: -ERR Login incorrect oracle - too
> many attempts try later (g_bad_login_allow or g_bad_login_ip_ignore)
> 2010-10-31 20:30:44.00:-244846592: -ERR Login incorrect backup - too
> many attempts try later (g_bad_login_allow or g_bad_login_ip_ignore)
> 2010-10-31 20:30:44.00:-229683200: -ERR Login incorrect backup - too
> many attempts try later (g_bad_login_allow or g_bad_login_ip_ignore)
> 2010-10-31 20:30:44.00:-231608320: -ERR Login incorrect sybase - too
> many attempts try later (g_bad_login_allow or g_bad_login_ip_ignore)
>
> Paul
>

Look for this:

Login failures for 2010-11-01

2010-11-01 00:08:43.00:303794512: pop: User: xxxxxx Domain: xxxxxx.com, IP: ::ffff:98.253.35.189, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 00:18:25.00:314349904: pop: User: xxxxxx Domain: xxxxxx.com, IP: ::ffff:98.253.35.189, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 01:43:49.00:314349904: -ERR User: xxxxxx Domain: chemcomfg.com, Too many login attempts, try again later. Setting g_bad_login ip=::ffff:98.253.35.189

I don't think there is a file that holds those. But I could be wrong on that. I would search for the password failures instead.

Don't know what platform you are on, but in *nix, learning how to use grep from a command line is a very useful tool.

Lyle Giese
LCR Computer Services, Inc.
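
The search suggested in the reply above, as an added example that is not part of the original messages or of SurgeMail: it counts password failures per source IP and lists the IPs named on lockout lines. The function names are hypothetical, the log path is passed as an argument, the line formats are assumed from the excerpts in this thread, and the sample log is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: per-IP summary of SurgeMail login failures.
# Line formats are assumed from the excerpts quoted in this thread.

# Treat ::ffff:192.0.2.10 (IPv4-mapped IPv6) and 192.0.2.10 as one source.
normalize_ip() { sed 's/^::ffff://'; }

# Print "<count> <ip>" for each source of password failures, busiest first.
failed_login_ips() {
    grep -F 'password wrong or not a valid user' "$1" |
        sed -n 's/.* IP: \([^ ,]*\),.*/\1/p' |
        normalize_ip | sort | uniq -c |
        awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Print each IP named on a lockout line ("Setting g_bad_login ip=...").
locked_out_ips() {
    sed -n 's/.*Setting g_bad_login ip=\([^ ]*\).*/\1/p' "$1" |
        normalize_ip | sort -u
}

# Constructed sample log (hypothetical helper; not real data). The last line
# is the IP-less "too many attempts" form, which both functions skip.
write_sample_log() {
    cat > "$1" <<'EOF'
2010-11-01 00:08:43.00:303794512: pop: User: alice Domain: example.com, IP: ::ffff:192.0.2.10, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 00:09:01.00:303794512: pop: User: bob Domain: example.com, IP: ::ffff:192.0.2.10, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 00:09:30.00:314349904: pop: User: carol Domain: example.com, IP: 198.51.100.7, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 00:10:02.00:314349904: pop: User: oracle Domain: example.com, IP: ::ffff:192.0.2.10, -ERRHIDDEN@xxx.com password wrong or not a valid user
2010-11-01 00:10:03.00:314349904: -ERR User: oracle Domain: example.com, Too many login attempts, try again later. Setting g_bad_login ip=::ffff:192.0.2.10
2010-11-01 00:10:04.00:-230068224: -ERR Login incorrect oracle - too many attempts try later (g_bad_login_allow or g_bad_login_ip_ignore)
EOF
}

# Demo on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "Password failures by IP:"; failed_login_ips "$log"
echo "Locked-out IPs:";          locked_out_ips "$log"
rm -f "$log"
```

To run it against a real log, call `failed_login_ips` and `locked_out_ips` with that file's path instead of the sample.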