
Thread: SOAP IP Security

  1. #1

    SOAP IP Security

    Hi,

    In audit.log I see entries like:

    security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;

    These "invalid pass" tries make the account locked after 10 attempts. But these tries do not originate from the real user.

    When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server address itself. This is always the case in soap communication.

    So, if I cannot find the originating address for soap communications, this is a true security flaw in design IMHO.

    Is there a way to determine the originating address in soap communication?

    Best Regards,

  2. #2

    Quote Originally Posted by ghanedan
    Hi,

    In audit.log I see entries like:

    security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;

    These "invalid pass" tries make the account locked after 10 attempts. But these tries do not originate from the real user.

    When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server address itself. This is always the case in soap communication.

    So, if I cannot find the originating address for soap communications, this is a true security flaw in design IMHO.

    Is there a way to determine the originating address in soap communication?

    Best Regards,
    We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.

    We are currently experimenting with PSAD on SLES and trying to develop Snort rules which will track this kind of behavior and block the offending IP with iptables before the legitimate user gets locked out. Early days though...

    Hope that helps,
    Mark

  3. #3

    Quote Originally Posted by LMStone
    We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.

    Hope that helps,
    Mark
    I see. I will wait for the security improvements.

    BTW it is very cumbersome to match firewall logs to Zimbra logs, because of different timestamp values and DMZ/NAT configurations.

    Best Regards,

  4. #4

    Quote Originally Posted by ghanedan
    I see. I will wait for the security improvements.

    BTW it is very cumbersome to match firewall logs to Zimbra logs, because of different timestamp values and DMZ/NAT configurations.

    Best Regards,
    We don't have that problem...

    Our firewalls and our Zimbra servers have the same time stamps; both keep their clocks synchronized to the same public time servers.

    Our firewalls do DNS lookups, so we get both the public FQDN as well as the public IP in the firewall logs. Zimbra's logs contain the same info too.

    So, easy for us to match.

    Hope that helps,
    Mark

  5. #5

    Quote Originally Posted by LMStone
    Our firewalls and our Zimbra servers have the same time stamps; both keep their clocks synchronized to the same public time servers.
    Of course, if you don't have tens of other requests per second to the firewall.

    I think a better option is to activate a secondary firewall on the zimbra machine itself.

    Best Wishes,

  6. #6

    You could always use OSSEC and its active response capability.

  7. #7

    If of use, this is my local_decoder.xml file for OSSEC.
    Code:
    <!--
      Zimbra OSSEC decoders for audit.log.
      Note: in OSSEC's os_regex a bare "." is a literal dot and "\." means
      any character, so \d+.\d+.\d+.\d+ below matches a dotted IPv4 address.
    -->
    
    <!-- Parent: matches the Zimbra log prefix "YYYY-MM-DD HH:MM:SS,ms LEVEL". -->
    <decoder name="zimbra">
      <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
    </decoder>
    
    <!-- PreAuth failure: user and client IP come from the [name=...;ip=...;] context. -->
    <decoder name="zimbra-preauth-failed">
      <parent>zimbra</parent>
      <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
      <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
      <order>user, srcip</order>
    </decoder>
    
    <!-- PreAuth success: same fields, no error= trailer. -->
    <decoder name="zimbra-preauth-passed">
      <parent>zimbra</parent>
      <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
      <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
      <order>user, srcip</order>
    </decoder>
    
    <!-- Unknown account: no name= field, so the IP is read from oip= and the user from the message. -->
    <decoder name="zimbra-unknown-account">
      <parent>zimbra</parent>
      <prematch offset="after_parent">account not found$</prematch>
      <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
      <order>srcip, user</order>
    </decoder>
    
    <!-- Wrong password over SOAP: oip= is the originating client address, not the mailbox server. -->
    <decoder name="zimbra-invalid-password">
      <parent>zimbra</parent>
      <prematch offset="after_parent">invalid password$</prematch>
      <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
      <order>user, srcip</order>
    </decoder>
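    The decoders above pull the account and the oip= (originating IP) field out of the bracketed context block that Zimbra writes before the "security - cmd=Auth" message; that field, rather than the mailbox server's own address, is what the first post was looking for. As an added example (not code from this thread, from OSSEC or from Zimbra), the Python below does the same extraction and counts failures per originating IP in a sliding window, so a source can be flagged before it reaches the 10-attempt lockout mentioned in the first post. The sample log lines are constructed in the layout the decoders expect (hosts, accounts and addresses are made up), and the threshold of 5 failures in 5 minutes is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit.log lines (hosts, accounts and addresses are made up)
# in the layout the OSSEC decoders above expect: timestamp, level, thread tag,
# a [name=...;oip=...;ua=...;] context block, then the security message.
SAMPLE_AUDIT_LOG = """\
2011-04-05 01:03:00,101 INFO  [btpool0-7://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=203.0.113.7;ua=zclient/7.0;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for alice@example.test, invalid password;
2011-04-05 01:03:02,204 INFO  [btpool0-7://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=203.0.113.7;ua=zclient/7.0;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for alice@example.test, invalid password;
2011-04-05 01:03:03,310 INFO  [btpool0-8://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=203.0.113.7;ua=zclient/7.0;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for alice@example.test, invalid password;
2011-04-05 01:03:05,412 INFO  [btpool0-9://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=203.0.113.7;ua=zclient/7.0;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for alice@example.test, invalid password;
2011-04-05 01:03:06,515 INFO  [btpool0-9://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=203.0.113.7;ua=zclient/7.0;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for alice@example.test, invalid password;
2011-04-05 01:03:40,620 INFO  [btpool0-3://mail.example.test/service/soap/AuthRequest] [name=bob@example.test;oip=198.51.100.22;ua=zclient/7.0;] security - cmd=Auth; account=bob@example.test; protocol=soap; error=authentication failed for bob@example.test, invalid password;
2011-04-05 01:04:10,030 INFO  [btpool0-3://mail.example.test/service/soap/AuthRequest] [name=bob@example.test;oip=198.51.100.22;ua=zclient/7.0;] security - cmd=Auth; account=bob@example.test; protocol=soap;
2011-04-05 01:05:00,001 INFO  [btpool0-4://mail.example.test/service/soap/AuthRequest] [oip=192.0.2.9;ua=zclient/7.0;] SoapEngine - handler exception: authentication failed for nobody@example.test, account not found
"""

# Zimbra audit.log prefix.  The second bracketed block carries the SOAP
# context; its oip= field is the client's own address, not the mailbox server.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ +(?P<level>\w+) +"
    r"\[[^\]]*\] +\[(?P<ctx>[^\]]*)\] +(?P<msg>.*)$"
)
# The two failure reasons the thread's decoders match on.
FAIL_RE = re.compile(
    r"authentication failed for (?P<account>\S+), "
    r"(?P<reason>invalid password|account not found)"
)


def parse_line(line):
    """Return a dict (ts, account, oip, reason) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fail = FAIL_RE.search(m.group("msg"))
    if not fail:
        return None  # successful login or unrelated entry
    ctx = {}
    for field in m.group("ctx").split(";"):
        key, sep, value = field.partition("=")
        if sep:
            ctx[key] = value
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "account": fail.group("account"),
        "oip": ctx.get("oip", "unknown"),  # "unknown" if the context lacks oip=
        "reason": fail.group("reason"),
    }


def failures_by_source(log_text):
    """Count failed logins per originating IP across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[ev["oip"]] += 1
    return counts


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Emit one alert per source whose failures inside `window` reach `threshold`.

    threshold and window are assumed tuning values; keep the threshold below the
    account lockout count so the source can be blocked before the real user is
    locked out.
    """
    recent = defaultdict(deque)  # oip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["oip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) == threshold:  # fires once as the count crosses the line
            alerts.append({"oip": ev["oip"], "account": ev["account"],
                           "count": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUDIT_LOG):
        print(f"{a['ts']} {a['oip']}: {a['count']} failures, last account {a['account']}")
```

    The alert list is the hook for the active response the later posts talk about (OSSEC, or iptables on the Zimbra host itself): the flagged oip is what would be blocked, and because the count comes from Zimbra's own log there is no firewall-log timestamp matching to do.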

  8. #8

    Quote Originally Posted by ghanedan
    Of course if you don't have tens of other requests in a second to the firewall.

    I think a better option is to activate a secondary firewall on the zimbra machine itself.

    Best Wishes,
    It's not unusual for us to see 10 or 20 Mbps sustained traffic on our firewall. The firewall console enables us to filter the logs there, and on Zimbra "grep" is one of our best friends. :-)

    Honestly, coordinating output from the two logs hasn't been an issue for us.

    And sure you can run iptables on the Zimbra server, and then you can deploy something like OSSEC, or PSAD and fwsnort to do active IPS too if you want.

    Hope that helps,
    Mark
