CheckAuthLog FAQ
Q. What are the prerequisites for CheckAuthLog?
PHP version 5 with DBA and mysql extensions.
The use of the mysql extension means that it will not work with the upcoming PHP 7 release until the code has been migrated to mysqli.
Q. What other things can I do to improve security?
Use Fail2ban
While CheckAuthLog is useful to detect strange patterns of email sending that could indicate stolen email credentials being used to send spam, one way of helping to avoid stolen email credentials is to slow down and block dictionary attacks on passwords.
Fail2ban parses log files and can be configured to block internet traffic from ip addresses that have made more than a configurable number of authentication errors.
Define and enforce a strong password policy
Depending on the software being used, you may be able to set up and enforce policies about the length and characters to be used in a password and about how frequently it must be changed.
Have a safe method for password recovery
Avoid methods which contain easily to guess questions that provide access to the account or that communicate new credentials via an insecure method to unverifiable users.
Only use encrypted connections
It is recommended that all connections for reading and sending email are authenticated across a strongly encrypted connection. That drastically reduces the risk of the password being read by a third party while it is in transit on the network.
Set up rate limiting in the MTA
In order to avoid hackers/spammers getting round the login limit by sending excess multiple messages within a single smtp connection, it is worthwhile setting up rate limits (for example smtpd_client_message_rate_limit parameter on postfix) to a value which will not interfere with normal mail sending, but that will stop a hacker/spammer sending infinite messages with one smtp connection.
Q. How efficient is the log file scanning
The program parses the log file incrementally so can be run as a cron job as often as needed without rereading lines already processed. In the case of log rotation, the script notices the changed file and reads the last line of the rotated log and then starts from the new log file. The ability to read the rotated log file depends on it having a standardized name.
The log file scanning has been optimized in the latest version 3.0.0.
Q. When reporting a problem what information should I provide?
Please see here