Brute force attack & SPAM configuration

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1666
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Re: Brute force attack

Postby quanah » Sat Apr 23, 2016 10:21 pm

TitusI wrote:
quanah wrote:
TitusI wrote:I'm using file2ban, I want to underline that the ip address of the client who made the login attemps is not correct (it's my server public ip) and this is a problem.
Please explain what do you mean when you write it is an attack aginst postfix, i see port 7071 into the log.

How can I understand if my zimbra is using DSPAM or Spammassasin or all together? :?


Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation help.

Regards,
Quanah


Following your suggestion on other thread and reading the suggested resource I've mitigated the SPAM problem:

test:
zmlocalconfig antispam_enable_rule_updates
RES:antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
RES:antispam_enable_restarts = false

Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart

But I would like to kno who is doing the job? DSPAM or Spammassassin?
ps aux|grep -i spam
gave 0 output


Amavis does. I suggest you read up on https://wiki.zimbra.com/wiki/Anti-spam_Strategies. However, none of this applies to the case of someone who has hacked one of your users and is using your server to send out spam. For that, you need to monitor the postfix logs in /var/log/zimbra.log and find the spammer and the user they've hacked, and then fix things from there.


--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack & SPAM configuration

Postby TitusI » Fri Jun 24, 2016 9:47 am

I'm still not cpable to kno the Ip of the attacker...in log I only see my own server IP.

qtp509886383-501971:https://my.server.wan.ip:7071/service/admin/soap/]

If I activete the admin login it suddenly go lockout again due to a lot of failed access...from WHO?
On another server, they do the same job,and now the service for the web admin console

zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running

doesent start ang give me a 404.
If I give a zmcontrol restart nothing change, there are no stale pid (as far as I can see) how can I start them one by one?
rojoblandino
Posts: 36
Joined: Sat Sep 13, 2014 1:36 am

Re: Brute force attack & SPAM configuration

Postby rojoblandino » Mon Oct 01, 2018 5:29 am

Fail2ban does not work, i am recieving more than a million of ip trying to auth to my accounts each time from several ip so if i block them it does nothing next time the attempt comes from another ip.

Do you know any other move to avoid this kind of attacks?

Many of my accounts are being autolock and it does not work changing the pass, it get lock or steal by the spammer attacker. The pass are not easy and nor random, they are big phrases and out of dictionary data.

Any recomendation? fail2ban is good for simples attacks from same ip, but when the attacker has more than a million of ip? What kind of step can be implemented in this situation?
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 684
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: Brute force attack & SPAM configuration

Postby pup_seba » Mon Oct 01, 2018 1:34 pm

Your problem seems a little weird. More precisely this:
"Many of my accounts are being autolock and it does not work changing the pass, it get lock or steal by the spammer attacker. The pass are not easy and nor random, they are big phrases and out of dictionary data."

If this is the case, attackers are limited to 10 attempts each ten minutes and if they lockdown the account they will have a 1hr time to cool off their attack (in default configuration), which makes really difficult for an attacker to "brute force" a password like the one you are describing. Could it be that their computers are infected with a keylogger or similar? Could it be that you are using an external LDAP for authentication with "fail to local auth" option enabled? and thus changing the user password in the external ldap but not doing it in the zimbra openldap?

To fight against attacks, basically the only things I am aware of are:
- fail2ban
- DOS Filter
- Login policies via COS
User avatar
zimico
Advanced member
Advanced member
Posts: 114
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.12
Contact:

Re: Brute force attack & SPAM configuration

Postby zimico » Mon Oct 01, 2018 1:49 pm

How do you know that hacker is using more than one million IPs?
Regards,
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1993
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: Brute force attack & SPAM configuration

Postby L. Mark Stone » Mon Oct 01, 2018 2:04 pm

One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
User avatar
zimico
Advanced member
Advanced member
Posts: 114
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.12
Contact:

Re: Brute force attack & SPAM configuration

Postby zimico » Tue Oct 02, 2018 1:10 pm

L. Mark Stone wrote:One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark

I tested DOSfilter and lockout policy. DOSfilter blocks bad IP but account is still locked out. Do you have the same issue Mark?
Best regards.
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1993
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: Brute force attack & SPAM configuration

Postby L. Mark Stone » Tue Oct 02, 2018 1:16 pm

zimico wrote:
L. Mark Stone wrote:One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark

I tested DOSfilter and lockout policy. DOSfilter blocks bad IP but account is still locked out. Do you have the same issue Mark?
Best regards.


I do not have the same issue, because I configure DoSFilter to block the IP before the account is locked out -- assuming all the bad attempts come from one IP address. If it is a distributed attack from many IP addresses simultaneously, then yes, the mailbox will likely be locked out.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
eowhinn
Posts: 1
Joined: Tue Oct 02, 2018 3:36 pm

Re: Brute force attack & SPAM configuration

Postby eowhinn » Tue Oct 02, 2018 3:41 pm

Dear, I am following your recommendations and install fail2ban according to your instructions, but when I want to launch fail2ban I get the following:

Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]

please give me a hand regards.
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1993
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: Brute force attack & SPAM configuration

Postby L. Mark Stone » Tue Oct 02, 2018 5:19 pm

eowhinn wrote:Dear, I am following your recommendations and install fail2ban according to your instructions, but when I want to launch fail2ban I get the following:

Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]

please give me a hand regards.


You have errors in your fail2ban configuration files. If you use Google to search for "zimbra fail2ban" you'll get lots of hits with actual jail file suggestions.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: zimico and 17 guests