Results 1 to 6 of 6

Thread: honey auth failed: authentication failed for honey

  1. #1
    Join Date
    Apr 2009
    Posts
    13
    Rep Power
    6

    Default honey auth failed: authentication failed for honey

    Hi,

    since this morning, I am getting swamped by the following log entries:

    Code:
    Mar 30 08:57:28 zimbra saslauthd[31669]: zmauth: authenticating against elected url 'https://zimbra.fteu.lan:7071/service/admin/soap/' ...
    Mar 30 08:57:28 zimbra saslauthd[31669]: zmpost: url='https://zimbra.fteu.lan:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for honey</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for honey ExceptionId:btpool0-118://zimbra.fteu.lan:7071/service/admin/soap/:1301468248318:c8e22a553fa44c2f Code:account.AUTH_FAILED ^Iat com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:131) ^Iat com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:127) ^Iat com.zimbra.cs.service.account.Auth.handle(Auth.java:10
    Mar 30 08:57:28 zimbra saslauthd[31669]: auth_zimbra: honey auth failed: authentication failed for honey
    Mar 30 08:57:28 zimbra saslauthd[31669]: do_auth         : auth failure: [user=honey] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
    Mar 30 08:57:28 zimbra postfix/smtpd[29800]: warning: unknown[187.37.60.124]: SASL LOGIN authentication failed: authentication failure
    These messages repeat without end. The IP stated in the last line resolves to a brazilian dialup host name, so this is very likey a spamming host. But I wonder what is happening there... Our Zimbra host is behind a NAT, only the SMTP(S), IMAP(S) and HTTPS ports are forwarded. I don't know how this can have something to do with the port at which the admin interface is running...

    Maybe someone else has an idea

  2. #2
    Join Date
    Feb 2011
    Posts
    82
    Rep Power
    4

    Default

    Someone is trying to brute force your zimbra admin password through the soap interface. Try change the default 7071 to something else for admin console, or remove the port forwarding for 7071 in your nat router.

  3. #3
    Join Date
    Apr 2009
    Posts
    13
    Rep Power
    6

    Default

    Hi,

    I do not have the port forwarded. That's why I'm wondering how this can happen.

    For the time being, I have blocked the malicious IP with iptables.

  4. #4
    Join Date
    Feb 2011
    Posts
    82
    Rep Power
    4

    Default

    The soap interface is also available on the web GUI port.

  5. #5
    Join Date
    Oct 2009
    Posts
    12
    Rep Power
    6

    Default

    Hi Guys. I'm getting this same issue. My concern is whether this is a vulnerability in the zimbra system and what's the potential threat. Can someone from zimbra comment on this?

  6. #6
    Join Date
    May 2010
    Posts
    34
    Rep Power
    5

    Default

    Pascal,
    Did you ever figure out what's going on here? We're experiencing the same issue with one of our users. Their calendar appear to stop syncing via CalDAV (iCAL) at the same time.

Similar Threads

  1. Replies: 7
    Last Post: 02-13-2013, 01:36 AM
  2. Replies: 6
    Last Post: 12-09-2010, 08:19 AM
  3. Install Zimbra 6.0.8 x64 on Debian Lenny Fail
    By Titi974 in forum Installation
    Replies: 6
    Last Post: 10-21-2010, 05:47 AM
  4. Problem with Mail Server - Need help!
    By joeleo in forum Installation
    Replies: 2
    Last Post: 03-04-2008, 11:03 AM
  5. My Zimbra server down ... please help :)
    By frankb in forum Administrators
    Replies: 2
    Last Post: 12-12-2007, 10:29 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •