[SOLVED] Distributed SASL LOGIN authentication failed

dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

[SOLVED] Distributed SASL LOGIN authentication failed

Postby dik23 » Wed Oct 26, 2016 2:06 pm

Over the last couple of weeks I'm seeing a large number of attacks that follow the pattern:


Oct 26 13:25:01 mydomain saslauthd[3819]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...
Oct 26 13:25:01 mydomain saslauthd[3819]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [user.name@mydomain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp821866309-20353:https://10.0.0.101:7071/service/admin/soap/:1477484701386:aae4520b8c7c5743</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct 26 13:25:01 mydomain saslauthd[3819]: auth_zimbra: user.name@mydomain.com auth failed: authentication failed for [user.name@mydomain.com]
Oct 26 13:25:01 mydomain saslauthd[3819]: do_auth         : auth failure: [user=user.name@mydomain.com] [service=smtp] [realm=mydomain.com] [mech=zimbra] [reason=Unknown]
Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: SASL authentication failure: Password verification failed
Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: unknown[197.217.75.95]: SASL PLAIN authentication failed: authentication failure


The main difference between them is the IP, which is sometimes repeated a couple of times but is normally different.

This is causing problems because it's locking users out, which they find annoying. I could loosen the lockout requirements but I feel that would be a bad idea considering the large number of failed attempts each day.

Can anyone comment / help?


Thanks
Last edited by dik23 on Fri Dec 16, 2016 2:19 pm, edited 1 time in total.


jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm

Re: Distributed SASL LOGIN authentication failed

Postby jorgedlcruz » Wed Oct 26, 2016 3:42 pm

Hi,
You can try disabling port 7071 at the firewall level so people from outside can't reach it, only you via VPN. It will not do much, but it is something at least.

The second thing I would recommend is to configure something like Fail2Ban:

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

Re: Distributed SASL LOGIN authentication failed

Postby dik23 » Thu Oct 27, 2016 8:21 am

Thanks for your input.

Access to 7071 has been restricted from day one.

I had a look at fail2ban but there are a couple of problems I can see with it. Firstly, it's known to not work well with distributed attacks. There's little point banning an IP address if that address isn't going to be involved in future attempts.

The second problem is that many of our users are at third-party sites. If (when) one of them enters their password incorrectly, fail2ban could ban their IP and so block access for 50 other legitimate users. That would be bad. Of course I could attempt to whitelist these IPs, but we're talking about very large multinationals, so it would be difficult.

Any other ideas out there?
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

Re: Distributed SASL LOGIN authentication failed

Postby dik23 » Fri Dec 16, 2016 2:19 pm

If anyone's interested, I found the best way to prevent this has been to use ipsets to dynamically update firewall rules for the smtp and https ports.
JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Postby JDunphy » Fri Dec 16, 2016 3:22 pm

ipset is a great choice! If you create the sets with timeouts, then you don't have to worry about taking out addresses that are from legit sites.


# used by iptables to slow down smtp attacks
ipset create blacklist hash:ip hashsize 4096 timeout 900
ipset create blacklist4hr hash:ip hashsize 4096 timeout 14400

Very simple to use as in:

# Used by websites to block bots and hackers
-A INPUT -m set --match-set blacklist4hr src -j DROP

They definitely will scale for large attacks. On our servers, we see hundreds per second taken out based on a simple perl script watching log files... Just a multi-tail perl module with regexes putting them in timeout for a few hours.

You add them without having to change your firewall rules, and they expire automatically after 4 hours in this example.

ipset add blacklist4hr X.X.X.X
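Added example, not code from JDunphy or dik23: the log-watching half of the approach above, written as a POSIX shell script that turns the postfix SASL failure lines from the first post into `ipset add` commands for the `blacklist4hr` set created earlier. The sample log lines, the documentation-range addresses, the `ALLOW_LIST` of addresses that must never be added (dik23's shared third-party sites), and the failure threshold are all constructed assumptions; only the log line format and the set name come from the thread.

```shell
#!/bin/sh
# Added example: count postfix SASL failures per client address and emit
# "ipset add" commands for the offenders. Not part of the original thread.

# Constructed sample log lines (documentation-range addresses, not real traffic).
# 192.0.2.10 fails three times, 198.51.100.7 once, 203.0.113.9 three times but is
# on the allow list; the "Password verification failed" line carries no address.
SAMPLE_LOG='Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:03 mydomain postfix/smtps/smtpd[9992]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Oct 26 13:25:04 mydomain postfix/smtps/smtpd[9993]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:05 mydomain postfix/smtps/smtpd[9994]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:06 mydomain postfix/smtps/smtpd[9995]: warning: SASL authentication failure: Password verification failed
Oct 26 13:25:07 mydomain postfix/smtps/smtpd[9996]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:08 mydomain postfix/smtps/smtpd[9996]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:09 mydomain postfix/smtps/smtpd[9996]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure'

# Constructed allow list: addresses that are never added to the set, e.g. a partner
# site whose many users sit behind one NAT address. Space-separated.
ALLOW_LIST='203.0.113.9'

# Read log lines on stdin, print "count ip" for every client that failed SASL
# PLAIN/LOGIN auth, sorted by address. The address is the dotted quad inside the
# "client[ip]:" bracket; the smtpd[pid] bracket has no dots so it never matches.
sasl_failures_per_ip() {
    awk '/SASL (PLAIN|LOGIN) authentication failed/ {
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]:/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 3)
                count[ip]++
            }
        }
        END { for (ip in count) print count[ip], ip }' | sort -k2
}

# Print only the addresses with at least $1 failures, skipping the allow list.
# A threshold above 1 keeps a single mistyped password from adding an address.
offenders() {
    threshold=$1
    sasl_failures_per_ip | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $ALLOW_LIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done
}

# Emit the ipset commands (set name in $1, threshold in $2) rather than running
# them, so the output can be reviewed or piped to sh. -exist makes re-adding an
# address harmless and refreshes its timeout in a set created with "timeout".
ipset_add_commands() {
    setname=$1
    offenders "$2" | while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$setname" "$ip"
    done
}

# Stand-alone run over the constructed sample: prints one command, for 192.0.2.10.
printf '%s\n' "$SAMPLE_LOG" | ipset_add_commands blacklist4hr 3
```

To run it against live traffic instead of the sample, feed the mail log to `ipset_add_commands` (for example with `tail -F` on the log file) and pipe the printed commands to `sh` once you are satisfied with the threshold and allow list; because the set was created with a timeout, nothing added this way outlives it.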
evotinion
Posts: 3
Joined: Tue Jul 11, 2017 4:03 am

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Postby evotinion » Tue Jul 11, 2017 4:05 am

Hi dik23,

Would you mind sharing your solution on ipset?
Last edited by evotinion on Tue Jul 11, 2017 7:34 am, edited 2 times in total.
evotinion
Posts: 3
Joined: Tue Jul 11, 2017 4:03 am

Re: Distributed SASL LOGIN authentication failed

Postby evotinion » Tue Jul 11, 2017 4:11 am

dik23 wrote: If anyone's interested, I found the best way to prevent this has been to use ipsets to dynamically update firewall rules for the smtp and https ports.

dik23 would you mind sharing the solution?
Thanks
