CheckAuthLog FAQ: Difference between revisions
No edit summary |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
===Q. What are the prerequisites for CheckAuthLog?=== | ===Q. What are the prerequisites for CheckAuthLog?=== | ||
PHP version 5 with DBA and mysql extensions. | * PHP version 5 with DBA and mysql extensions. | ||
* Oracle Berkley DB 4 or 5 | |||
The use of the mysql extension means that it will not work with the upcoming PHP 7 release until the code has been migrated to mysqli. | The use of the mysql extension means that it will not work with the upcoming PHP 7 release until the code has been migrated to mysqli. | ||
Line 11: | Line 12: | ||
While CheckAuthLog is useful to detect strange patterns of email sending that could indicate stolen email credentials being used to send spam, one way of helping to avoid stolen email credentials is to slow down and block dictionary attacks on passwords. | While CheckAuthLog is useful to detect strange patterns of email sending that could indicate stolen email credentials being used to send spam, one way of helping to avoid stolen email credentials is to slow down and block dictionary attacks on passwords. | ||
Fail2ban parses log files and can be configured to block internet traffic from ip addresses that have made more than a configurable number of authentication errors. | [http://www.fail2ban.org Fail2ban] parses log files and can be configured to block internet traffic from ip addresses that have made more than a configurable number of authentication errors. | ||
====Define and enforce a strong password policy==== | ====Define and enforce a strong password policy==== | ||
Line 19: | Line 20: | ||
====Have a safe method for password recovery==== | ====Have a safe method for password recovery==== | ||
Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to | Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to unverified users. | ||
====Only use encrypted connections==== | ====Only use encrypted connections==== | ||
Line 27: | Line 28: | ||
====Set up rate limiting in the MTA==== | ====Set up rate limiting in the MTA==== | ||
In order to avoid hackers/spammers getting round the login limit by sending excess multiple messages within a single smtp connection, it is worthwhile setting up rate limits (for example smtpd_client_message_rate_limit parameter on | In order to avoid hackers/spammers getting round the login limit by sending excess multiple messages within a single smtp connection, it is worthwhile setting up rate limits (for example smtpd_client_message_rate_limit parameter on Postfix) to a value which will not interfere with normal mail sending, but that will stop a hacker/spammer sending infinite messages with one smtp connection. | ||
===Q. How efficient is the log file scanning=== | ===Q. How efficient is the log file scanning=== | ||
The program parses the log file incrementally so can be run as a cron job as often as needed without rereading lines already processed. In the case of log rotation, the script notices the changed file and reads the last | The program parses the log file incrementally so can be run as a cron job as often as needed without rereading lines already processed. In the case of log rotation, the script notices the changed file and reads the last lines of the rotated log and then starts from the new log file. The ability to read the rotated log file depends on it having a standardized name. | ||
The log file scanning has been optimized in the latest version. | The log file scanning has been optimized in the latest version 3.0.0. | ||
===Q. When reporting a problem what information should I provide?=== | ===Q. When reporting a problem what information should I provide?=== | ||
Please see [[CheckAuthLog Support|here]] | Please see [[CheckAuthLog Support|here]] |
Latest revision as of 03:07, 15 June 2016
Q. What are the prerequisites for CheckAuthLog?
- PHP version 5 with DBA and mysql extensions.
- Oracle Berkley DB 4 or 5
The use of the mysql extension means that it will not work with the upcoming PHP 7 release until the code has been migrated to mysqli.
Q. What other things can I do to improve security?
Use Fail2ban
While CheckAuthLog is useful to detect strange patterns of email sending that could indicate stolen email credentials being used to send spam, one way of helping to avoid stolen email credentials is to slow down and block dictionary attacks on passwords.
Fail2ban parses log files and can be configured to block internet traffic from ip addresses that have made more than a configurable number of authentication errors.
Define and enforce a strong password policy
Depending on the software being used, you may be able to set up and enforce policies about the length and characters to be used in a password and about how frequently it must be changed.
Have a safe method for password recovery
Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to unverified users.
Only use encrypted connections
It is recommended that all connections for reading and sending email are authenticated across a strongly encrypted connection. That drastically reduces the risk of the password being read by a third party while it is in transit on the network.
Set up rate limiting in the MTA
In order to avoid hackers/spammers getting round the login limit by sending excess multiple messages within a single smtp connection, it is worthwhile setting up rate limits (for example smtpd_client_message_rate_limit parameter on Postfix) to a value which will not interfere with normal mail sending, but that will stop a hacker/spammer sending infinite messages with one smtp connection.
Q. How efficient is the log file scanning
The program parses the log file incrementally so can be run as a cron job as often as needed without rereading lines already processed. In the case of log rotation, the script notices the changed file and reads the last lines of the rotated log and then starts from the new log file. The ability to read the rotated log file depends on it having a standardized name.
The log file scanning has been optimized in the latest version 3.0.0.
Q. When reporting a problem what information should I provide?
Please see here