How to block a brute force attack?

mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

How to block a brute force attack?

Postby mrgreiner » Tue Oct 13, 2015 6:43 am

Hi,

I have a ZCS, version 8.6, installed and running on Ubuntu 14.04.

I've enabled zmauditswatch. Now I'm seeing, with some frequency (about once every 2 to 3 weeks), one random IP address making brute force attacks against most of our email addresses. Example:


Account failure threshold exceeded: 208.105.66.150 pamela@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for pamela@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 paula@<my-domain>
Account failure threshold exceeded: 208.105.66.150 paula@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 patricia@<my-domain>
Account failure threshold exceeded: 208.105.66.150 patricia@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for patricia@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 rachel@<my-domain>
Account failure threshold exceeded: 208.105.66.150 rachel@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for rosa@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 rosa@<my-domain>
Account failure threshold exceeded: 208.105.66.150 rosa@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 roberto@<my-domain>
Account failure threshold exceeded: 208.105.66.150 roberto@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 sandra@<my-domain>
Account failure threshold exceeded: 208.105.66.150 sandra@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 security@<my-domain>
Account failure threshold exceeded: 208.105.66.150 security@<my-domain>

This usually comes from one single address, over about 30-45 minutes. Is there a way to completely block one IP address that behaves like this?

Thanks,

Roberto


phoenix
Ambassador
Posts: 26699
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

How to block a brute force attack?

Postby phoenix » Tue Oct 13, 2015 9:10 am

Do you have a firewall and/or IDS in front of your ZCS server? Have you considered cbpolicyd?

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
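As an added example (not code from either post, and not a Zimbra tool): a small Python script that parses alert lines in the format Roberto quoted, flags any source IP that tripped thresholds on several distinct mailboxes, and renders a host-firewall drop rule for it, in the spirit of Bill's firewall suggestion. The sample alerts are constructed (the page's IP plus a benign RFC 5737 address, with placeholder account names and domain), the threshold of 5 accounts is an assumption, and the iptables rule is only returned as text, not executed.

```python
import re
from collections import defaultdict

# Matches the three alert forms zmauditswatch emits, as quoted in the post above.
ALERT_RE = re.compile(
    r"^(?P<kind>IP:Acct|IP|Account) failure threshold exceeded: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:exceeded threshold on failure for )?(?P<account>\S+@\S+)$"
)

# Constructed sample: the page's IP walking many mailboxes, plus one benign IP (RFC 5737).
SAMPLE_ALERTS = """\
Account failure threshold exceeded: 208.105.66.150 pamela@example.com
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for pamela@example.com
IP:Acct failure threshold exceeded: 208.105.66.150 paula@example.com
IP:Acct failure threshold exceeded: 208.105.66.150 patricia@example.com
Account failure threshold exceeded: 208.105.66.150 rachel@example.com
IP:Acct failure threshold exceeded: 208.105.66.150 rosa@example.com
Account failure threshold exceeded: 208.105.66.150 roberto@example.com
Account failure threshold exceeded: 192.0.2.10 sandra@example.com
this line is not an alert
"""

def parse_alert(line):
    """Return (kind, ip, account) for a zmauditswatch alert line, or None."""
    m = ALERT_RE.match(line.strip())
    return (m["kind"], m["ip"], m["account"]) if m else None

def accounts_per_ip(text):
    """Map each source IP to the set of distinct accounts it tripped a threshold on."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if (parsed := parse_alert(line)):
            _, ip, account = parsed
            hits[ip].add(account)
    return hits

def spraying_ips(text, min_accounts=5):
    """IPs that failed against >= min_accounts distinct mailboxes (one IP, many accounts)."""
    return sorted(ip for ip, accts in accounts_per_ip(text).items() if len(accts) >= min_accounts)

def block_rules(ips):
    """Render host-firewall drop rules for the offending IPs (returned as text, not run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in block_rules(spraying_ips(SAMPLE_ALERTS)):
        print(rule)
```

Feed it the alert lines zmauditswatch mails you (or its log) and review the printed rules before applying them; a per-account threshold alone would not separate a single user's typos from one IP sweeping the whole domain.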
