
Authentication Failure in Log


49 replies to this topic

#21 Brian Hoops

Brian Hoops
  • Members
  • 8 posts

Posted 05 March 2015 - 01:12 PM

Hi Brian,

 

While the request is still slated for 7.1, it won't be December currently. We anticipate around early spring 2015 currently 

 

Matthew, so this isn't in the 7.0 update that is in early release?  We still need to wait for 7.1?  

 

Any revised timeline for implementation?



#22 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 05 March 2015 - 01:13 PM

Hi Brian,

 

Not as of this time. We're still hoping around spring, but this depends on the success of 7.0.



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#23 Brian Hoops

Brian Hoops
  • Members
  • 8 posts

Posted 05 March 2015 - 01:24 PM

Hi Brian,

 

Not as of this time. We're still hoping around spring, but this depends on the success of 7.0.

 

Thanks for the update, but technically we already are "around spring" since it begins in 15 days. Hopefully this enhancement makes it to release soon.



#24 opjose

opjose
  • Members
  • 249 posts
  • Location: Washington D.C. Area

Posted 10 March 2015 - 12:55 PM

I registered to chime in that I also get these messages in my logs. Can't we have some type of function like flood control? It already has Rate Control for incoming emails, but nothing for authentication!

 

Honey Potting the sender may be more effective.

 

It will start slowing their attempts with each subsequent retry, effectively forcing them to give up and move along as their server grinds to a halt.

 

I had an older system with this feature and it almost eliminated all false authentication attempts.

 

I've had to turn off ALL inbound e-mail relaying, even from authenticated clients, because we get hammered so badly with the Barracuda.



#25 Larry Bolhuis

Larry Bolhuis
  • Members
  • 1 posts

Posted 08 June 2015 - 03:07 PM

We opened a case with Barracuda last week and the guy we spoke with had no idea about this problem or that it was being worked on. He didn't even think Barracuda could do anything about it....

So we finally coded our own solution to this although it's not pretty. After turning it on last night (6/7/2015) we have already blocked 7,000 IPs due to failed AUTH. Of these exactly ONE was one of our customers so far. Our solution is to route syslog to a server that looks for the failed AUTH entries in the log, strips out the IPs and after three failures updates a block list in our ASA firewalls.

We were seeing waaay over 200,000 attempts per day and now see perhaps one every few minutes that makes it past the ASA Blocks. Of course three of those and they join the ASA blocks.

In 15 hours the ASA has blocked 171,771 attempts. 



#26 alexlutor

alexlutor
  • Members
  • 2 posts

Posted 15 June 2015 - 10:38 AM

I just installed v7.0.0.004 and it's there! Yay!!



#27 Brian Hoops

Brian Hoops
  • Members
  • 8 posts

Posted 16 June 2015 - 08:30 AM

We're on v7.0.0.004 (2015-03-31) and rate control for authentication failures is most certainly not included.  Just this morning we had an IP run about 100 authentication attempts in quick succession.

 

Can you confirm what version you're running?



#28 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 16 June 2015 - 10:20 AM

Hello,

 

Rate control comes in prior to authentication failures so what you're seeing is normal. 






#29 Ken Pohlman

Ken Pohlman
  • Members
  • 3 posts

Posted 20 August 2015 - 10:20 AM

Gentlemen.

 

Here we are at the end of summer 2015! But I still get hundreds of Authentication failures from the same IP range/server farm daily. Has this "Flood Control" been implemented?

 

Ken



#30 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 20 August 2015 - 10:31 AM

Hi Ken,

 

Currently this is handled by the rate control daemon that will prevent them from authenticating further until further changes in the future.






#31 Rene Radomski

Rene Radomski
  • Members
  • 1 posts

Posted 03 February 2016 - 06:42 PM

I'm running 7.1.1.003 on my Spam Filter and I still see this. Will this be addressed anytime soon?



#32 Noah Sweeting

Noah Sweeting
  • Members
  • 1 posts

Posted 03 March 2016 - 11:23 AM

Any progress on this? Seems like it has been years in the making.



#33 Jerrod Koland

Jerrod Koland
  • Members
  • 2 posts

Posted 24 March 2016 - 09:04 AM

I am also wondering when this will be implemented. I see on average 40 authentication attempts per hour all day long with some spikes up to 800. I would think with the proliferation of attacks today that this would be a little higher on the radar for Barracuda. Could we please get an update for when this might be resolved? I am sure that all admins want to be sure their systems are safe and secure and be able to go through logs with having these reports pop up throughout, especially when they are from recurring IPs.



#34 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 24 March 2016 - 11:23 AM

Hello all,

 

We appreciate your feedback on this tremendously. Higher severity concerns relating to performance and security fixes are taking priority and have pushed this back; however, we have not forgotten about this!






#35 Caleb

Caleb
  • Members
  • 11 posts

Posted 01 April 2016 - 01:42 PM

Hello all,

 

We appreciate your feedback on this tremendously. Higher severity concerns relating to performance and security fixes are taking priority and have pushed this back; however, we have not forgotten about this!

 

Matthew, what is/are the feature request numbers for this? I have seen two different ones listed? BNSF-6029 & BNSF-20369

 

Thanks!



#36 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 01 April 2016 - 03:32 PM

Thank you for noticing that Caleb,

 

I closed out BNSF-6029 as a duplicate for BNSF-6029 which has been prioritized into a future build.






#37 Mark Garner

Mark Garner
  • Members
  • 1 posts

Posted 12 May 2016 - 02:11 PM

Any updates on this topic? I have had a rash of these this past week, but they all look like they are coming from inside. I did manage to block the source IP at our firewall and that stopped it but more keep coming.

 

Below is the list from this week....

 

 




#38 Richard Jensen

Richard Jensen
  • Members
  • 2 posts

Posted 06 June 2016 - 08:29 AM

I'm a little new to managing our company's spam firewall. I noticed a lot of these authentication failures in our outbound queue. When these exploit attempts come in, is the proper action to block the originating IP address?



#39 opjose

opjose
  • Members
  • 249 posts
  • Location: Washington D.C. Area

Posted 06 June 2016 - 11:50 AM

I'm a little new to managing our company's spam firewall. I noticed a lot of these authentication failures in our outbound queue. When these exploit attempts come in, is the proper action to block the originating IP address?

 

You can do that and it helps... however you'll go crazy trying to do this to each one.

 

I look for spammers/scammers hammering our anti-spam filter. e.g. any domain reporting over 2000+ or more attempts in a day, and I will block them at our FIREWALL (not the anti-spam system) so that they see no connectivity to our anti-spam system at all.

 

This has worked well. After a few months of doing this once a week or so, the most egregious scammer/spammers have gone away for us, though I keep monitoring things via e-mailed reports from the system.
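Added example, not part of any post in this thread and not Barracuda's or any poster's code: the log-driven blocking described in post #25 (failed AUTH entries counted per IP, block after three) and the per-day threshold used in post #39, as one parameterised function. The log line format, the time window and the allow list of customer networks are assumptions made for the example, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines. The message format is an assumption for this
# example, not the appliance's documented syslog output.
SAMPLE_LOG = """\
2015-06-07T22:00:01 mailgw smtpd: unknown[203.0.113.9]: SASL LOGIN authentication failed
2015-06-07T22:00:03 mailgw smtpd: unknown[203.0.113.9]: SASL LOGIN authentication failed
2015-06-07T22:00:04 mailgw smtpd: cust.example[198.51.100.20]: SASL PLAIN authentication failed
2015-06-07T22:00:05 mailgw smtpd: unknown[203.0.113.9]: SASL LOGIN authentication failed
2015-06-07T22:00:06 mailgw smtpd: cust.example[198.51.100.20]: SASL PLAIN authentication failed
2015-06-07T22:00:07 mailgw smtpd: cust.example[198.51.100.20]: SASL PLAIN authentication failed
2015-06-07T22:01:00 mailgw smtpd: host.example[192.0.2.55]: SASL LOGIN authentication failed
2015-06-07T22:02:00 mailgw smtpd: host.example[192.0.2.55]: SASL LOGIN authentication failed
2015-06-07T22:03:00 mailgw smtpd: connect from unknown[203.0.113.9]
2015-06-08T00:30:00 mailgw smtpd: host.example[192.0.2.55]: SASL LOGIN authentication failed
"""

FAIL_RE = re.compile(
    r"^(\S+) \S+ smtpd: \S*\[([0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed")

def ips_to_block(lines, threshold=3, window=timedelta(minutes=30), allow=()):
    """Return IPs, in detection order, with `threshold` failures inside `window`.

    Lines must be in chronological order. `allow` lists networks that are
    never blocked (for example known customer ranges).
    """
    allow_nets = [ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    blocked = {}                  # ip -> time it crossed the threshold
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ts, ip = datetime.fromisoformat(m.group(1)), ip_address(m.group(2))
        except ValueError:        # malformed timestamp or address: skip the line
            continue
        if ip in blocked or any(ip in net for net in allow_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
            del recent[ip]
    return [str(ip) for ip in blocked]
```

For the weekly review in post #39, the same function applies with `threshold=2000` and `window=timedelta(days=1)`; the returned addresses are what would be fed to the firewall block list.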



#40 Richard Jensen

Richard Jensen
  • Members
  • 2 posts

Posted 08 June 2016 - 08:10 AM

Our Rate control is set for 50 per 30 minute block. This morning I have 5000 "Deferred / Rate control" from the same IP address. Maybe I'm reading the instructions wrong but I thought it would block that IP after 50 emails?