Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:

...

does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilties.

@lbutlr" <kremels@kreme.com>

Fail2ban can protect email logins. Alerting a user because random IP in Korean Middle School tried to login seems no helpful.

...

i suspect it would need to log geo location, device type and ip address to a database. it seems like a module like this would be very useful

How?

Blacklist failed logins. That protects everyone and doesn't induce panic.

I just went through a long thread elsewhere on this topic.

Fail2ban is mainly a counter brute force measure. If you have a strong password policy, the net result of using it is that it makes your logs smaller, and maybe saves some CPU cycles or from DoS for really intense bouts, but otherwise, does not add to security as good passwords makes BFD infeasible.

*However*, if the attacker knows the approximate password (e.g. shoulder surfing), this may help, but eventually, the password will succumb to a patient diligent attack.

What the OP is considering is if the password is divulged e.g. phishing attack or snarfed from another source. In this case, an intruder's authentication will succeed immediately. If a monitor spots someone authenticating from another continent than where the owner is supposed to be, or from 2 locations thousands of miles apart, or from 5 different location simultaneously, or tried to send a huge number of messages with many bounces, or was using a different mail clients that one historically used), it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful, regardless of circumstances. However, it should be done out of band, if the assumption is someone else has control of the account.

Joseph Tam <jtam.home@gmail.com>