option to show failed passwords in the log
I have v13.6.2.
When a user tries to log in with an incorrect password the log just shows **** for the password.
In my case this is most commonly due to brute force attack and not due to legitimate users trying to log on.
Is there any way to get the log to show the password attempts as it did in earlier versions, so that I can ***** the effectiveness of the attack.
Previously they would be simple dictionary attacks for generic user names, but now come as a few attempts from Russia and Ukraine from various IPs and targeted at real user names. I need to know if the attempted passwords are close to our current password policy.
Failing this, I would suggest a new strategy: as the attacker switches IP when they are locked out (probably the task is passed on to the next member of a botnet), if I could block the IP but not tell the attacker that they were blocked (simply reply wrong password), then they would exhaust their attack thinking that all passwords had failed, even if they do hit the right password. A genuine user would not attempt more than 10 passwords before giving up and contacting support.
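The silent lockout proposed in the post above, as an added Python example that is not part of the original post and is not MDaemon code. The class name, the reply strings, the one-hour block duration and the in-memory demo credentials are assumptions; only the 10-attempt threshold comes from the post.

```python
import hmac
import time

MAX_FAILURES = 10      # threshold from the post ("10 passwords")
BLOCK_SECONDS = 3600   # assumed block duration


class SilentLockout:
    """Per-IP lockout that answers a blocked client exactly like a wrong password."""

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials  # username -> password (constructed demo data)
        self._clock = clock
        self._failures = {}              # ip -> failures since last success
        self._blocked_until = {}         # ip -> time the block expires
        self.audit = []                  # server-side record; never holds the password

    def _is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:       # block expired: forget the history
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def login(self, ip, username, password):
        """Return the reply sent to the client: 'OK' or 'AUTH FAILED'."""
        expected = self._credentials.get(username, "")
        valid = username in self._credentials and hmac.compare_digest(
            expected.encode(), password.encode())
        if self._is_blocked(ip):
            # Identical reply to a wrong password. A blocked attempt with
            # valid=True means the password is known to the attacker.
            self.audit.append((ip, username, "blocked", valid))
            return "AUTH FAILED"
        if valid:
            self._failures.pop(ip, None)
            self.audit.append((ip, username, "ok", True))
            return "OK"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= MAX_FAILURES:
            self._blocked_until[ip] = self._clock() + BLOCK_SECONDS
        self.audit.append((ip, username, "failed", False))
        return "AUTH FAILED"
```

The audit entry for a blocked attempt records whether the guess would have succeeded, which tells the administrator that an account's password needs resetting without ever writing the attempted password to the log.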
Hello Matt,
Unfortunately without additional information we will not be able to consider your request for future versions of MDaemon.
Thanks,
Arron
-
Verner commented
Using a different username will improve the security a lot.
Pls. consider adding a username dialog to the account settings.
-
Chris commented
How is the above request by Matt not giving enough information? +1 this is an excellent feature request. Allowing to specify a mailbox username rather than using the email address would also help.