Search found 10 matches

by gaelroma
Wed Oct 17, 2018 7:20 pm
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

I managed to print real IP disabling Outbound NAT rule generation in pfsense.

Thank you guys!
by gaelroma
Tue Oct 16, 2018 9:22 am
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

Yes I need it , because all machines are virtualized. I have two public IPs one for the web server and one for the mail server. the third public IP is for the firewall... resuming the NAT configuration: I access to the firewall with a public IP, then there are 2 rules (NAT 1:1) External IP Internal ...
by gaelroma
Mon Oct 15, 2018 7:20 pm
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

Hey Lance, I did what you suggested.. rebooted both machines but nothing changed, i have always the firewall IP in the logs... I can see in pfsense this weird stuff in logs. Time IF Source Destination Oct 15 21:18 WAN [fe80::6eb2:aeff:fe01:8841] [ff02::66]:2029
by gaelroma
Mon Oct 15, 2018 7:32 am
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

Hi Lance,

ehm... it' empty, no rules in Port Fowarding.

The firewall rules are the following:
Reject everything execpt
80 (HTTP)
443 (HTTPS)
143 (IMAP)
993 (IMAP/S)
110 (POP3)
995 (POP3/S)
25 (SMTP)
465 (SMTP/S)
587 (SUBMISSION)
by gaelroma
Sun Oct 14, 2018 6:58 pm
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

I know that fail2ban should fix this issue. In fact I need to reveal which IP is doing the bruteforce and ban it. Unfortunately the Zimbra log and mail log doesn't give me this information, and fail2ban rely on it. Maybe could be a DNS configuration. But in order to work behind a firewall Zimbra mus...
by gaelroma
Sun Oct 14, 2018 5:12 pm
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

Re: reveal IP connection source from bruteforce authentication attempt

Hi Mark, thank you for your reply. The zimbra version is 8.6. I am not running on proxy. The mail server is behind a firewall The firewall is a PFsense machine x.x.x.1 Zimbra is on another machine x.x.x.12 On PFsense there is a NAT 1:1 to translate te public IP to the zimbra server. I added the loca...
by gaelroma
Sat Oct 13, 2018 3:15 pm
Forum: Administrators
Topic: reveal IP connection source from bruteforce authentication attempt
Replies: 13
Views: 2036

reveal IP connection source from bruteforce authentication attempt

Hello I have Zimbra behind pfsense and the public IP is Natted to the the internal IP. SplitDNS is set as well. So the firewall is on 172.0.1.1 and the mail server on the same LAN. I see a lot of authentication failure in the zimbra log and it says that the connection comes from ... the firewall... ...
by gaelroma
Tue Oct 02, 2018 7:23 pm
Forum: Administrators
Topic: zimbra server is sending email without my authorization.
Replies: 4
Views: 631

continuing intrusion attempt

Hello there, on my zimbra log I see every 5 second an intrusion attempt Oct 2 21:18:07 mail saslauthd[3839]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ... Oct 2 21:18:07 mail saslauthd[3839]: zmpost: url='https://mail.mydomain.xxx:7071/service/ad...
by gaelroma
Thu Sep 27, 2018 5:42 pm
Forum: Administrators
Topic: zimbra server is sending email without my authorization.
Replies: 4
Views: 631

Re: zimbra server is sending email without my authorization.

Thank for the reply.

i don't think is a phishing because no one got email, in fact the first thing i did was change the password of all account.

Now i create a policy to restrict only domain of the server to send email, but i am going to delete the account info
by gaelroma
Thu Sep 27, 2018 11:06 am
Forum: Administrators
Topic: zimbra server is sending email without my authorization.
Replies: 4
Views: 631

zimbra server is sending email without my authorization.

Hello there, i Have a zimbra server 8.0.6. The info@ accout is receiving continuos email like this: Undelivered Mail Returned to Sender This is the mail system at host mail.mydomain.xxx I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached ...

Go to advanced search