
Thread: Account Lockout: How to find IP address of soap - AuthRequest

  1. #1

    Account Lockout: How to find IP address of soap - AuthRequest

    When I have an account that is being password hacked, it goes into lockout as expected and I can get the IP address of the hacker if it is a pop or imap request; however, if the hacker is using a soap request (web interface or zimbra web client or desktop), the IP address logged in audit.log and mailbox.log is the address of the zimbra server, not the user.

    How do I get the source IP address so I can block it in my firewall?

    Thanks,
    Scott Hardin

    =============================================

    From audit.log:
    2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=admin@domainname.com; protocol=soap; error=authentication failed for admin, account lockout;

    From mailbox.log:
    2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=10.10.1.2;] soap - AuthRequest
    2008-08-13 07:01:47,930 INFO [btpool0-7] [ip=10.10.1.2;] SoapEngine - handler exception: authentication failed for admin, account lockout

    Version: Release 5.0.7_GA_2444.UBUNTU6 UBUNTU6 FOSS edition

  2. #2
    phoenix (Zimbra Consultant & Moderator)


    As far as I'm aware, that's the IP of the source of the login attempt. You can confirm that by logging in as the Admin from another LAN IP. Do you actually have port 7071 open to the outside world? Do you see any attempts from outside to login as the admin?
    Regards,
    Bill

  3. #3


    7071 is not open to the outside. The attempts are targeting an e-mail address that is not zimbra admin. I had several thousand attempts over 30 minutes, so this is an automated attack.

    I have a stateful firewall in front of this box. The only ports I have open are:

    * 25 and 587 for SMTP (587 is forwarded to 25)
    * 143 and 993 for IMAP
    * 110 and 995 for POP
    * 80 and 443 for HTTP

    I tried using the web UI and Zimbra Desktop and they both provide the correct source IP and ua=zclient or ua=Yahoo! Zimbra Desktop. When I log in as a zimbra admin the ua=ZimbraWebClient. Evidently there is a scenario when the ip is recorded as the ip of the box and the ua does not get logged for soap requests.

    Under what scenario is the IP address set as the local server address and the ua not recorded in the log for soap requests? Is the ua set by the client for a soap authentication request?

    Thanks for your help.

    ==================================

    Zimbra Mail Login: 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout;

    Zimbra Admin Login: 2008-08-13 20:07:07,776 WARN [btpool0-9] [ip=65.12.278.236;ua=ZimbraWebClient - FF3.0 (Win);] security - cmd=Auth; account=abc@xxx.mydomain.com; protocol=soap; error=authentication failed for admin@xxx.mydomain.com, invalid password;

    Zimbra Desktop Login: 2008-08-13 19:54:36,878 WARN [btpool0-9] [ip=65.12.278.236;ua=Yahoo! Zimbra Desktop/0.90_1251_Windows;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz@mydomain.com, account lockout;

    Hack Request: 2008-08-13 06:57:57,655 INFO [btpool0-0] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; error=account lockout due to too many failed logins;
    2008-08-13 06:58:03,725 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for admin, account lockout;

  4. #4


    I looked at your SOAP docs here and it looks like the ua (userAgent) is set in the SOAP header, so that explains a blank ua. Also, the "Proxy Mechanism" here looks like it could be abused for hacking. I hope this helps. Is there any way to tighten this up?

  5. #5


    After further review, I noticed that the userAgent (ua) is set by the SOAP client, which may explain the blank ua= field. How could the IP address be set to the server's IP address instead of the client's IP address? I am concerned the <targetServer> Proxy Mechanism for authentication requests is a potential vulnerability. Any ideas?

  6. #6


    You should be able to find the actual source IP in /opt/zimbra/jetty/logs/access_log.*

    When you use the HTML client, the server talks to itself... though I'd expect the IP address to be 127.0.0.1, not the server's public IP. ZCS 5.0.5 or so fixed the logs to include the original rather than proxied IP, so if you're running a recent version, I don't know what the deal is.

    You're sure you don't have some forgotten cron job on the local box?

  7. #7


    I don't have any cron jobs running that generate authentication requests.

    I've found that when the Zimbra web client is authenticated, the IP of the browser is logged, not the IP of the server (for example: 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout).

    Here's a small subsection of the /opt/zimbra/jetty/logs during the attack:
    10.10.1.2 - - [13/Aug/2008:06:56:56 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:04 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:14 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:19 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:42 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:49 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:57:57 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:58:03 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:58:13 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:58:18 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:58:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    10.10.1.2 - - [13/Aug/2008:06:58:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
    Last edited by spikehardin; 08-14-2008 at 10:56 AM. Reason: clarity
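As an added example (not code from this thread or from Zimbra), a small Python parser for the audit.log lines quoted above: it prefers the oip= (original client IP) field over ip= when both are present, counts failed Auth attempts per effective source, and separately flags accounts whose only recorded address is the server's own, which are the entries that have to be correlated against the jetty access_log rather than blocked directly. The sample lines, addresses and accounts are constructed to match the quoted format.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Zimbra 5.x audit.log excerpts quoted in this thread.
SAMPLE_AUDIT = [
    "2008-08-13 06:58:03,725 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; "
    "account=xyz@example.com; protocol=soap; error=authentication failed for xyz, account lockout;",
    "2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=203.0.113.7;ua=zclient/5.0.7_GA_2444;] security - "
    "cmd=Auth; account=xyz@example.com; protocol=soap; error=authentication failed for xyz, account lockout;",
    "2008-08-13 20:07:07,776 WARN [btpool0-9] [ip=198.51.100.9;ua=ZimbraWebClient - FF3.0 (Win);] security - "
    "cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for admin, invalid password;",
    "2008-08-13 20:08:00,000 INFO [btpool0-3] [ip=198.51.100.9;ua=zclient;] security - cmd=Auth; "
    "account=admin@example.com; protocol=soap;",  # successful login: no error= field
    "2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=10.10.1.2;] soap - AuthRequest",  # mailbox.log style, ignored
]

# timestamp level [thread] [ctx fields] security - body fields
AUDIT_RE = re.compile(r"^\S+ \S+ \w+ \[[^\]]+\] \[(?P<ctx>[^\]]*)\] security - (?P<body>.*)$")

def parse_fields(s):
    """Split 'k=v;k=v;' into a dict; values may contain spaces and commas (e.g. ua=..., error=...)."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def parse_audit_line(line):
    """Return the merged context+body fields of a 'security - cmd=Auth' line, else None."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m.group("ctx"))
    fields.update(parse_fields(m.group("body")))
    return fields if fields.get("cmd") == "Auth" else None

def effective_source(fields):
    """oip (original client IP) wins over ip when the server proxied the request to itself."""
    return fields.get("oip") or fields.get("ip")

def failed_auth_sources(lines, server_ips):
    """Count failed Auth attempts per effective source IP, and per account for which the only
    recorded IP is the server itself (those cannot be blocked from audit.log alone)."""
    per_source, unresolved = Counter(), Counter()
    for line in lines:
        f = parse_audit_line(line)
        if f is None or "error" not in f:
            continue
        src = effective_source(f)
        per_source[src] += 1
        if src in server_ips:
            unresolved[f["account"]] += 1
    return per_source, unresolved
```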

  8. #8


    I can confirm that the behavior is still the same in 5.0.9NE: the actual source IP cannot be found either in audit.log or /opt/zimbra/jetty/logs. Is there any way to find out the attacker's IP?

  9. #9

    Any updates?

    I am running into the same thing, with someone trying to log in to my admin accounts. The only IP I can find in the audit.log and access.log is the Zimbra server's local IP.

  10. #10


    Has anyone figured this out yet? Seems someone is robotically attacking my server now. The audit log shows only local IP addresses. The Zimbra.Log file shows Pop3/IMAP/SMTP attempts, but not SOAP.

    At least once a day for the past few days, my admin account gets blocked and I can't seem to figure out where it is coming from.
