Is this normal?

guti19840
Posts: 16
Joined: Thu Feb 26, 2015 2:29 pm

Is this normal?

Postby guti19840 » Fri Sep 28, 2018 4:56 am

Every 1,0s: tail -n1000 /var/log/zimbra.log | grep auth_zimbra: Fri Sep 28 01:55:23 2018

Sep 28 01:00:40 correo saslauthd[6285]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:01:53 correo saslauthd[6287]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:03:23 correo saslauthd[6283]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:04:32 correo saslauthd[6285]: auth_zimbra: info auth failed: authentication failed for [info]
Sep 28 01:05:38 correo saslauthd[6284]: auth_zimbra: postmaster auth failed: authentication failed for [postmaster]
Sep 28 01:06:55 correo saslauthd[6282]: auth_zimbra: teste123 auth failed: authentication failed for [teste123]
Sep 28 01:07:18 correo saslauthd[6283]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:08:05 correo saslauthd[6285]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:09:18 correo saslauthd[6284]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:10:41 correo saslauthd[6283]: auth_zimbra: info auth failed: authentication failed for [info]
Sep 28 01:11:53 correo saslauthd[6285]: auth_zimbra: postmaster auth failed: authentication failed for [postmaster]
Sep 28 01:13:10 correo saslauthd[6287]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:14:20 correo saslauthd[6282]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:14:59 correo saslauthd[6283]: auth_zimbra: hpword auth failed: authentication failed for [hpword]
Sep 28 01:15:37 correo saslauthd[6284]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:19:24 correo saslauthd[6282]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:20:36 correo saslauthd[6283]: auth_zimbra: admin auth failed: authentication failed for [admin]

zmcontrol -v
Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial


DualBoot
Elite member
Posts: 1073
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: Is this normal?

Postby DualBoot » Fri Sep 28, 2018 8:11 am

Brute force in progress.
L. Mark Stone
Elite member
Posts: 1993
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition

Re: Is this normal?

Postby L. Mark Stone » Fri Sep 28, 2018 4:39 pm

Brute force in progress, as DualBoot said.

This is a good use case for fail2ban or DoSFilter....

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
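
An added example, not part of any post in this thread: a small Python check for the pattern visible in the quoted log, where many different generic account names fail in quick succession. The 10-minute window, the five-account threshold and the function names are illustrative assumptions; the lines as posted carry no client address, so the check groups by username only.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# First seven failures from the log quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
Sep 28 01:00:40 correo saslauthd[6285]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:01:53 correo saslauthd[6287]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:03:23 correo saslauthd[6283]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:04:32 correo saslauthd[6285]: auth_zimbra: info auth failed: authentication failed for [info]
Sep 28 01:05:38 correo saslauthd[6284]: auth_zimbra: postmaster auth failed: authentication failed for [postmaster]
Sep 28 01:06:55 correo saslauthd[6282]: auth_zimbra: teste123 auth failed: authentication failed for [teste123]
Sep 28 01:07:18 correo saslauthd[6283]: auth_zimbra: test auth failed: authentication failed for [test]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+saslauthd\[\d+\]:\s+auth_zimbra: "
    r"(?P<user>\S+) auth failed: authentication failed for \[(?P=user)\]$"
)

def parse_failures(text, year=2018):
    """Return sorted (timestamp, username) pairs; syslog omits the year, so it is passed in."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"]))
    return sorted(events)

def max_distinct_users(events, window):
    """Largest number of distinct usernames that failed inside any sliding window."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({user for _, user in events[start:end + 1]}))
    return best

def looks_like_guessing(events, window=timedelta(minutes=10), min_users=5):
    """Illustrative threshold (assumption): many different accounts failing close together."""
    return max_distinct_users(events, window) >= min_users

if __name__ == "__main__":
    events = parse_failures(SAMPLE)
    print(Counter(user for _, user in events).most_common())
    print("distinct users in 10 min:", max_distinct_users(events, timedelta(minutes=10)))
    print("guessing pattern:", looks_like_guessing(events))
```
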
Jordack
Posts: 28
Joined: Sat Sep 13, 2014 2:15 am

Re: Is this normal?

Postby Jordack » Sat Nov 17, 2018 8:39 pm

If you put something on the internet, someone malicious will try to log into it.

My home server has SSH open on a non-standard port (security through obscurity). Fail2ban still bans at least one person/bot a month.

So is it normal? Yes. Just a normal everyday threat to the security of your internet-facing device.
