
View password of attempted login - UTM 9

Hi!

We have someone trying to log into smtp and we need to know if they are using old passwords or random passwords.

The logs don't show the passwords.

I tried setting our $debug_secrets = 1; in AuaConfig.pm but not really sure what that does.

Where can I find documentation on how to see the passwords being used to authenticate?

Thank you.

-Paul

  • A well-designed system does not put passwords into log files.  If a legitimate user cannot log in, they can and should call for a password reset.  You may be able to capture what you want using tcpdump, if you know when the connection attempts are arriving, but I cannot imagine why you think this will be helpful.

    We detect many, many SMTP Authentication failures every day, from random devices looking for open relays or some other attack strategy.   Periodically, I identify the most annoying sources and then I blacklist the IP address.

    Your UTM should not allow authenticated SMTP/POP/IMAP to a UTM address.   Those functions should be directed to your email server.

  • I will try TCPDUMP.

    To help you imagine why this would be helpful, if someone is trying to authenticate with a once valid password from a foreign country, then it wouldn't be a brute force attack.  It would mean they have other access already.

  • This would not be a proper role to use your UTM as a solution for - this would fall under a legitimate identity access and management (and preferably monitoring) solution instead. On the other hand, you should never need to know what password is being used, because once you know a credential is being attempted illegitimately (you already seem to know if the attempt is legitimate or not), then you know the credential being used; so, from that, you can deduce who needs to go change their credential just in case. Any unusual activity of a credential should prompt action on that credential just to ensure there is no "once valid password" - as soon as it is changed, it is no longer valid, as users should never be allowed to reuse passphrases.
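The two replies above make the same defender's point from different angles: count authentication failures per source and block the noisiest senders, and act on the account names being tried rather than on the passwords. The following script is an added example written for this thread; it is not code from any of the posters or from Sophos UTM 9, and the log line layout (`smtpd: SMTP AUTH failed user=... src=...`), the sample lines and the `KNOWN_USERS` set are all constructed for illustration, not the real UTM log format. It shows that a forced reset list and a block list can both be derived from failure events without ever recording a password.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp host smtpd: ..." layout.
# This is NOT real UTM 9 output; the field names are an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01 utm smtpd: SMTP AUTH failed user=alice@example.com src=203.0.113.7
2024-05-01T08:00:03 utm smtpd: SMTP AUTH failed user=bob@example.com src=203.0.113.7
2024-05-01T08:00:05 utm smtpd: SMTP AUTH failed user=admin src=203.0.113.7
2024-05-01T08:00:09 utm smtpd: SMTP AUTH failed user=test src=203.0.113.7
2024-05-01T08:00:12 utm smtpd: SMTP AUTH failed user=info src=203.0.113.7
2024-05-01T08:01:40 utm smtpd: SMTP AUTH failed user=alice@example.com src=198.51.100.23
2024-05-01T08:02:10 utm smtpd: SMTP AUTH failed user=alice@example.com src=198.51.100.23
2024-05-01T09:30:00 utm smtpd: SMTP AUTH failed user=carol@example.com src=192.0.2.200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smtpd: SMTP AUTH failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed directory of real mailbox names; in practice this comes from the mail server.
KNOWN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def parse_failures(text):
    """Turn matching log lines into (timestamp, user, source_ip) tuples.
    Only the user name and source are kept; no password ever appears in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, skip silently
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def noisy_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failures inside any sliding `window`.
    These are the candidates for the block list the first reply describes."""
    by_src = defaultdict(list)
    for ts, _, src in events:
        by_src[src].append(ts)
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def targeted_accounts(events, known_users):
    """Real accounts whose name is being tried, with attempt counts.
    Whether the guesses were old or random passwords is irrelevant: every account
    on this list is a reset candidate, which is the second reply's point."""
    attempts = Counter(user for _, user, _ in events if user in known_users)
    return dict(attempts)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("block candidates:", sorted(noisy_sources(evts)))
    print("reset candidates:", targeted_accounts(evts, KNOWN_USERS))
```

The threshold and window are deliberately conservative defaults; a single source that cycles through generic names (`admin`, `test`, `info`) trips the block rule, while a source that slowly retries one real mailbox does not, yet that mailbox still lands on the reset list because its name is a known account.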
