Re: detect suspicious logins
Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
I just monitor straight from the logs using homebrew utilities.
"@lbutlr" <kremels@kreme.com> wrote:
I just went through a long thread elsewhere on this topic.
Fail2ban is mainly a counter brute force measure. If you have a strong password policy, the net result of using it is that it makes your logs smaller, and maybe saves some CPU cycles or from DoS for really intense bouts, but otherwise, does not add to security as good passwords make BFD infeasible.
*However*, if the attacker knows the approximate password (e.g. shoulder surfing), this may help, but eventually, the password will succumb to a patient diligent attack.
What the OP is considering is if the password is divulged e.g. phishing attack or snarfed from another source. In this case, an intruder's authentication will succeed immediately. If a monitor spots someone authenticating from another continent than where the owner is supposed to be, or from 2 locations thousands of miles apart, or from 5 different locations simultaneously, or tried to send a huge number of messages with many bounces, or was using a different mail client than the one historically used, it can signal the admin/user for further investigation.
For users, I think reporting a login origin audit will be helpful, regardless of circumstances. However, it should be done out of band, if the assumption is someone else has control of the account.
Joseph Tam <jtam.home@gmail.com>
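As an added illustration of the login-origin heuristics described in the reply above (example code written here, not code from the thread or from any of its participants): two of the checks Joseph lists, "logins from two places too far apart to travel between" and "too many distinct sources in a short window", run over a handful of constructed login records. The login events, IP addresses, coordinates and the speed/window thresholds are all made-up assumptions; in a real deployment the records would be parsed from the mail server's login log and the coordinates would come from a GeoIP lookup.

```python
# Added example: "impossible travel" and "many sources" checks over login records.
# Not from the mailing-list post; every value below is constructed for illustration.
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login events: (user, UTC timestamp, source IP, latitude, longitude).
# Coordinates are assumed to come from a GeoIP lookup of the source address.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", "192.0.2.10",   51.50,  -0.12),   # London
    ("alice", "2024-03-01T08:40:00Z", "198.51.100.7", 40.71, -74.01),   # New York, 40 min later
    ("alice", "2024-03-01T09:00:00Z", "203.0.113.5",  51.51,  -0.13),   # London again, 20 min later
    ("bob",   "2024-03-01T10:00:00Z", "192.0.2.20",   48.85,   2.35),   # Paris
    ("bob",   "2024-03-01T18:00:00Z", "192.0.2.21",   52.52,  13.40),   # Berlin, 8 h later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold: faster than this is not one traveller
MIN_DISTANCE_KM = 100.0      # assumed: ignore GeoIP jitter between nearby points


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, earlier_ip, later_ip, km, hours, kmh) for each pair of consecutive
    logins by the same user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in logins:
        by_user[user].append((parse_ts(ts), ip, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return alerts


def users_with_many_sources(logins, window_hours=1.0, threshold=3):
    """Return {user: n} for users who logged in from at least `threshold` distinct
    source IPs within any window of `window_hours`; n is the largest such count."""
    by_user = defaultdict(list)
    for user, ts, ip, _lat, _lon in logins:
        by_user[user].append((parse_ts(ts), ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        best = 0
        for i, (t0, _ip) in enumerate(events):
            # distinct sources in the window that starts at this login
            in_window = {ip for t, ip in events[i:]
                         if (t - t0).total_seconds() <= window_hours * 3600}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, ip1, ip2, km, hours, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {ip1} -> {ip2} is {km} km in {hours} h ({kmh} km/h)")
    for user, n in users_with_many_sources(SAMPLE_LOGINS).items():
        print(f"{user}: {n} distinct source addresses within one hour")
```

With the constructed records, alice trips both checks (London to New York in 40 minutes, then back, and three source addresses inside an hour) while bob's Paris-to-Berlin pair over eight hours is well under the speed threshold. Both checks only raise something for a human to look at, which matches the reply's point that the notification should reach the user out of band when the account itself may be in someone else's hands.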