Brute force attack & SPAM configuration

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Brute force attack & SPAM configuration

Postby TitusI » Fri Apr 15, 2016 3:31 pm

Hi, I'm new to Zimbra but I had to manage a group of server using:

Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
and
Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.

I'm in trouble understandig the actual zimbra configuration (I found the server screaming under a landslade of SPAM and brute force...so...I'm in some troubled water :| ).

First problem: I see a lot of brute force attack using different user name against Server_public_ip:7071/service/admin/soap/ from...
Server_public_ip...

2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;

access to Server_public_ip:7071/ is blocked from outside network

I've googled a lot and done this steps and restarted zimbra:

zmlocalconfig zimbra_http_originating_ip_header
zimbra_http_originating_ip_header = X-Forwarded-For

zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP Server_public_ip

Nothing changed :(.

I've searched a lot in bugzilla and zimbra forum it seems to be a old solved problem, I've made the suggested change but nothing happend.

Is this issue solved in some recent patch? Do you have some useful reference? Do you need other information?

Second: Is zimbra filtering spam?? I think the answer is NO, but I want to share my config on 8.6 machine:

#zmlocalconfig |grep -i spam
antispam_backup_retention = 0
antispam_enable_restarts = false
antispam_enable_rule_compilation = false
antispam_enable_rule_updates = false
antispam_mysql_data_directory = ${zimbra_home}/data/amavisd/mysql/data
antispam_mysql_directory = ${zimbra_home}/mta/mariadb
antispam_mysql_enabled = false
antispam_mysql_errlogfile = ${zimbra_home}/log/antispam-mysqld.log
antispam_mysql_host = 127.0.0.1
antispam_mysql_mycnf = ${zimbra_home}/conf/antispam-my.cnf
antispam_mysql_password = *
antispam_mysql_pidfile = ${zimbra_home}/data/amavisd/mysql/mysql.pid
antispam_mysql_port = 7308
antispam_mysql_root_password = *
antispam_mysql_socket = ${zimbra_home}/data/amavisd/mysql/mysql.sock
antispam_mysql_user = zimbra
zimbra_spam_report_queue_size = 100


/opt/zimbra/log/spamtrain.log is empty.
Zimbra is using Spammassasin or dspam?
antispam_mysql_enabled = false So zimbra is using a berkley db?

Using the zimbra administrator graphic interfece it seem all to be ok (antispam antivirus...)...but I don't belive it.

Any help is really appreciated. :D
Last edited by TitusI on Fri Apr 22, 2016 10:21 am, edited 1 time in total.


User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1666
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Re: Brute force attack

Postby quanah » Sat Apr 16, 2016 5:51 pm

When someone connects to postfix to auth, it generates a SOAP auth request. So what is likely happening is someone is trying to brute force against postfix. If you use something like fail2ban to block IP addresses slamming postfix, your SOAP calls should go away. I.e., you're attempting to tackle the wrong problem.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Postby TitusI » Sun Apr 17, 2016 9:32 am

I'm using file2ban, I want to underline that the ip address of the client who made the login attemps is not correct (it's my server public ip) and this is a problem.
Please explain what do you mean when you write it is an attack aginst postfix, i see port 7071 into the log.

How can I understand if my zimbra is using DSPAM or Spammassasin or all together? :?
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1666
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Re: Brute force attack

Postby quanah » Sun Apr 17, 2016 3:42 pm

TitusI wrote:I'm using file2ban, I want to underline that the ip address of the client who made the login attemps is not correct (it's my server public ip) and this is a problem.
Please explain what do you mean when you write it is an attack aginst postfix, i see port 7071 into the log.

How can I understand if my zimbra is using DSPAM or Spammassasin or all together? :?


Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation help.

Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Postby TitusI » Mon Apr 18, 2016 7:35 am

quanah wrote:
TitusI wrote:I'm using file2ban, I want to underline that the ip address of the client who made the login attemps is not correct (it's my server public ip) and this is a problem.
Please explain what do you mean when you write it is an attack aginst postfix, i see port 7071 into the log.

How can I understand if my zimbra is using DSPAM or Spammassasin or all together? :?


Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation help.

Regards,
Quanah


Yes, it help a lot understanding the problem, but I pass to file2ban audit.log in which the reported ip is the one for 7071...(my server public ip) not the client of connection on 465/578

2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;

Where I had to look in my log there for connection on 465/578?

Thank you! :)
horiachirculescu
Posts: 4
Joined: Mon Apr 18, 2016 9:14 am

Re: Brute force attack

Postby horiachirculescu » Mon Apr 18, 2016 9:54 am

Hello.

You should check postfix's log files (usually /var/log/mail)
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Postby TitusI » Mon Apr 18, 2016 1:22 pm

Hi :)

horiachirculescu wrote:Hello.

You should check postfix's log files (usually /var/log/mail)


Thank you, I don't have var/log/mail I've /var/log/maillog. I use the standard zimbra log /opt/zimbra/audit.log mailbox.log and /var/log/zimbra.log

my fail2ban jail indicate for postfix:

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=mymail@me]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

in zimbra.log i've a lot of hti->error='' for access to :7071/service/admin/soap/

:?
horiachirculescu
Posts: 4
Joined: Mon Apr 18, 2016 9:14 am

Re: Brute force attack

Postby horiachirculescu » Wed Apr 20, 2016 5:14 am

You should block the acces to the admin console port (specified by zimbraAdminBindAddress - default 7071) to permit access from only trusted networks. You can change the firewall rules on your security gateway or you can use a firewall on your mail server(s) (ex. iptables on linux boxes)
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Postby TitusI » Wed Apr 20, 2016 9:05 am

horiachirculescu wrote:You should block the acces to the admin console port (specified by zimbraAdminBindAddress - default 7071) to permit access from only trusted networks. You can change the firewall rules on your security gateway or you can use a firewall on your mail server(s) (ex. iptables on linux boxes)


Access to the admin port is allready locked.

My problem is my lack of knowledge on zimbra logic, I think that there is a logging problem (wrong host shown in audit.log) and two configuration problem, fail2ban is not working correctly and antispam is not working too (a lot of spam pass).

Any help in CHECK (i could be wrong) and solve this issue is appreciated. :)
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Postby TitusI » Fri Apr 22, 2016 10:25 am

quanah wrote:
TitusI wrote:I'm using file2ban, I want to underline that the ip address of the client who made the login attemps is not correct (it's my server public ip) and this is a problem.
Please explain what do you mean when you write it is an attack aginst postfix, i see port 7071 into the log.

How can I understand if my zimbra is using DSPAM or Spammassasin or all together? :?


Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation help.

Regards,
Quanah


Following your suggestion on other thread and reading the suggested resource I've mitigated the SPAM problem:

test:
zmlocalconfig antispam_enable_rule_updates
RES:antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
RES:antispam_enable_restarts = false

Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart

But I would like to kno who is doing the job? DSPAM or Spammassassin?
ps aux|grep -i spam
gave 0 output

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 19 guests