
Is there a way to include username in "[WARN-070] Too many failed logins" email notifications?

Hi all,

When a user repeatedly fails to log in via VPN on our UTM, I have set it up so that I/Admin receive a notification about the incident and the consequent blocking of the IP.

However - the notification does not contain the user ID which was used during the login attempt, which would be a great help for us, to be able to contact the user or even forward the message to the user, so that he/she is informed they are now blocked, and don't need to continue trying to get access until quarantine has ended.

So - is there a way to edit the notification, and have the username which was used, added to the notification sent together with the already mentioned IP of the user?

Cheers,
Henrik Holm Nielsen



  • Hej Henrik and welcome to the UTM Community!

    You can't add it to the notification, but you can search on the IP in the User Authentication log to find the user.

    From the command line, if you're using SSL VPN Remote Access, you could use the following to see the lines from today:

         grep openvpn /var/log/aua.log|grep failed|more

    Cheers  - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
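
One way to go from the blocked IP in the notification to the usernames that were tried, as an added example that is not part of the original reply. It assumes aua.log lines carry key="value" fields named `srcip` and `user`; the function name and the sample lines are constructed for illustration.

```shell
# Added example: list usernames tried in failed SSL VPN logins from one IP.
# Assumption: each aua.log line has key="value" fields named srcip and user;
# check a real line on your UTM and adjust the field names if they differ.
failed_users_for_ip() {
    ip="$1"
    log="${2:-/var/log/aua.log}"
    # Same filter as the reply above, then an exact match on the source IP
    # (a plain grep for 203.0.113.7 would also match 203.0.113.70).
    grep openvpn "$log" | grep failed | awk -v ip="$ip" '
        function field(name,    re, s) {
            re = "(^| )" name "=\"[^\"]*\""
            if (match($0, re)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
                return s
            }
            return ""
        }
        field("srcip") == ip { count[field("user")]++ }
        END { for (u in count) printf "%d %s\n", count[u], u }
    ' | sort -rn
}

# Constructed sample lines (not real log data) to try the function offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024:01:15-09:12:01 utm aua[4321]: id="3005" severity="warn" name="Authentication failed" srcip="203.0.113.7" user="hnielsen" caller="openvpn" reason="DENIED"
2024:01:15-09:12:09 utm aua[4322]: id="3005" severity="warn" name="Authentication failed" srcip="203.0.113.7" user="hnielsen" caller="openvpn" reason="DENIED"
2024:01:15-09:12:20 utm aua[4323]: id="3005" severity="warn" name="Authentication failed" srcip="203.0.113.7" user="hnielson" caller="openvpn" reason="DENIED"
2024:01:15-09:13:02 utm aua[4324]: id="3005" severity="warn" name="Authentication failed" srcip="203.0.113.70" user="other" caller="openvpn" reason="DENIED"
2024:01:15-09:14:11 utm aua[4325]: id="3005" severity="warn" name="Authentication failed" srcip="203.0.113.7" user="admin" caller="webadmin" reason="DENIED"
EOF
failed_users_for_ip 203.0.113.7 "$sample"   # failed-attempt count, then username
rm -f "$sample"
```

On the UTM itself, call `failed_users_for_ip` with the IP from the notification and no second argument to read /var/log/aua.log.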