HIDS 9953

From Atomicorp Wiki
Revision as of 12:54, 24 September 2014 by Mshinn (Talk | contribs)

Rule: 9953
Status: Active
Alert Message: VPOPMAIL brute force (empty password).

Description

ASL has detected multiple failed attempts to access a vpopmail user account. This generally indicates that an attacker is trying to brute force mail accounts on this system or trying to find accounts on the system to spam or send malware. This rule specifically looks for 8 failed attempts in 240 seconds.

Troubleshooting

Solutions

We do not recommend you disable this rule. You could whitelist the IP, but the best solution is to fix the invalid username and/or password for the user.

If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to brute force mail accounts or to find email addresses to spam.

False Positives

The rule itself cannot generate a false positive; it simply reports when multiple login failures occur from a single IP within the time window. If this event is not an attack, then the end user has an invalid username and/or password configured for the service. The best solution is to have the user fix their username and/or password so that it is valid.
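The description above gives the rule's logic (8 failed attempts within 240 seconds from one source IP), and the false-positive note explains that a misconfigured mail client trips it in exactly the same way as an attacker. The following is an added example, not ASL's or OSSEC's own code, that runs that sliding-window check over a constructed log. The threshold and window are the values stated on this page; the log line format (loosely modelled on syslog output from vchkpw), the year used when parsing timestamps, and the decision to clear an IP's window after an alert fires are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Threshold and window come from the rule description on this page:
# 8 failed attempts within 240 seconds from one source IP.
THRESHOLD = 8
WINDOW_SECONDS = 240

# Assumed line shape, loosely modelled on syslog output from vchkpw. The real
# format on a given system may differ, so adjust the regex to match yours.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ vchkpw-\w+: "
    r"null password given (?P<user>\S+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2014):
    """Return (timestamp, user, source_ip), or None for lines that are not
    empty-password failures. Syslog lines carry no year, so one is assumed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window frequency check per source IP.

    Returns a list of (ip, fire_time, count). After an alert fires the window
    for that IP is cleared so one burst produces one alert (an assumption about
    the real rule's behaviour, chosen so every further attempt does not re-alert).
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop events older than the window; q always holds ts itself, so q[0] exists.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts, len(q)))
            q.clear()
    return alerts


def _line(hhmmss, ip, user="alice@example.com"):
    # Constructed sample line, not taken from a real server.
    return f"Sep 24 {hhmmss} mail vchkpw-pop3: null password given {user}:{ip}"


# Constructed sample log: 203.0.113.5 sends 8 empty-password attempts 15 s apart
# (a burst the rule should catch); 198.51.100.7 is a misconfigured client retrying
# once a minute, which never reaches 8 within 240 s and should stay quiet.
SAMPLE_LOG = []
for i in range(8):
    SAMPLE_LOG.append(_line(f"10:{i // 4:02d}:{(i % 4) * 15:02d}", "203.0.113.5"))
for i in range(8):
    SAMPLE_LOG.append(_line(f"10:{i:02d}:00", "198.51.100.7", "bob@example.com"))
# An unrelated vchkpw message that the regex must ignore.
SAMPLE_LOG.append("Sep 24 10:03:30 mail vchkpw-pop3: vpopmail user not found carol@example.com:198.51.100.7")
SAMPLE_LOG.sort()  # string sort is chronological here because every line shares the same date prefix

if __name__ == "__main__":
    for ip, when, count in detect(SAMPLE_LOG):
        print(f"ALERT (rule 9953 style): {count} empty-password failures from {ip} by {when:%H:%M:%S}")
```

Running it prints a single alert for 203.0.113.5 at 10:01:45 and nothing for 198.51.100.7, which illustrates the page's point: the rule fires on the rate of failures from one address, not on who is behind them, so a stuck client that retries fast enough looks identical to a brute-force attempt and the fix is to correct the credentials rather than to disable the rule.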

Please do not report this as a false positive unless ASL is incorrectly reporting an event that is not a login failure for your mail server. To report a false positive, please follow this process:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives

Additional Information

Similar Rules

HIDS_9951

HIDS_9952

Knowledge Base Articles

None.

External Articles

None.
