On 12/7/23 16:22, Hengga KMN wrote:
After checking the smtp-in log (the full log is in the email attachment; I extracted the lines containing " [email protected]"), I reached the following conclusions from the log at the time of the incident, summarised briefly below:
Wed 2023-12-06 23:24:13.798: Accepting SMTP connection from 66.96.225.135:58322 to 172.16.24.23:465
Wed 2023-12-06 23:25:06.902: Accepting SMTP connection from 66.96.225.92:58363 to 172.16.24.23:465
Wed 2023-12-06 23:26:58.500: Accepting SMTP connection from 66.96.225.94:58421 to 172.16.24.23:465
Wed 2023-12-06 23:32:32.027: Accepting SMTP connection from 66.96.225.155:58646 to 172.16.24.23:465
Wed 2023-12-06 23:37:06.702: Accepting SMTP connection from 66.96.225.69:58839 to 172.16.24.23:465
Wed 2023-12-06 23:37:26.062: Accepting SMTP connection from 66.96.225.179:58848 to 172.16.24.23:465
Wed 2023-12-06 23:37:26.604: --> 550 5.7.0 Too many devices in too short a time frame
Wed 2023-12-06 23:37:26.605: Hijack detection has frozen [email protected] account (too many devices in too short time)
Wed 2023-12-06 23:37:26.607: SMTP session terminated (Bytes in/out: 993/1261)
Wed 2023-12-06 23:55:58.895: Accepting SMTP connection from 66.96.225.186:59457 to 172.16.24.23:465
Every connection from the user always showed a different IP, so hijack protection concluded that more than 5 devices were trying to access the same account within 30 minutes.
It is also strange that the user's connections always showed a different IP, even though it was the same connection at times not far apart. Possibly the connection went through the broadband provider's (myrepublic) smtp-proxy.
I tested using a myrepublic connection at home; my IP did not change, which means it bypasses the provider's smtp-proxy.
Which email client does the user [email protected] use?
Can the outgoing SMTP be changed to port 587/TLS instead of port 465/SSL?
Is there any recommended hijack detection configuration that should be used?
You can disable "Limit access to [xx] connections from differing IPs in [xx] minutes"
http://mdaemon.dutaint.co.id/mdaemon/23.5/security--hijack_detection.html
[ ] Limit access to [xx] connections from differing IPs in [xx] minutes
Use this option to limit the number of connections from different IP
addresses allowed within the specified number of minutes. For example,
in normal circumstances if your account is accessed from ten different
IP addresses within just a few minutes, it is likely the account has
been hijacked. This option is disabled by default.
and, optionally, change this in Dynamic Screening.
http://mdaemon.dutaint.co.id/mdaemon/23.5/dynamic-screening_auth-failure-tracking.html
enable the following option
[x] Ignore authentication attempts using identical passwords
This option applies to the IP Address Blocking Options and to the
Account Freezing Options below. By default, when an authentication
attempt fails, subsequent authentication attempts will be ignored when
using the same password. They will not count against the number of
failures allowed before blocking the IP address or freezing the account.
Multiple attempts using the same, incorrect password typically occur
when, for example, the user's email password has changed or expired and
their client is automatically attempting to log in using the old one.
and disable
[ ] Freeze accounts that fail authentication [xx] times within [xx]
[Minutes | Hours | Days]
--
syafril
--------
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 23.5.1
Please do not cc: or send private mail for MDaemon issues.
Never give up on anything.
If you fail, try, try and try again.
You are learning the best ways of doing things.
--- Lailah Gifty Akita
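An added example, not from the thread and not MDaemon's own code, that replays the "connections from differing IPs" rule on the log lines quoted above: a sliding-window count of distinct source addresses using the thread's threshold (more than 5 in 30 minutes), and the same count with each source collapsed to its /24, which shows why a provider proxy pool rotating through one network trips the per-IP rule. The log sample is constructed from the lines above; the function names and the /24 grouping are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the smtp-in lines quoted above (one line per connection).
SAMPLE_LOG = """\
Wed 2023-12-06 23:24:13.798: Accepting SMTP connection from 66.96.225.135:58322 to 172.16.24.23:465
Wed 2023-12-06 23:25:06.902: Accepting SMTP connection from 66.96.225.92:58363 to 172.16.24.23:465
Wed 2023-12-06 23:26:58.500: Accepting SMTP connection from 66.96.225.94:58421 to 172.16.24.23:465
Wed 2023-12-06 23:32:32.027: Accepting SMTP connection from 66.96.225.155:58646 to 172.16.24.23:465
Wed 2023-12-06 23:37:06.702: Accepting SMTP connection from 66.96.225.69:58839 to 172.16.24.23:465
Wed 2023-12-06 23:37:26.062: Accepting SMTP connection from 66.96.225.179:58848 to 172.16.24.23:465
Wed 2023-12-06 23:55:58.895: Accepting SMTP connection from 66.96.225.186:59457 to 172.16.24.23:465
"""

# Day name, "YYYY-MM-DD HH:MM:SS.mmm", then the source address before its ":port".
LINE_RE = re.compile(r"^\w{3} (\S+ \S+): Accepting SMTP connection from (\S+):\d+ to ")


def parse_connections(text):
    """Return a time-sorted list of (timestamp, source_ip) for every accepted connection."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            conns.append((ts, ip_address(m.group(2))))
    return sorted(conns)


def first_trip(conns, limit=5, window=timedelta(minutes=30), prefix=32):
    """Sliding-window count of distinct sources, modelled on the 'connections from
    differing IPs' rule (this is an illustration, not MDaemon's implementation):
    return the timestamp at which more than `limit` distinct sources have been seen
    within `window`, or None if the rule never fires. `prefix` decides what counts as
    one source: 32 compares single IPv4 addresses, 24 collapses a /24 into one source."""
    for i, (ts, _) in enumerate(conns):
        recent = [ip for t, ip in conns[: i + 1] if ts - t <= window]
        sources = {ip_network(f"{ip}/{prefix}", strict=False) for ip in recent}
        if len(sources) > limit:
            return ts
    return None


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    print("per-IP rule fires at:", first_trip(conns))  # 2023-12-06 23:37:26.062000
    print("per-/24 rule fires at:", first_trip(conns, prefix=24))  # None: all seven sit in 66.96.225.0/24
```

The per-IP run fires on the sixth connection at 23:37:26.062, matching the 550 and the account freeze logged at 23:37:26.6 above, while the /24 view sees a single source for the whole window.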
--
--[mdaemon-l]----------------------------------------------------------
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.com
Subscribe: send mail to [email protected]
Unsubscribe: send mail to [email protected]
Latest versions: MDaemon 23.5.1, SecurityGateway 9.5.1