I see some brute force attempts being made against my server through the Zimbra SOAP port 7073. This port is open to the internet on my Zimbra server. I read a wiki article here, "https://wiki.zimbra.com/wiki/Security/Collab/87", which says saslauthd now listens on 7073 and that this port should be blocked from the internet by firewalld. Should I close this port to the internet?
Brute force log:
Jan 18 22:26:43 zimbra saslauthd: zmauth: authenticating against elected url 'https://myzimbra.server.com:7073/service/admin/soap/' ...
Jan 18 22:26:43 zimbra saslauthd: zmpost: url='https://myzimbra.server.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [admin]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1595953398-23308:1547850403794:c49f5585b5ad6cfd</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Jan 18 22:26:43 zimbra saslauthd: auth_zimbra: admin auth failed: authentication failed for [admin]
Jan 18 22:26:43 zimbra saslauthd: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Jan 18 22:26:43 zimbra postfix/smtpd: warning: merenipc1.chamelon.p2.tiktalik.io[x.x.x.x]: SASL LOGIN authentication failed: authentication failure
- Outstanding Member
- Posts: 507
- Joined: Sat Sep 13, 2014 12:54 am
- ZCS/ZD Version: Ubuntu Release 8.8.15.GA.P10 FOSS
In my opinion, the only ports that should be open to the internet are those that are servicing your users. Email ports and the User's web interface on HTTPS. All other ports should be closed.
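An added example, not part of the original posts: the log lines quoted in the question carry `[service=smtp]` and a `postfix/smtpd` SASL warning with the client address, so failed logins can be tallied per service, user and SMTP client. The Python below runs over constructed sample lines in the same format; the client names and addresses, the user "info" and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the log lines quoted in the question.
# Client names/addresses (documentation ranges) and the user "info" are made up.
SAMPLE_LOG = """\
Jan 18 22:26:43 zimbra saslauthd: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Jan 18 22:26:43 zimbra postfix/smtpd: warning: host-a.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 18 22:26:51 zimbra saslauthd: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Jan 18 22:26:51 zimbra postfix/smtpd: warning: host-a.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 18 22:27:02 zimbra saslauthd: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Jan 18 22:27:02 zimbra postfix/smtpd: warning: host-a.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jan 18 22:31:10 zimbra saslauthd: do_auth : auth failure: [user=info] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Jan 18 22:31:10 zimbra postfix/smtpd: warning: host-b.example.org[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
"""

# saslauthd records which account and which service the failed attempt was for.
SASLAUTHD_RE = re.compile(
    r"saslauthd(?:\[\d+\])?: do_auth\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)
# postfix/smtpd records the remote client that presented the credentials.
POSTFIX_RE = re.compile(
    r"postfix/smtpd(?:\[\d+\])?: warning: (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

def summarize(log_text):
    """Return (failures per service, per user, per client IP) as Counters."""
    by_service, by_user, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = SASLAUTHD_RE.search(line)
        if m:
            by_service[m["service"]] += 1
            by_user[m["user"]] += 1
            continue
        m = POSTFIX_RE.search(line)
        if m:
            by_client[m["ip"]] += 1
    return by_service, by_user, by_client

def clients_over(by_client, threshold):
    """Client IPs with at least `threshold` failed SASL logins, sorted."""
    return sorted(ip for ip, n in by_client.items() if n >= threshold)

if __name__ == "__main__":
    services, users, clients = summarize(SAMPLE_LOG)
    print("per service:", dict(services))
    print("per user:   ", dict(users))
    print("repeat offenders:", clients_over(clients, threshold=3))
```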