
Thread: Identify compromised accounts

  1. #11 (Join Date: Dec 2005, Posts: 31, Rep Power: 9)

    So what to do if auth is "held"

    Just got hosed by this exact situation today, and my booby-trap didn't catch it. Will take a look-see at the sasl_username and see if that proves more effective. If you have any code for this I'd sure love to see this.

    Quote Originally Posted by drwho18:
    The script posted above is a good idea, however it doesn't really stop an in-process attack (at least on my Zimbra setup). It checks for "auth ok", of which I tend to see a few; the spammer appears to hold SMTP open and I see each send tagged with a "sasl_username" in the logs, and checking the message ID out I see it was a new message with fresh recipients. I have modded the script to check for sasl_username, as I think that is more relevant to trip off a spam notice; however, locking the account does not stop said account from continuing to spam through the server. If it tries to come in from a new IP it will try to reauth and fail fine, but I believe it will continue to function until the SMTP session is stopped, by which time a lot of damage can be done to a mail server's reputation. Any ideas how to stop this, or reduce the max SMTP session time or something, would be the way to go. I wish every sasl_username request was an actual auth attempt; maybe saslauthd is caching by default on Zimbra?

  2. #12 (Join Date: Dec 2005, Posts: 31, Rep Power: 9)

    I ended up with something very similar (in the grep/sed/awk commands)... added a logrotation at the end, so that the user's account can get unlocked once appropriate measures are taken (strung up by thumbs, teaching moment exploited, password changed, etc.)


    #!/bin/bash
    # Checks the log file and gets a count of authenticated sends per minute, per user;
    # if the count exceeds the maxmails value the user's account is locked and
    # support is notified by mail.

    logfile="/var/log/zimbra.log"
    maxmails="10"
    mydomain="example.com"
    support="techsupport@$mydomain"
    accounts="/tmp/active_accounts"
    logrotate_conf="/etc/logrotate.d/zimbra"
    rotate="0"
    touch "$accounts"

    # list of currently active accounts, one address per line
    su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"

    # Earlier variants counted "auth ok" lines instead of sasl_username:
    #zgrep -i "auth ok" $logfile | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n | \
    #zgrep -i "auth ok" $logfile | sed 's/@example.com//g' | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n | \
    #
    # Collapse the double space syslog puts after single-digit days, split on space and
    # colon, print "HH:MM user" per message, then count identical (minute, user) pairs.
    # The input is sorted before uniq -c because uniq only merges adjacent duplicates and
    # the log interleaves users. Process substitution keeps the loop in the current shell
    # so the rotate="1" assignment survives (a pipeline into while runs in a subshell).
    while read -r count timestamp userid
    do
        # only lock accounts that are still active (exact whole-line match)
        if [ "$count" -gt "$maxmails" ] && grep -qxF "$userid@$mydomain" "$accounts"; then
            echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
            su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
            subject="$userid account locked due to excessive connections"
            # Email text/message
            message="/tmp/emailmessage.txt"
            echo "$userid account has been locked as there were $count connections made at" > "$message"
            echo "$timestamp. Please have the user change their password, and check for phishing" >> "$message"
            echo "emails if possible." >> "$message"
            # send an email using /bin/mail
            /usr/bin/mail -s "$subject" "$support" < "$message"
            rm -f "$message"

            # set flag to rotate logs so that after mitigation the account does not automatically re-lock
            rotate="1"

            # update list of active accounts
            su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"
        fi
    done < <(zgrep -i "sasl_username" "$logfile" | sed "s/@$mydomain//g" | sed 's/  */ /g' \
             | awk -F"[ :]" '{print $3":"$4,$13;}' | sed 's/sasl_username=//g' | sort | uniq -c | sort -n)

    if [ "$rotate" -eq "1" ]; then
        # rotate the logs
        logrotate -f "$logrotate_conf"
    fi

    rm -f "$accounts"

  3. #13 (Join Date: May 2007, Location: Zimbra, Posts: 1,285, Rep Power: 10)

    You have to restart postfix for this to be effective, unfortunately. :/ As I noted previously, they are using a permanent smtp connection, there are not actually additional sasl_auth's occurring, that's an artifact of postfix logging. The only way to close out the connection is to restart postfix.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  4. #14 (Join Date: May 2007, Location: Zimbra, Posts: 1,285, Rep Power: 10)

    Also, I'd write my own script to get the accounts via ldap, that just pulls active accounts.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  5. #15 (Join Date: Mar 2006, Location: Beaucaire, France, Posts: 2,322, Rep Power: 13)

    Quanah, does the same "caching/closing connection issue" exist when a password is changed?

  6. #16 (Join Date: May 2007, Location: Zimbra, Posts: 1,285, Rep Power: 10)

    There is no "caching" issue. Persistent connections are part of the SMTP specifications, and not interrupting established connections arbitrarily is also part of the SMTP specifications. The only way to force close an established connection is to restart postfix. I already had a bit of a discussion about this with Wietse.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
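The per-minute sasl_username count that the script in #12 performs, together with the point made in #13 and #16 that the volume comes from one SMTP session held open, as an added Python example; this is not code from the thread or from Zimbra. It parses constructed postfix/smtpd log lines, flags still-active accounts that exceed the limit the way the script does, and then breaks each flagged user's messages down by smtpd process id: when everything sits on a single pid, locking the account stops new logins but not the session already open. All log lines, addresses and the active-account set are constructed, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of postfix/smtpd lines as they appear in /var/log/zimbra.log
# (not real data). Note the double space in "Mar  5": syslog pads single-digit
# days, which is why the thread's script collapses spaces before splitting.
def _line(sec, pid, qid, client, user, minute="10:23"):
    return (f"Mar  5 {minute}:{sec:02d} mail postfix/smtpd[{pid}]: {qid}: "
            f"client=unknown[{client}], sasl_method=PLAIN, sasl_username={user}")

SAMPLE_LOG = (
    # alice: 12 messages in one minute, all on smtpd pid 4711 = one session held open
    [_line(s, 4711, f"A{s:05X}", "203.0.113.9", "alice@example.com") for s in range(1, 13)]
    # bob: ordinary use, 3 messages over two separate connections
    + [_line(5, 4720, "B00001", "198.51.100.7", "bob@example.com"),
       _line(40, 4725, "B00002", "198.51.100.7", "bob@example.com"),
       _line(50, 4725, "B00003", "198.51.100.7", "bob@example.com")]
    # carol: already locked (absent from the active list) but still sending on a held session
    + [_line(s, 4730, f"C{s:05X}", "192.0.2.33", "carol@example.com") for s in range(1, 12)]
    # an unauthenticated client line carries no sasl_username and is skipped by the parser
    + ["Mar  5 10:23:59 mail postfix/smtpd[4740]: D00001: client=unknown[192.0.2.50]"]
)

# What the script's "zmaccts | grep active" step would produce (constructed).
ACTIVE_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Assumed line layout: "<Mon> <day> HH:MM:SS host postfix/smtpd[pid]: QUEUEID: client=..., ..., sasl_username=..."
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+\S+\s+"
    r"postfix/smtpd\[(?P<pid>\d+)\]:\s+(?P<qid>[0-9A-F]+):\s+client=(?P<client>\S+?),"
    r".*\bsasl_username=(?P<user>\S+)"
)


def parse_sasl_events(lines):
    """One record per message accepted on an authenticated session; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({"minute": f"{m['mon']} {int(m['day'])} {m['hh']}:{m['mm']}",
                       "pid": int(m["pid"]), "client": m["client"], "user": m["user"]})
    return events


def per_minute_counts(events):
    """(minute, user) -> messages, the grouping the script's awk | sort | uniq -c produces."""
    return Counter((e["minute"], e["user"]) for e in events)


def accounts_over_limit(events, active_accounts, maxmails=10):
    """Active users that exceeded maxmails within some minute: the script's lock condition."""
    return sorted((user, minute, n) for (minute, user), n in per_minute_counts(events).items()
                  if n > maxmails and user in active_accounts)


def sessions_for_user(events, user):
    """Messages per (smtpd pid, client) for one user, busiest first. A single pid carrying
    the whole volume is one SMTP session kept open, which locking the account does not end."""
    by_session = Counter((e["pid"], e["client"]) for e in events if e["user"] == user)
    return sorted(by_session.items(), key=lambda item: (-item[1], item[0]))


def report(lines, active_accounts, maxmails=10):
    """Lines an operator would want in the notification mail the script sends."""
    events = parse_sasl_events(lines)
    out = []
    for user, minute, n in accounts_over_limit(events, active_accounts, maxmails):
        out.append(f"{user}: {n} messages at {minute} (limit {maxmails}); lock the account")
        sessions = sessions_for_user(events, user)
        for (pid, client), k in sessions:
            out.append(f"  smtpd[{pid}] client {client}: {k} messages")
        if len(sessions) == 1:
            out.append("  single held-open session: a lock stops new logins only; restart postfix to drop it")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, ACTIVE_ACCOUNTS):
        print(line)
```

Run against a real log by reading the file into a list and replacing `SAMPLE_LOG`; the regex is the only part tied to the assumed line layout, so adjust it first if the smtpd lines on the server look different.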

  7. #17 (Join Date: Mar 2006, Location: Beaucaire, France, Posts: 2,322, Rep Power: 13)

    OK, got it...
    As long as the spammer is connected, we're doomed. And we need to restart postfix.

  8. #18 (Join Date: Mar 2013, Posts: 11, Rep Power: 2)

    If they used an auth token, you need to check which token is sending email and after that figure out which user was used to create this token.
