Accounts Locked Out

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Accounts Locked Out

Postby mito » Mon Apr 23, 2007 12:05 pm

Greetings,

I'm having a problem where random accounts are being locked out on a daily basis. At first I thought people were just being stupid all at the same time, but now I've ruled out that possibility. Among the list of people who are locked out are users that don't have a person that checks them, either because the account is there for the ability to send mail only, the person has all mail redirected to another account, and some even where the person doesn't even know that they have an email address yet (a newly hired employee had his account locked out before he even knew he had been hired).

These have been found by literally going through and checking each account to see if they are locked out or not. Something, as you can imagine, that is very time consuming... but it has had to be done daily for the last two weeks so that people can get into their email properly.

My thought was that maybe when they login they were having problems and the website automatically retried the login, but then I realized that even if that happened once, it wouldn't happen 5 times (which my login failure count is 5 before being locked out). Then there are the accounts that don't have a person to login to them in the first place that have been locked out...

My next thought was that maybe it's someone trying to guess usernames and passwords, which I was starting to think was a real possibility, until there was the person who never even knew he had an account, therefore no mail had ever been sent out or received. The hacker would have had to guess his username to be able to try it, which wouldn't have been guessable as his last name is very not-normal.

The number of accounts seems to be going down slightly, but I'm not sure if that has any meaning... The first week there were about 10 accounts daily, last week 9 accounts daily, and today 8 accounts locked out.

So.. has anyone had any problems like this, or any ideas on where I should look to be able to find a reason as to why these accounts are being locked?

Also, due to my problems of not being able to get into the SAC reliably, this gets extra-annoying because if someone reports that their account is locked out, I either have to restart the scalix-tomcat service which kicks everyone out of their webmail, or I have to wait until morning (I added restarting the service to the nightly maintenance cycle), neither of which is acceptable, especially when the request comes in at 10am or so!

Thanks for your thoughts!
Mito

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Postby grahamk » Mon Apr 23, 2007 10:13 pm

I have no idea why this might be happening, but something which should help you is:

ommodu username -k

This command will unlock an account from the CLI.

grahamk
Posts: 134
Joined: Fri Mar 02, 2007 4:53 am

Postby grahamk » Mon Apr 23, 2007 10:48 pm

also, use this command to show all accounts which are currently locked:

omshowu -m mailnode -l

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 3:27 am

Anyone have any ideas as to what could be going on here?

It's still going on, one day I had as many as 17 users locked.

Does anyone know if there is a log that shows why the account became locked and when?

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Wed May 09, 2007 9:10 am

use omconfaud to set the audit logging level....maybe "omconfaud rci 9"

That will log signins (successful or failure), signouts and duration. That should give a clue as to when the accounts were locked out.

If successful signin, audit will report

signon-status 0

if bad password, audit will report

signon-status 655

Look in ~/sys/audit.cfg to see location of audit log (user-agent signon and signoff records).

Also check the number of invalid attempts before lockout (omshowpwd).

Mick

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 9:22 am

mikethebike wrote:use omconfaud to set the audit logging level....maybe "omconfaud rci 9"

That will log signins (successful or failure), signouts and duration. That should give a clue as to when the accounts were locked out.

If successful signin, audit will report

signon-status 0

if bad password, audit will report

signon-status 655

Look in ~/sys/audit.cfg to see location of audit log (user-agent signon and signoff records).

Also check the number of invalid attempts before lockout (omshowpwd).

Mick


Thanks for the info! I updated the audit level (after I ran the command I realized I should have asked it what its current level was first though) and then checked the cfg file for the log location. I checked the log and it's empty, even though I had just logged out and back in while it should have been logging it. I'm guessing that I need to restart the services for this to take effect?

If so, I'll have to wait to be able to restart it. Also, any idea what the default audit level is?

Thanks again!

Oh, and the password attempts was set as I expected, at 5 invalid attempts.

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Wed May 09, 2007 9:36 am

It should start logging right away, no need to stop/start the service.
I think the default is usually 5.

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 9:42 am

mikethebike wrote:It should start logging right away, no need to stop/start the service.
I think the default is usually 5.


Now after checking the log again, others have been logged. Maybe the service just hadn't noticed I made the change yet? I logged in within a minute of my changing the level.

Sounds good now though, I'll just have to wait and see what's going on! I honestly don't think that it's a legitimate lockout from invalid attempts, but I am very happy to watch and check that.

Thanks again!

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Wed May 09, 2007 9:52 am

Maybe the user leaves their PC logged in with some automatic email logins? You should get an idea...hopefully :wink:

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 9:54 am

Actually, it looks like something a little weird is going on.

I noticed that there is only one login and logoff in the log so far, so I decided to logout and in again, so I did, and it didn't log it. I thought that maybe it's just because I'm an admin or something, so I logged in as a different user, and that didn't get logged either. So then I purposefully tried to login with a bogus username, and then a valid username with a bogus password. None of these are logged in the audit?

The one entry that is in the audit is a scalix connect login, and I'm testing this all with the webmail...

Here is this portion of my audit.cfg file:

# user-agent signon
%  3 user-signon            ~/logs/audit
 1 time                     1
10 user-agent-id            7
20 user                     1
22 designate-user           1
23 delegate-user            1
24 mboxadmin-authenticator  1
25 client-type              9
30 signon-status            1
35 referral-host            1
40 client-ip                            1

# user-agent signoff
%  4 user-signoff           ~/logs/audit
 1 time                     1
10 user                     1
12 designate-user           1
20 duration                 7
30 signoff-status           5

Thanks again!
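The following is an added example, not code from this thread or from Scalix. It ties together Mick's point about signon-status (0 for a successful sign-in, 655 for a bad password) and the audit.cfg fragment posted above: it reads the user-signon (%3) and user-signoff (%4) field layouts from the config text, applies them to audit records, and tallies bad-password sign-ons per user together with the client IPs they came from, flagging anyone who has reached the 5-attempt lockout threshold. The on-disk record format is an assumption: this code treats each record as one tab-separated line with the record-type number first and the fields in the order audit.cfg lists them, and the sample records are constructed for the demo.

```python
"""Added example (not from the Scalix thread): audit-layout parser plus a
per-user count of bad-password sign-ons. Record format is ASSUMED: one
tab-separated line per record, record-type number first, then the fields in
audit.cfg order. Sample records below are constructed."""
from collections import defaultdict

SIGNON_BADPW = "655"    # signon-status for a bad password (from the thread)
LOCKOUT_THRESHOLD = 5   # invalid attempts before lockout (omshowpwd, per thread)

# The audit.cfg fragment as posted in the thread.
AUDIT_CFG = """\
# user-agent signon
%  3 user-signon            ~/logs/audit
 1 time                     1
10 user-agent-id            7
20 user                     1
22 designate-user           1
23 delegate-user            1
24 mboxadmin-authenticator  1
25 client-type              9
30 signon-status            1
35 referral-host            1
40 client-ip                1

# user-agent signoff
%  4 user-signoff           ~/logs/audit
 1 time                     1
10 user                     1
12 designate-user           1
20 duration                 7
30 signoff-status           5
"""


def parse_audit_cfg(text):
    """Return {record_type: {"name", "path", "fields"}} from audit.cfg text.
    A '%' line opens a record type; the lines under it list its fields
    (field number, field name, type code) in output order."""
    layouts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            _, num, name, path = line.split(None, 3)
            current = layouts[int(num)] = {"name": name, "path": path, "fields": []}
        elif current is not None:
            _num, fname, _ftype = line.split()
            current["fields"].append(fname)
    return layouts


def parse_records(lines, layouts):
    """Map tab-separated audit records onto field names from their layout."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        layout = layouts.get(int(parts[0]))
        if layout is None:
            continue  # unknown record type: skip rather than guess
        rec = dict(zip(layout["fields"], parts[1:]))
        rec["record"] = layout["name"]
        records.append(rec)
    return records


def failed_signons(records):
    """Per user: number of bad-password sign-ons and the client IPs involved.
    One IP behind all failures points at a stuck client; many IPs at guessing."""
    counts, sources = defaultdict(int), defaultdict(set)
    for rec in records:
        if rec["record"] == "user-signon" and rec["signon-status"] == SIGNON_BADPW:
            counts[rec["user"]] += 1
            sources[rec["user"]].add(rec["client-ip"])
    return {u: {"failures": counts[u], "client_ips": sorted(sources[u])} for u in counts}


def lockout_candidates(records, threshold=LOCKOUT_THRESHOLD):
    """Users whose bad-password count has reached the lockout threshold."""
    return sorted(u for u, s in failed_signons(records).items() if s["failures"] >= threshold)


def _rec(*fields):
    return "\t".join(fields)


# Constructed sample audit records (not real Scalix output).
SAMPLE_LOG = [
    _rec("3", "2007-05-09 09:20:11", "UAL", "mito", "", "", "", "webmail", "0", "", "10.0.0.5"),
    _rec("4", "2007-05-09 09:21:40", "mito", "", "89", "0"),
] + [
    _rec("3", f"2007-05-09 02:13:{s:02d}", "UAL", "jsmith", "", "", "", "webmail", "655", "", "10.0.0.77")
    for s in (2, 9, 15, 22, 31)
] + [
    _rec("3", "2007-05-09 08:02:10", "UAL", "bjones", "", "", "", "webmail", "655", "", "10.0.0.12"),
    _rec("3", "2007-05-09 08:02:30", "UAL", "bjones", "", "", "", "webmail", "0", "", "10.0.0.12"),
]

if __name__ == "__main__":
    layouts = parse_audit_cfg(AUDIT_CFG)
    recs = parse_records(SAMPLE_LOG, layouts)
    for user, s in sorted(failed_signons(recs).items()):
        print(f"{user}: {s['failures']} bad-password sign-ons from {', '.join(s['client_ips'])}")
    print("at lockout threshold:", lockout_candidates(recs))
```

Run against the real audit file named in audit.cfg once its line format has been confirmed; the client-ip column is what separates one user's stale mail client retrying an old password from attempts spread across many addresses.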

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 9:57 am

mikethebike wrote:Maybe the user leaves their PC logged in with some automatic email logins? You should get an idea...hopefully :wink:


If it were one user that would make sense, but it's always different users, and sometimes it's addresses that don't even have users (an email address created only for the purposes of being able to send email from an address, etc).

Back to the log, should I try to raise the audit level, to 10 maybe?

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Wed May 09, 2007 9:58 am

I am not sure if webmail logins would show up....what does your "omstat -s" show? Any users logged into "Remote Client Interface"?

Mick

mito
Posts: 194
Joined: Fri Mar 24, 2006 11:33 am

Postby mito » Wed May 09, 2007 10:03 am

mikethebike wrote:I am not sure if webmail logins would show up....what does your "omstat -s" show? Any users logged into "Remote Client Interface"?

Mick


It shows 28 right now...

mikethebike
Posts: 566
Joined: Mon Nov 28, 2005 4:16 pm
Location: England

Postby mikethebike » Wed May 09, 2007 10:14 am

OK, they are probably being logged OK
I do not think the webmail connections will be seen. Look further down the audit.cfg file, you will only record limited info for webmail connections.

You could check the user's userlist entry to see if the password attempts have been reached (omsearch -d userlist -t h -e s=smith -m UL-BADPWD=0)

I think you should check which ones get locked out, and whether there are any entries in the audit log.


Mick

ametade

Postby ametade » Tue Jul 17, 2007 7:43 am

Hi there,

I'm having the same problem with half of the email accounts mysteriously locked on a Scalix 11.1.0 server. Did anybody manage to understand this strange problem?
Last edited by ametade on Tue Jul 17, 2007 2:13 pm, edited 1 time in total.