LLDAP · 4w ago
Pizmovc

Hi, quick question, in my lldap logs I keep seeing Login attempt for "admin" 24/7, like all the time 😅 Is it just how LDAP works or is it some brute-force attack against my server that has been going on for months now 😰 Here is an example (and these are not even all requests for login for admin in this second).
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:24.918622810+00:00 INFO LDAP request [ 102ms | 100.00% ] session_id: 4026c56a>
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:24.919170504+00:00 INFO ┕━ i [info]: Login attempt for "admin"
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.022399957+00:00 INFO LDAP request [ 1.12ms | 100.00% ] session_id: 4026c56>
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.024430048+00:00 INFO i [info]: LDAP session end: 4026c56a-f260-4e0d-af03->
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.044638621+00:00 INFO i [info]: LDAP session start: 10c52a8d-1f8a-4ba2-b72>
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.045095012+00:00 INFO LDAP request [ 104ms | 100.00% ] session_id: 10c52a8d>
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.046514465+00:00 INFO ┕━ i [info]: Login attempt for "admin"
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.150205959+00:00 INFO LDAP request [ 911µs | 100.00% ] session_id: 10c52a8d>
Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:25.152408718+00:00 INFO i [info]: LDAP session end: 10c52a8d-1f8a-4ba2-b723->
Any ideas?
4 Replies
Solution
nitnelave · 4w ago
I think that's either a brute force attack or a misconfigured integration that retries automatically without cooldown
nitnelave · 4w ago
Maybe you can check where the traffic on this port is coming from, whether it's your machine or not. You can also configure your containers so that the LDAP port is not exposed to the broader web and is only reachable by other containers.
Pizmovc (OP) · 4w ago
Ok great, thanks for confirming, it's most likely a misconfiguration then. I'll investigate. Thanks again for the response and for writing such great software! I haven't encountered any issues/bugs with it, and I've been running it for years ❤️ love it!
Pizmovc (OP) · 4w ago
To give a bit of closure here, I've triple-checked that lldap is not exposed anywhere, so I've ruled out a brute-force attack. It turns out that the admin login is actually Authelia. I've created a separate user for Authelia, so it shows up correctly now. As for the frequency, I have a lot of services running and now that I've quieted down the worst offenders (Nextcloud clients) it's much better.
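
An added example, not part of the thread or of lldap itself: a Python script that tallies the `Login attempt for "..."` lines per bind account, which is how a shared account such as `admin` can be told apart from a dedicated service user. The sample lines are constructed in the layout of the log excerpt above; the names `summarize` and `noisy` and the thresholds are chosen here, and the script assumes each login line belongs to the `LDAP request` line printed just before it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.(\d+)([+-]\d\d:\d\d)")
SESSION = re.compile(r"LDAP request .*session_id: ([0-9a-f-]+)")
LOGIN = re.compile(r'Login attempt for "([^"]*)"')

# Constructed sample in the layout of the log lines quoted in the thread.
P = "Jul 30 05:36:25 brutus lldap[5734]: 2025-07-30T03:36:"
SAMPLE = [
    P + "24.918622810+00:00 INFO LDAP request [ 102ms | 100.00% ] session_id: 4026c56a>",
    P + '24.919170504+00:00 INFO ┕━ i [info]: Login attempt for "admin"',
    P + "25.045095012+00:00 INFO LDAP request [ 104ms | 100.00% ] session_id: 10c52a8d>",
    P + '25.046514465+00:00 INFO ┕━ i [info]: Login attempt for "admin"',
    P + "25.171000000+00:00 INFO LDAP request [ 101ms | 100.00% ] session_id: 7f3e1b22>",
    P + '25.173000000+00:00 INFO ┕━ i [info]: Login attempt for "admin"',
    P + "40.000000000+00:00 INFO LDAP request [ 103ms | 100.00% ] session_id: 9a0c44d1>",
    P + '40.001000000+00:00 INFO ┕━ i [info]: Login attempt for "authelia"',
]

def summarize(lines):
    """Per bind account: attempt count, distinct sessions, median gap in seconds."""
    events = defaultdict(list)  # user -> [(timestamp, session_id)]
    session = None
    for line in lines:
        ts = TS.search(line)
        if not ts:
            continue
        # The log prints nanoseconds; datetime holds microseconds, so trim the fraction.
        when = datetime.strptime("{}.{}{}".format(ts[1], ts[2][:6], ts[3]),
                                 "%Y-%m-%dT%H:%M:%S.%f%z")
        req = SESSION.search(line)
        if req:
            session = req[1]  # assumption: the next login line nests under this request
        login = LOGIN.search(line)
        if login:
            events[login[1]].append((when, session))
    stats = {}
    for user, evs in events.items():
        times = sorted(t for t, _ in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[user] = {"attempts": len(evs), "sessions": len({s for _, s in evs}),
                       "median_gap_s": round(median(gaps), 3) if gaps else None}
    return stats

def noisy(stats, min_attempts=3, max_gap_s=1.0):
    """Accounts with at least min_attempts binds and a median gap under max_gap_s."""
    return sorted(u for u, s in stats.items() if s["attempts"] >= min_attempts
                  and s["median_gap_s"] is not None and s["median_gap_s"] < max_gap_s)
```

Comparing the output before and after giving a service its own bind user shows which integration was behind the `admin` binds. The quoted lines carry no client address, so where the connections come from still has to be checked at the network level.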
