Re: detect suspicious logins

2017-12-21 Thread Aki Tuomi

> On December 20, 2017 at 12:29 PM Marcus Rueckert wrote:
> 
> 
> On Tue, 19 Dec 2017 17:13:10 +
> Matthew Broadhead wrote:
> 
> > does anyone know of a linux module (maybe similar to fail2ban) that 
> > could be installed which would monitor email logs (sign ins) and
> > alert the user to any suspicious activity on their account?  i
> > suspect it would need to log geo location, device type and ip address
> > to a database.  it seems like a module like this would be very useful
> > and should exist already?  thanks in advance
> 
> https://github.com/PowerDNS/weakforced
> 
> -- 
>   openSUSE - SUSE Linux is my linux
>   openSUSE is good for you
>   www.opensuse.org

You could use weakforced with dovecot's auth policy

https://wiki2.dovecot.org/Authentication/Policy

Aki


Re: detect suspicious logins

2017-12-20 Thread Joseph Tam

Matthew Broadhead wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that
> could be installed which would monitor email logs (sign ins) and alert
> the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilities.

@lbutlr wrote:

> Fail2ban can protect email logins.  Alerting a user because random IP
> in Korean Middle School tried to login seems not helpful.
>
> > i suspect it would need to log geo location, device type and ip
> > address to a database.  it seems like a module like this would be very
> > useful
>
> How?
>
> Blacklist failed logins. That protects everyone and doesn't induce panic.


I just went through a long thread elsewhere on this topic.

Fail2ban is mainly a counter brute force measure.  If you have a strong
password policy, the net result of using it is that it makes your logs
smaller, and maybe saves some CPU cycles or from DoS for really intense
bouts, but otherwise, does not add to security as good passwords make
BFD infeasible.

*However*, if the attacker knows the approximate password (e.g.
shoulder surfing), this may help, but eventually, the password will
succumb to a patient diligent attack.

What the OP is considering is if the password is divulged, e.g. phishing
attack or snarfed from another source.  In this case, an intruder's
authentication will succeed immediately.  If a monitor spots someone
authenticating from another continent than where the owner is supposed
to be, or from 2 locations thousands of miles apart, or from 5 different
locations simultaneously, or tried to send a huge number of messages with
many bounces, or was using a different mail client than the one historically
used, it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful,
regardless of circumstances.  However, it should be done out of band,
if the assumption is someone else has control of the account.

Joseph Tam
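The signals Joseph lists (a login from another continent, or two logins too far apart in too little time) can be scored directly from Dovecot's imap-login lines. The following Python is an added example, not code from the thread or from Dovecot; the log lines are constructed, and the GEO table is a stand-in for a real GeoIP lookup.

```python
import math, re
from datetime import datetime
# Constructed sample in Dovecot's imap-login "Login:" format (rip = remote IP).
SAMPLE_LOG = """\
Dec 19 09:00:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS, session=<a1>
Dec 19 09:40:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS, session=<a2>
Dec 19 10:02:44 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, TLS, session=<b1>
Dec 19 12:15:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.10, lip=10.0.0.2, TLS, session=<b2>
"""

# Constructed stand-in for a GeoIP database: remote IP -> (latitude, longitude).
GEO = {
    "203.0.113.5": (52.52, 13.40),      # Berlin
    "198.51.100.7": (-33.87, 151.21),   # Sydney
    "203.0.113.9": (52.52, 13.40),      # Berlin
    "203.0.113.10": (48.85, 2.35),      # Paris
}

LOGIN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: user=<([^>]+)>.*?rip=([\d.]+)")

def parse_logins(text, year=2017):
    """Return (time, user, remote_ip) for each successful imap-login line."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:  # failed logins and other daemons' lines do not match
            t = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            logins.append((t, m.group(2), m.group(3)))
    return logins

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(logins, max_kmh=1000.0):
    """Flag consecutive logins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for t, user, ip in sorted(logins):
        by_user.setdefault(user, []).append((t, ip))
    alerts = []
    for user, events in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue  # same address, or no location known: nothing to compare
            km = haversine_km(GEO[ip1], GEO[ip2])
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
            if km / hours > max_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2)))
    return alerts
```

Running `impossible_travel(parse_logins(SAMPLE_LOG))` flags alice (Berlin to Sydney in 40 minutes) and leaves bob's Berlin-to-Paris pair alone, since it fits within the 1000 km/h threshold.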


Re: detect suspicious logins

2017-12-20 Thread Marcus Rueckert
On Tue, 19 Dec 2017 17:13:10 +
Matthew Broadhead wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that 
> could be installed which would monitor email logs (sign ins) and
> alert the user to any suspicious activity on their account?  i
> suspect it would need to log geo location, device type and ip address
> to a database.  it seems like a module like this would be very useful
> and should exist already?  thanks in advance

https://github.com/PowerDNS/weakforced

-- 
  openSUSE - SUSE Linux is my linux
  openSUSE is good for you
  www.opensuse.org


Re: detect suspicious logins

2017-12-20 Thread @lbutlr

> On 19 Dec 2017, at 10:13, Matthew Broadhead
> wrote:
> 
> does anyone know of a linux module (maybe similar to fail2ban) that could be 
> installed which would monitor email logs (sign ins) and alert the user to any 
> suspicious activity on their account?

Fail2ban can protect email logins. Alerting a user because random IP in Korean 
Middle School tried to login seems not helpful.

> i suspect it would need to log geo location, device type and ip address to a 
> database.  it seems like a module like this would be very useful

How?

Blacklist failed logins. That protects everyone and doesn't induce panic.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



detect suspicious logins

2017-12-19 Thread Matthew Broadhead
does anyone know of a linux module (maybe similar to fail2ban) that 
could be installed which would monitor email logs (sign ins) and alert 
the user to any suspicious activity on their account?  i suspect it 
would need to log geo location, device type and ip address to a 
database.  it seems like a module like this would be very useful and 
should exist already?  thanks in advance