Local customer caught in IDS Block three times
Question asked by Montague WebWorks - 11/10/2022 at 8:50 AM
I have a local customer with 15 users and yesterday they started getting caught in my IDS Blocks. I freed them up, and a couple hours later they got caught again. I freed them up again and this morning they got caught again. I'm not going to free them up again until I figure out what's going on. This is a first-time occurrence for them, and I've been hosting them for over a decade.

"The IDS rule, Default POP DoS, has been triggered by 50.79.171.81. Detection Type: DenialOfService"

I've looked through the logs and there's nothing in the POP log. It's essentially empty. I was hoping to find IP numbers of POP clients, logins, etc., so I could see which specific machine in their office had gone rogue.

I've looked through all the reports, and while there are some excellent charts showing that there has been an uptick in IDS blocks in the past two days, as well as POP sessions, there is no further, deeper info to help figure out the specific issue. Unless I'm just not seeing it.

We really could use some improved log analytics so stuff like this isn't unattainable.

Thanks for any help.
Mik Muller, Montague WebWorks

4 Replies

Tony Scholz Replied
Employee Post
Hello Mik, 

The first thing we will want to do is to make sure that the POP logs are set to detailed. If they are set to exceptions only, they would not show this information.

Manage -> Troubleshooting -> Options [tab]

Here you can find the POP log and set it to detailed (save). Now you should be getting some details on login attempts, emails pulled down, the entire POP session.

There is one other place you can look for now that will have less detail. You can search the Administrative logs for the IP address. This will show all login and connection attempts from that IP (make sure this log is also set to detailed; if not, adjust it and wait for the issue to recur).

EDIT: We are currently reviewing and reworking the logging around this as well. 

Hope this helps to start your review. 

Thank you 
Tony
Tony Scholz System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
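Once the POP log is on detailed, the thing to pull out of it is which account behind the office's single NAT address is hammering the server. The script below is an added example (not SmarterMail code or its real log format): it assumes a constructed line layout of `timestamp [ip] USER account`, slides a time window over the login attempts per (IP, account) pair, and reports the pairs whose peak count reaches a threshold, which is the same idea the IDS rule applies per IP.

```python
"""Find the POP account behind an IDS 'POP DoS' trigger from detailed logs.

Added example, not SmarterMail's code. LINE_RE matches a constructed
stand-in format; adjust it to the real POP log layout before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<ip>[\d.]+)\] USER (?P<user>\S+)$"
)

# Constructed sample log (TEST-NET address, made-up accounts): one healthy
# client checking mail every 15 minutes, one misconfigured client retrying
# every 30 seconds. Non-USER lines are present to show they are skipped.
SAMPLE_LOG = """\
2022-11-10 08:00:01 [203.0.113.5] connected
2022-11-10 08:00:01 [203.0.113.5] USER alice@example.test
2022-11-10 08:00:05 [203.0.113.5] USER scanner@example.test
2022-11-10 08:00:35 [203.0.113.5] USER scanner@example.test
2022-11-10 08:01:05 [203.0.113.5] USER scanner@example.test
2022-11-10 08:01:35 [203.0.113.5] USER scanner@example.test
2022-11-10 08:02:05 [203.0.113.5] USER scanner@example.test
2022-11-10 08:02:35 [203.0.113.5] USER scanner@example.test
2022-11-10 08:15:01 [203.0.113.5] USER alice@example.test
2022-11-10 08:30:01 [203.0.113.5] USER alice@example.test
"""

def parse_logins(text):
    """Yield (timestamp, ip, user) for each USER line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def peak_attempts(text, window=timedelta(minutes=10)):
    """Return {(ip, user): largest number of login attempts inside any window}.

    Sliding window per key: append each attempt, drop those older than
    `window`, record the longest queue seen. Grouping by account is what
    separates one noisy client from coworkers sharing the same NAT IP.
    """
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip, user in sorted(parse_logins(text)):
        q = recent[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[(ip, user)] = max(peak[(ip, user)], len(q))
    return dict(peak)

def offenders(text, threshold, window=timedelta(minutes=10)):
    """(ip, user) pairs whose peak attempt count reaches `threshold`."""
    return sorted(k for k, n in peak_attempts(text, window).items() if n >= threshold)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, threshold=5))
```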
Montague WebWorks Replied
Ah! Thanks. I was trying to figure out where the logging was set. I'll open the gates again and see what transpires. 

BTW, looking at the Administrative logs, what does 'calling patch message' mean?
Montague WebWorks Replied
Found one user's machine was attempting SMTP every seven minutes, even overnight.
Tony Scholz Replied
Employee Post
"Calling Patch Message" means that something about that message was changed and we are saving the change that was made (replied, moved, etc.).