Thread: Attacks through webmail interface

  1. #1

    Attacks through webmail interface

    Greetings,

    I've been having problems where someone is targeting key user accounts, including my own. I've been trying to track down the offending IPs using audit.log and zmauditswatchctl, but I'm not having any luck. What I keep getting are reports that my own server is trying to hack my account (account/domain/IP changed for this posting):

    2013-04-30 00:20:58,167 WARN [btpool0-2199://mydomain.com:7071/service/admin/soap/] [name=systems.manager@mydomain.com;ip=192.168.20.9;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap; error=authentication failed for [systems.manager@mydomain.com], invalid password;

    I have to assume this means that the attacker is using the web interface to try and log into the account. Zimbra's account lockout function seems to be working fine, but unfortunately when an account is locked out that means my phone, my tablet, my laptop and my PC also cannot access my mail until the lockout has ended.

    How can we get the actual IP of the attacker to be reported instead of the server's own IP?

    Thanks!

  2. #2

    Quote Originally Posted by rotorboy View Post
    2013-04-30 00:20:58,167 WARN [btpool0-2199://mydomain.com:7071/service/admin/soap/] [name=systems.manager@mydomain.com;ip=192.168.20.9;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap; error=authentication failed for [systems.manager@mydomain.com], invalid password;
    Port 7071 is not WebMail; it is the admin tool. Also note the path (/service/admin/soap/) is to the admin tool. You should not have the admin tool available to the outside world.

    SOAP authentication requests from WebMail will come in to path (/service/soap) and will not be on port 7071.

  3. #3

    If I block the admin port from outside use, domain administrators will have no access to update or manage their users.
    All I need is to figure out which IPs are hitting the admin and/or webmail interface to try and hack my account so I can set up a blocking mechanism.

  4. #4

    Quote Originally Posted by rotorboy View Post
    If I block the admin port from outside use, domain administrators will have no access to update or manage their users.
    All I need is to figure out which IPs are hitting the admin and/or webmail interface to try and hack my account so I can set up a blocking mechanism.
    rotorboy, just do the reverse.

    Allow known IPs from your administrators to port 7071 and block any other.

    After that, you have to use a VPN to allow them.

    ccelis

  5. #5

    It's not unusual for hacks aimed at the admin account to ultimately lock the account. I have created an account with an unusual name that has admin rights, which I only use when my admin is locked out. Since the e-mail account is not used, it has never been the subject of an attempted hack and provides my access in case of emergency. I doubt it is the same IP trying to hack your admin account every time. You would need to firewall an extraordinary number of IPs, and then a new one out of the blue would try.

    Just make sure your passwords are strong and you have the lockout policy enforced.

  6. #6

    Thanks for the responses. Unfortunately using a VPN system is impractical for the setup. I do have a separate login for the primary admin user so I suppose I could remove administrator privileges from the affected accounts.

    At this point I would rather understand the attack and where it's coming from. I find it hard to believe there's no way to compare the IPs of successfully logged-in webmail or admin users against the many IPs that failed to log into webmail or admin. IPs that have at some point been successful can be allowed, while IPs that have never succeeded and only failed can be blocked at the firewall. This works well in other environments, requires little maintenance, and minimal tech support to manage.

    So to change the question: how can I get a log of successful and failed IPs visiting the webmail and admin interfaces? I'm searching through the logs and I can't seem to find this information.
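One way to get the per-IP success/failure view asked for above from audit.log, as an added example (not from the thread or from Zimbra itself): it classifies each cmd=Auth line as admin (/service/admin/soap, port 7071) or webmail (/service/soap) using the distinction from post #2, treats lines carrying error= as failures, and lists IPs that have only ever failed. It assumes audit.log lines look like the one quoted in post #1, and that when a proxy sits in front Zimbra adds an oip= field with the originating client address before ip=; both the sample lines and that assumption are constructed here, not established in the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines. The first two mirror the format of the
# line quoted in the thread (same placeholder domain/IP); the last two are made
# up to show a webmail success and a webmail failure with an assumed oip= field.
SAMPLE_LOG = """\
2013-04-30 00:20:58,167 WARN [btpool0-2199://mydomain.com:7071/service/admin/soap/] [name=systems.manager@mydomain.com;ip=192.168.20.9;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap; error=authentication failed for [systems.manager@mydomain.com], invalid password;
2013-04-30 00:21:03,004 WARN [btpool0-2200://mydomain.com:7071/service/admin/soap/] [name=systems.manager@mydomain.com;ip=192.168.20.9;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap; error=authentication failed for [systems.manager@mydomain.com], invalid password;
2013-04-30 08:15:20,511 INFO [btpool0-2231://mydomain.com/service/soap/] [name=systems.manager@mydomain.com;oip=203.0.113.7;ip=127.0.0.1;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap;
2013-04-30 08:16:44,090 WARN [btpool0-2235://mydomain.com/service/soap/] [name=systems.manager@mydomain.com;oip=198.51.100.23;ip=127.0.0.1;] security - cmd=Auth; account=systems.manager@mydomain.com; protocol=soap; error=authentication failed for [systems.manager@mydomain.com], invalid password;
"""

IP_RE = re.compile(r";ip=(?P<ip>[^;\]]+);")      # address the servlet saw
OIP_RE = re.compile(r";oip=(?P<oip>[^;\]]+);")   # assumed originating address behind a proxy
ACCOUNT_RE = re.compile(r"account=(?P<acct>[^;]+);")

def parse_auth_event(line):
    """Return (interface, client_ip, account, ok) for a cmd=Auth line, else None."""
    if "cmd=Auth;" not in line:
        return None
    if "/service/admin/soap" in line:     # admin tool, port 7071 (post #2)
        interface = "admin"
    elif "/service/soap" in line:         # webmail SOAP endpoint
        interface = "webmail"
    else:
        interface = "other"
    m_oip, m_ip = OIP_RE.search(line), IP_RE.search(line)
    if not (m_oip or m_ip):
        return None
    client_ip = m_oip.group("oip") if m_oip else m_ip.group("ip")
    m_acct = ACCOUNT_RE.search(line)
    account = m_acct.group("acct") if m_acct else ""
    ok = "error=" not in line             # failed Auth lines carry an error= field
    return interface, client_ip, account, ok

def summarize(lines):
    """Per-IP counters: {ip: {"ok": n, "fail": n, "interfaces": set()}}."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "interfaces": set()})
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            continue
        interface, ip, _account, ok = ev
        stats[ip]["ok" if ok else "fail"] += 1
        stats[ip]["interfaces"].add(interface)
    return stats

def never_succeeded(stats, min_failures=1):
    """IPs that only ever failed: the candidate firewall block list from post #6."""
    return sorted(ip for ip, s in stats.items()
                  if s["ok"] == 0 and s["fail"] >= min_failures)

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(st.items()):
        print(ip, s["ok"], "ok", s["fail"], "failed", sorted(s["interfaces"]))
    print("never succeeded:", never_succeeded(st))
```

If a line carries no oip= and its ip= is the server's own address, as in the quoted line, the client address is not in that record and the raising of `min_failures` will not help; the device in front of the mailbox server is then the place to look.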
