Password brute force protection on the webmail
Question asked by Charles Michel - 12/17/2016 at 2:59 AM
Answered
I can see that there are settings to protect Smartermail against a brute force attack on various protocols (smtp, imap, etc). But I do not see the webmail or activesync in the list. What is the brute force protection for either of these two interfaces?

14 Replies

Charles Michel Replied
Adding this comment just so that the question doesn't go unnoticed. I have a server under brute force attack, I would like to know that Smartermail doesn't let users try passwords indefinitely on the webmail and activesync interfaces.
eswanzey Replied
Marked As Answer
My understanding is that webmail's brute force protection is enabled by default via the web.config file, even though you don't see it being reported in the admin interface. You can review that file to see what limits are being imposed. You can of course alter it to your liking by editing the web.config file, though it will be overwritten on every update.
 
I'm not sure what you would expect in "protecting" activesync from some sort of brute force attack. That doesn't make sense to me because it is simply a feature addition to an account and I think that you are overthinking things on that item.
Charles Michel Replied
Thanks. The way I understand ActiveSync is that it is another protocol that happens to use https but is unrelated to the webmail (though stored in the same IIS website). So I am not assuming that whatever brute force protection applies to the webmail login form also applies to the authentication for ActiveSync. Perhaps it does but it would be nice to have confirmation from someone from Smartertools.

Do you happen to know the answer to the other question I asked on another thread: is there any way to spot failed connection attempts to the webmail? I am looking at the IIS logs but they don't seem to use an HTTP code to mark failed attempts, which means that nothing distinguishes a failed connection from a successful connection.
David Fisher Replied
Hi Charles,

That would be the administrative log in SmarterMail "View Logs", select it from the pull down and hit search.

-dave
Charles Michel Replied
Found it. And if someone else is looking for it, it seems to be saved here: C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data\Logs

Thanks!
Charles Michel Replied
Though the administrative log seems to only cover the webmail, not ActiveSync. I attempted to set up an ActiveSync account on my iPhone with the right server but wrong credentials, and I do not see anything appearing in the Administrative log nor the ActiveSync log. I do see a 401 error in the IIS log for /Microsoft-Server-ActiveSync but it doesn't specify the login. But it will be good enough to monitor password brute force attempts.
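Since the IIS log is the only place the failed ActiveSync attempts show up, here is an added example (not from this thread or from SmarterTools) of how a defender could watch it: it parses IIS W3C log lines and flags any client IP that produces a threshold of 401 responses on /Microsoft-Server-ActiveSync within a sliding time window. The log excerpt is constructed sample data; the field layout is IIS's default W3C set, and the webmail path, user agents and sub-status values are assumptions.

```python
"""Count repeated 401s on the ActiveSync endpoint per client IP in an IIS log.

Added example for this thread; not SmarterTools code. The sample log below is
constructed, not captured from a real server.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"

# Constructed IIS W3C excerpt. Note cs-username is "-" on the failures, which
# matches the observation above that the log does not say which login was tried.
# Sub-status and time-taken values are made up; /Default.aspx is an assumed
# webmail path used only to show that other URLs are ignored.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-17 02:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-12-17 02:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 15
2016-12-17 02:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 12
2016-12-17 02:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 11
2016-12-17 02:00:07 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 14
2016-12-17 02:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 13
2016-12-17 02:00:11 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 203.0.113.10 Apple-iPhone/1402.72 401 1 0 12
2016-12-17 02:00:15 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 30
2016-12-17 02:00:20 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=bob 443 bob 198.51.100.7 Apple-iPhone/1402.72 200 0 0 40
2016-12-17 02:01:00 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 198.51.100.7 Apple-iPhone/1402.72 401 1 0 9
2016-12-17 02:02:00 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 198.51.100.7 Apple-iPhone/1402.72 401 1 0 9
2016-12-17 02:00:30 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 192.0.2.33 Android-Mail/1.0 401 1 0 10
2016-12-17 02:30:30 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 192.0.2.33 Android-Mail/1.0 401 1 0 10
2016-12-17 03:00:30 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 192.0.2.33 Android-Mail/1.0 401 1 0 10
2016-12-17 03:30:30 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 192.0.2.33 Android-Mail/1.0 401 1 0 10
2016-12-17 04:00:30 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 192.0.2.33 Android-Mail/1.0 401 1 0 10
"""


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.

    W3C format separates fields with a single space and encodes spaces inside
    a value as '+', so a plain split() is safe. Malformed lines are skipped.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if line.startswith("#"):
            continue                       # #Software, #Version, #Date, ...
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated line: skip rather than guess
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_activesync_bruteforce(text, threshold=5, window=timedelta(minutes=60)):
    """Return {client_ip: peak 401 count seen inside `window`} for every IP that
    reached `threshold` 401 responses on the ActiveSync path within `window`.

    Per-IP timestamps are kept in a deque that is trimmed to the window each
    time a new failure arrives (sliding window, not fixed buckets).
    """
    recent = defaultdict(deque)
    offenders = {}
    for rec in sorted(parse_iis_log(text), key=lambda r: r["ts"]):
        if rec["cs-uri-stem"].lower() != ACTIVESYNC_PATH.lower():
            continue                       # webmail and other URLs are out of scope here
        if rec["sc-status"] != "401":
            continue
        ip = rec["c-ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while q and q[0] < rec["ts"] - window:
            q.popleft()                    # drop failures older than the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, peak in find_activesync_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} ActiveSync 401s within 60 minutes")
```

Run it over the real log directory (the path given earlier in this thread) by reading the daily files in order and concatenating them. Keep the threshold above 1: a client that authenticates with HTTP Basic normally receives one 401 challenge before it sends credentials, so a single 401 from an IP is not evidence of a wrong password. With the default 5-in-60-minutes setting, only 203.0.113.10 in the sample is flagged; 192.0.2.33 fails once every 30 minutes and never reaches five inside any one-hour window.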
David Fisher Replied
Charles,

Yep, I noticed that too, I cannot find any failures being logged for ActiveSync, I have some support tickets expiring at year end, so I might use one up on making sure this gets fixed.

In the past we had to view those logs directly on the server, as of a few versions back we can now view them in the admin webmail itself, which was a nice addition! It used to only show the ones in the main SmarterMail folder where the mail itself was stored, not the program files folder.

Thanks!
-dave
Charles Michel Replied
Actually thinking about it, any webservice requires authentication and is potentially an attack vector to verify a login/password combination.

I have work to do checking these logs!
David Fisher Replied
Just wanted to update people following this thread, I have opened a ticket up with SmarterTools support, and verified with support that this is something that is not being logged. The support rep will be meeting with the development team to find out why it is not being logged.
 
Will update you when I find more information out.
 
Thanks,
-dave
Assin Ontivi Replied
Thanks for calling this to their attention!!!!!
David Fisher Replied
Hi All,
 
Here is an update, support got back to me this morning, after meeting with the developers. They said this would be a "feature request", and not a bug, so they will file it with them to eventually add this type of logging into SmarterMail at a future date.
 
Guess lack of logging is not considered a bug. Just a security issue, but not a bug :)
 
-dave
Charles Michel Replied
I agree with you. I reported a similar issue and found them quite unconcerned about it.
David Fisher Replied
Hi,

I did hear back from SmarterTools Support this morning, they actually said they will address this issue and have it included in the next release of SmarterMail.

So that is cool!

-dave
Joe Dellaragione Replied
Have there been any updates on this? I am up to date on my SM install and I set all my BF settings to 5 attempts in 60 minutes and tried the wrong password 10 times via ActiveSync and no accounts got locked and no notifications.
