Kopano - interpret mail.log entries

#1

Dear all,

I regularly check the /var/log/mail.log file and don’t understand the entries attached below.
I assume a script from some external server is trying to login with some default values.
My question:
How can I determine the IP address of the ‘attacking’ server?
How do I know which plugin is used to log on, so what kind of protocol or interface is used to authenticate (via WebApp, IMAP, …)?

Jul  4 03:26:18 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 1
Jul  4 03:26:18 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  4 03:26:23 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 5
Jul  4 03:26:23 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  4 03:26:24 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 1
Jul  4 03:26:24 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  4 03:26:25 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:25 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:25 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:26 server kopano-server[16106]: Authentication by plugin failed for user "super": Trying to authenticate failed: super not found in LDAP; username = super
Jul  4 03:26:26 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "super": logon failed
Jul  4 03:26:26 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:30 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:30 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:30 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  4 03:26:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
Jul  4 03:26:30 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:32 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  4 03:26:32 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
Jul  4 03:26:32 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:32 server kopano-server[16106]: Authentication by plugin failed for user "ktroot": Trying to authenticate failed: ktroot not found in LDAP; username = ktroot
Jul  4 03:26:32 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktroot": logon failed
Jul  4 03:26:32 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:32 server kopano-server[16106]: Authentication by plugin failed for user "ktuser": Trying to authenticate failed: ktuser not found in LDAP; username = ktuser
Jul  4 03:26:32 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktuser": logon failed
Jul  4 03:26:32 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:34 server kopano-server[16106]: Authentication by plugin failed for user "ktuser": Trying to authenticate failed: ktuser not found in LDAP; username = ktuser
Jul  4 03:26:34 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktuser": logon failed
Jul  4 03:26:34 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:34 server kopano-server[16106]: Authentication by plugin failed for user "ubnt": Trying to authenticate failed: ubnt not found in LDAP; username = ubnt
Jul  4 03:26:34 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ubnt": logon failed
Jul  4 03:26:34 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:42 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  4 03:26:42 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
Jul  4 03:26:42 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:42 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:42 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:42 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:46 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:46 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:46 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:48 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:48 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:48 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:49 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:49 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:49 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:49 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  4 03:26:49 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  4 03:26:49 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:50 server kopano-server[16106]: Authentication by plugin failed for user "xj110": Trying to authenticate failed: xj110 not found in LDAP; username = xj110
Jul  4 03:26:50 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "xj110": logon failed
Jul  4 03:26:50 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  4 03:26:52 server kopano-server[16106]: Authentication by plugin failed for user "xj110": Trying to authenticate failed: xj110 not found in LDAP; username = xj110
Jul  4 03:26:52 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "xj110": logon failed
Jul  4 03:26:52 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request


#2

Hi @FrankM,

This “plugin” term comes down to the internal architecture of Kopano. You can completely disregard this.

Given the timing, these two lines are directly related to each other. In the first line kopano-server logs that it received a login request and that it could not find the requested user. Then in the second line the service issuing/forwarding that login to kopano-server logs that it tried to log in, but that the authentication failed.

You would need to raise the log level of kopano-ical to include the source IP of the request.


#3

How can I do this, and which log level do I need?

https://github.com/Kopano-dev/kopano-core/blob/master/installer/linux/ical.cfg

# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3

#4

https://wiki.z-hub.io/display/K4U/Changing+configuration+options

The exact level I cannot tell you off the top of my head.


#5

Thank you for your help. I changed the log level to 6, as described in your linked article.
The log is more detailed, but all I get is:

Jul  5 10:07:23 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 1
Jul  5 10:07:23 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  5 10:07:25 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 1
Jul  5 10:07:25 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  5 10:07:27 server kopano-ical[599]: ECChannel::HrEnableTLS(): SSL_accept failed: 1
Jul  5 10:07:27 server kopano-ical[599]: Unable to negotiate SSL connection
Jul  5 10:07:30 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:30 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  5 10:07:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  5 10:07:30 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:30 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:30 server kopano-server[16106]: Authentication by plugin failed for user "super": Trying to authenticate failed: super not found in LDAP; username = super
Jul  5 10:07:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "super": logon failed
Jul  5 10:07:30 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:31 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:31 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  5 10:07:31 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  5 10:07:31 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:31 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:31 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  5 10:07:31 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  5 10:07:31 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:32 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:32 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  5 10:07:32 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
Jul  5 10:07:32 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:33 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:33 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  5 10:07:33 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
Jul  5 10:07:33 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:33 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:33 server kopano-server[16106]: Authentication by plugin failed for user "ktroot": Trying to authenticate failed: ktroot not found in LDAP; username = ktroot
Jul  5 10:07:33 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktroot": logon failed
Jul  5 10:07:33 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:33 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:33 server kopano-server[16106]: Authentication by plugin failed for user "ktuser": Trying to authenticate failed: ktuser not found in LDAP; username = ktuser
Jul  5 10:07:33 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktuser": logon failed
Jul  5 10:07:33 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request
Jul  5 10:07:34 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:34 server kopano-server[16106]: Authentication by plugin failed for user "ktuser": Trying to authenticate failed: ktuser not found in LDAP; username = ktuser
Jul  5 10:07:34 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "ktuser": logon failed
Jul  5 10:07:34 server kopano-ical[599]: Login failed (0x80040111 logon failed), resending authentication request

So it gets connected from the localhost. What does this mean? Do I have some malware which tries to connect? That would be odd, due to the infrequent access.


#6

The log output below does not look like you changed the log level of kopano-ical, but more probably the log level of kopano-server.

This simply means that kopano-server gets a login request from kopano-ical. Since kopano-ical is running on the same system, it will be logged with localhost as the source IP. You need to check the logging of kopano-ical, as this is the service that the “user” tries to connect to.
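
The pairing described in #2 and #6, as an added example that is not part of the original thread and is not Kopano code: it attributes each kopano-server authentication failure to the service that forwarded it, which answers the "which interface" question from mail.log alone. It assumes both lines share the same second-resolution timestamp (as in the excerpts above) and that any forwarding service logs the same HrLogon line as kopano-ical; it does not recover the client IP, which only kopano-ical's own logging can provide.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the excerpts posted in this thread.
SAMPLE = '''\
Jul  5 10:07:30 server kopano-server[16106]: Accepted incoming connection from 127.0.0.1
Jul  5 10:07:30 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  5 10:07:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  5 10:07:30 server kopano-server[16106]: Authentication by plugin failed for user "super": Trying to authenticate failed: super not found in LDAP; username = super
Jul  5 10:07:30 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "super": logon failed
Jul  5 10:07:31 server kopano-server[16106]: Authentication by plugin failed for user "admin": Trying to authenticate failed: admin not found in LDAP; username = admin
Jul  5 10:07:31 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "admin": logon failed
Jul  5 10:07:32 server kopano-server[16106]: Authentication by plugin failed for user "root": Trying to authenticate failed: root not found in LDAP; username = root
Jul  5 10:07:32 server kopano-ical[599]: HrLogon server "http://localhost:236/" user "root": logon failed
'''

SYSLOG = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w-]+)\[\d+\]: (.*)$')
BACKEND_FAIL = re.compile(r'Authentication by plugin failed for user "([^"]*)"')
GATEWAY_FAIL = re.compile(r'HrLogon server "[^"]*" user "([^"]*)": logon failed')

def correlate(text):
    """Return ({service: Counter(user -> failures)}, unmatched backend failures)."""
    pending = []                      # (timestamp, user) failures seen by kopano-server
    by_service = defaultdict(Counter)
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m.groups()
        hit = (BACKEND_FAIL if prog == "kopano-server" else GATEWAY_FAIL).search(msg)
        if not hit:
            continue
        key = (ts, hit.group(1))
        if prog == "kopano-server":
            pending.append(key)
        elif key in pending:          # forwarding service claims the backend failure
            pending.remove(key)
            by_service[prog][key[1]] += 1
    return dict(by_service), pending

def guessing_services(by_service, min_users=3):
    """Services with failures for several distinct usernames (guessing pattern)."""
    return sorted(s for s, users in by_service.items() if len(users) >= min_users)

if __name__ == "__main__":
    services, unmatched = correlate(SAMPLE)
    print({s: dict(u) for s, u in services.items()}, guessing_services(services))
    print("backend failures with no forwarding service line:", unmatched)
```

Backend failures left in the unmatched list reached kopano-server without a matching forwarding-service line in the same log, so they need to be traced separately.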


#7

You are right. I’m sorry. I set it for ical now. I’ll report back.

Thank you for your help.