detect suspicious logins

Joseph Tam jtam.home at gmail.com
Thu Dec 21 03:13:14 EET 2017


Matthew Broadhead <matthew.broadhead at nbmlaw.co.uk> wrote:

>> does anyone know of a linux module (maybe similar to fail2ban) that
>> could be installed which would monitor email logs (sign ins) and alert
>> the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilities.

@lbutlr <kremels at kreme.com> wrote:

> Fail2ban can protect email logins.  Alerting a user because random IP
> in Korean Middle School tried to login seems not helpful.
>
>> I suspect it would need to log geo location, device type and IP
>> address to a database.  It seems like a module like this would be very
>> useful
>
> How?
>
> Blacklist failed logins. That protects everyone and doesn't induce panic.

I just went through a long thread elsewhere on this topic.

Fail2ban is mainly a counter brute force measure.  If you have a strong
password policy, the net result of using it is that it makes your logs
smaller, and maybe saves some CPU cycles or from DoS for really intense
bouts, but otherwise, does not add to security as good passwords make
BFD infeasible.

*However*, if the attacker knows the approximate password (e.g.
shoulder surfing), this may help, but eventually, the password will
succumb to a patient diligent attack.

What the OP is considering is if the password is divulged e.g.  phishing
attack or snarfed from another source.  In this case, an intruder's
authentication will succeed immediately.  If a monitor spots someone
authenticating from another continent than where the owner is supposed
to be, or from 2 locations thousands of miles apart, or from 5 different
locations simultaneously, or tried to send a huge number of messages with
many bounces, or was using a different mail client than the one historically
used, it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful,
regardless of circumstances.  However, it should be done out of band,
if the assumption is someone else has control of the account.

Joseph Tam <jtam.home at gmail.com>
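The heuristics described in the message above (a login from another continent shortly after a login at home, or several distinct origins in a short window) can be checked straight from Dovecot's imap-login records. The following is an added example, not code from the original post or from the Dovecot project. It assumes the standard `imap-login: Login: user=<...>, ..., rip=...` line format, uses constructed sample log lines with documentation IP ranges, and replaces a real GeoIP database with a small hard-coded lookup table; the 900 km/h threshold (roughly airliner speed) and the 3-origins-per-hour threshold are assumptions to tune locally.

```python
import math
import re
from datetime import datetime, timedelta

# Constructed sample Dovecot imap-login lines (syslog timestamps carry no year;
# the year is supplied at parse time). Not real traffic.
SAMPLE_LOG = """\
Dec 21 08:00:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=1001, TLS, session=<s1>
Dec 21 08:45:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=1002, TLS, session=<s2>
Dec 21 09:10:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.1, mpid=1003, TLS, session=<s3>
Dec 21 09:12:44 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=1004, TLS, session=<s4>
Dec 21 19:30:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, mpid=1005, TLS, session=<s5>
Dec 21 10:00:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.40, lip=192.0.2.1, mpid=1006, TLS, session=<s6>
Dec 21 10:03:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.1, mpid=1007, TLS, session=<s7>
Dec 21 10:05:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.1, mpid=1008, TLS, session=<s8>
"""

# Stand-in for a GeoIP lookup: ip -> (latitude, longitude, label).
# Assumed values for the example; a real deployment would query a GeoIP database.
GEO = {
    "203.0.113.5": (49.28, -123.12, "Vancouver"),
    "203.0.113.9": (49.28, -123.12, "Vancouver"),
    "198.51.100.77": (37.57, 126.98, "Seoul"),
    "198.51.100.20": (37.57, 126.98, "Seoul"),
}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_logins(text, year=2017):
    """Return a list of (timestamp, user, remote_ip) for successful imap-login lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a successful IMAP login record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["rip"]))
    return events


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    radius = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(h))


def impossible_travel(events, geo=GEO, max_kmh=900.0):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.

    Returns a list of (user, from_label, to_label, speed_kmh). Origins with no
    geo data are skipped rather than guessed.
    """
    alerts = []
    last = {}  # user -> (timestamp, remote_ip) of the previous geolocated login
    for ts, user, rip in sorted(events):
        if rip not in geo:
            continue
        if user in last:
            prev_ts, prev_rip = last[user]
            if prev_rip != rip:
                km = haversine_km(geo[prev_rip][:2], geo[rip][:2])
                hours = max((ts - prev_ts).total_seconds() / 3600.0, 1e-9)
                speed = km / hours
                if speed > max_kmh:
                    alerts.append((user, geo[prev_rip][2], geo[rip][2], round(speed)))
        last[user] = (ts, rip)
    return alerts


def many_origins(events, window=timedelta(hours=1), threshold=3):
    """Flag users seen from at least `threshold` distinct client IPs within any window.

    Returns {user: max_distinct_ips}. Works without geo data, so it also covers
    origins the GeoIP lookup cannot place.
    """
    by_user = {}
    for ts, user, rip in sorted(events):
        by_user.setdefault(user, []).append((ts, rip))
    alerts = {}
    for user, seq in by_user.items():
        for i, (t0, _) in enumerate(seq):
            ips = {rip for ts, rip in seq[i:] if ts - t0 <= window}
            if len(ips) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(ips))
    return alerts


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOG)
    for alert in impossible_travel(evs):
        print("impossible travel:", alert)
    for user, n in many_origins(evs).items():
        print(f"many origins: {user} seen from {n} IPs within an hour")
```

Run against the sample, alice is flagged (Vancouver to Seoul in 25 minutes), bob is not (the same hop over ten hours is below the threshold), and carol is flagged by the origin-count rule even though none of her IPs are in the geo table. As the message says, an alert like this is a signal for the admin or user to investigate, and any notification to the user should go out of band.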
