detect suspicious logins

detect suspicious logins

chongma
Does anyone know of a linux module (maybe similar to fail2ban) that
could be installed which would monitor email logs (sign ins) and alert
the user to any suspicious activity on their account?  I suspect it
would need to log geo location, device type and ip address to a
database.  It seems like a module like this would be very useful and
should exist already?  Thanks in advance

RE: detect suspicious logins

Fazzina, Angelo
I bet I could get something like that going easily, as my logs go to Splunk.  Just not the biggest fire to put out at the moment.


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Matthew Broadhead
Sent: Tuesday, December 19, 2017 12:02 PM
To: [hidden email]
Subject: detect suspicious logins

Re: detect suspicious logins

Wietse Venema
In reply to this post by chongma
Matthew Broadhead:
> Does anyone know of a linux module (maybe similar to fail2ban) that
> could be installed which would monitor email logs (sign ins) and alert
> the user to any suspicious activity on their account?  I suspect it
> would need to log geo location, device type and ip address to a
> database.  It seems like a module like this would be very useful and
> should exist already?  Thanks in advance

Use postfwd to rate-limit email volume by sasl_username, to limit
the impact from a 'stolen' password.
http://postfwd.org/ratelimits.html

        Wietse
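As an added example (not code from any poster in this thread, and not part of postfwd), the following Python script sketches what the original question asks for on the Postfix side: it parses smtpd log lines for authenticated sessions and flags a sasl_username that opens more sessions in a window than a threshold (the condition a postfwd rate limit would throttle), that appears from more distinct client IPs than expected, or that logs in from an IP outside a per-user baseline. The log lines, thresholds and baseline are constructed; geolocation and device type are left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Postfix smtpd log lines (not real data): each authenticated
# submission session logs client=host[ip] and sasl_username on one line.
SAMPLE_LOG = """\
Dec 19 12:00:01 mx postfix/submission/smtpd[2001]: 1A2B3C: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Dec 19 12:00:05 mx postfix/submission/smtpd[2001]: 1A2B3D: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Dec 19 12:01:00 mx postfix/submission/smtpd[2002]: 4D5E6F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 19 12:01:02 mx postfix/submission/smtpd[2003]: 4D5E70: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 19 12:01:03 mx postfix/submission/smtpd[2004]: 4D5E71: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 19 12:01:04 mx postfix/submission/smtpd[2005]: 4D5E72: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 19 12:30:00 mx postfix/smtpd[2010]: 7A8B9C: client=mail.example.org[192.0.2.200]
"""

# Constructed (hypothetical) baseline of the client IPs each user normally logs in from.
BASELINE = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"198.51.100.7"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)$"
)

def parse_sasl_logins(text):
    """Yield (timestamp, sasl_username, client_ip) for each authenticated session."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # inbound sessions without sasl_username are skipped
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]  # syslog lacks the year

def find_suspicious(text, baseline=None, window=timedelta(minutes=10), max_sessions=3, max_ips=2):
    """Return {user: [reasons]} for logins that look abnormal within the window: too many sessions
    (what a postfwd rate limit would throttle), too many distinct client IPs, or an IP not in baseline."""
    baseline = baseline or {}
    recent = defaultdict(list)  # user -> [(ts, ip)] inside the window, in log order
    flagged = defaultdict(set)
    for ts, user, ip in parse_sasl_logins(text):
        recent[user] = [(t, i) for t, i in recent[user] + [(ts, ip)] if ts - t <= window]
        if len(recent[user]) > max_sessions:
            flagged[user].add("session rate")
        if len({i for _, i in recent[user]}) > max_ips:
            flagged[user].add("distinct IPs")
        if user in baseline and ip not in baseline[user]:
            flagged[user].add("new IP")
    return {u: sorted(r) for u, r in flagged.items()}

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG, BASELINE).items():
        print(f"ALERT {user}: {', '.join(reasons)}")
```

On the sample, alice is quiet and bob is reported for all three reasons; in practice the alert would be sent to the account owner or fed to a tool such as fail2ban or postfwd rather than printed.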

Re: detect suspicious logins

Phil Stracchino
In reply to this post by chongma
On 12/19/17 12:01, Matthew Broadhead wrote:
> Does anyone know of a linux module (maybe similar to fail2ban) that
> could be installed which would monitor email logs (sign ins) and alert
> the user to any suspicious activity on their account?  I suspect it
> would need to log geo location, device type and ip address to a
> database.  It seems like a module like this would be very useful and
> should exist already?  Thanks in advance


Sounds like you should be looking at intrusion detection systems.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: detect suspicious logins

lists@lazygranch.com
http://www.linux-mag.com/id/7807/
By some miracle, I managed to get swatch to monitor my web log, but basically it can read any log. In my case, I gave the annoying "jorgee" infected IP addresses a three minute lockout, which is enough to make them attack another server.

Swatch has no user group I could find, and it requires understanding regular expressions. Hence my miracle comment.

For my VPS, for which I am the only customer, I geographically block all countries that I don't plan on occupying from all email ports other than 25. I get a few hackers a week, all from the very VPS vendor I use, because I don't block them.


  Original Message  
From: [hidden email]
Sent: December 19, 2017 9:37 AM
To: [hidden email]
Subject: Re: detect suspicious logins