Password brute force protection on the webmail
Question asked by Charles Michel - December 17, 2016 at 2:59 AM
Answered
I can see that there are settings to protect Smartermail against a brute force attack on various protocols (smtp, imap, etc). But I do not see the webmail or activesync in the list. What is the brute force protection for either of these two interfaces?

14 Replies

Reply to Thread
1
Adding his comment just so that the question doesn't go unnoticed. I have a server under brute force attack, I would like to know that Smartermail doesn't let users try passwords indefinitely on the webmail and activesync interfaces.
1
eswanzey Replied
Marked As Answer
My understanding is that webmail's brute force protection is enabled by default via the web.config file, even though you don't see it being reported in the admin interface. You can review that file to see what limits are being imposed. You can of course alter it to your liking by editing the web.config file, though it will be overwritten on every update.
 
I'm not sure what you would expect in "protecting" activesync from some sort of brute force attack. That doesn't make sense to me because it is simply a feature addition to an account and I think that you are overthinking things on that item.
0
Thanks. The way I understand ActiveSync is that it is another protocol that happens to use https but is unrelated to the webmail (though stored in the same IIS website). So I am not assuming that whatever brute force protection applies to the webmail login form also applies to the authentication for ActiveSync. Perhaps it does but it would be nice to have confirmation from someone from Smartertools.

Do you happen to know the answer to the other question I asked on another thread: is there any way to spot failed connection attempts to the webmail? I am looking at the IIS logs but they don't seem to use http code to mark a failed attempts which means that nothing distinguishes a failed connection from a successful connection.
0
Hi Charles,

That would be the administrative log in SmarterMail "View Logs", select it from the pull down and hit search.

-dave
0
Found it. And if someone else is looking for it, it seems to be saved here: C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data\Logs

Thanks!
0
Though the administrative logs seems to only cover the webmail, not ActiveSync. I attempted to set up an ActiveSync account on my iphone with the right server but wrong credentials, and I do not see anything appearing in the Administrative log nor the ActiveSync log. I do see a 401 error in the IIS log for /Microsoft-Server-ActiveSync but it doesn't specify the login. But it will be good enough to monitor password brute force attempts.
0
Charles,

Yep, I noticed that too, I cannot find any failures being logged for ActiveSync, I have some support tickets expiring at year end, so I might use one up on making sure this gets fixed.

In the past we had to view those logs directly on the server, as of a few versions back we can now view them in the admin webmail itself, which was a nice addition! It used to only show the ones in the mail SmarterMail folder where the mail itself was stored, not the program files older.

Thanks!
-dave
0
Actually thinking about it, any webservice requires authentication and is potentially an attack vector to verify a login/password combination.

I have work to do checking these logs!
3
David Fisher Replied
Just wanted to update people following this thread, I have opened a ticket up with SmarterTools support, and verified with support that this is something that is not being logged.  The support rep will be meeting with the development team to find out why it is not being logged.
 
Will update you when I find more information out.
 
Thanks,
-dave
0
Assin Ontivi Replied
Thanks for calling this to their attention!!!!!
2
David Fisher Replied
Hi All,
 
  Here is an update, support got back to me this morning, after meeting with the developers.  They said this would be a "feature request", and not a bug, so they will file it with them to eventually add this type of logging into SmarterMail at a future date.
 
  Guess lack of logging is not considered a bug.  Just a security issue, but not a bug :)
 
-dave
 
0
I agree with you. I reported a similar issue and found them quite unconcerned about it.
0
David Fisher Replied
Hi,

I did hear back from SmarterTools Support this morning, they actually said they will address this issue and have it included in the next release of SmarterMail.

So that is cool!

-dave
1
Joe Dellaragione Replied
Have there been any updates on this? I am up to date on my SM install and I set all my BF settings to 5 attempts in 60 minutes and tried the wrong password 10 times via Activeasync and no accounts got locked and no notifications. 

Reply to Thread