DoS Filter and IMAP / POP3

xmana
Posts: 12
Joined: Tue Mar 21, 2017 12:58 pm

DoS Filter and IMAP / POP3

Postby xmana » Wed Jan 23, 2019 1:45 pm

Good day!

I have a problem and do not know in which direction to dig; if anyone knows, please tell me...

First, a little configuration:

[zimbra@mail ~]$ zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P1.


[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: -1
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 30


[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 4320
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 3
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 3


The situation is as follows.
With this configuration, IP addresses that fall under the current DoS Filter settings are blocked. But only those addresses seen brute-forcing through the web interface are locked...
All other unsuccessful authentications (POP3, IMAP, etc.) are ignored.

A few examples (cat mailbox.log | grep ...):

Lock on brute force via the web (in this case, everything is fine):

2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] soap - AuthRequest elapsed=9
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] soap - AuthRequest elapsed=7
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] soap - AuthRequest elapsed=5
2019-01-22 18:17:07,672 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:17:07,673 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] soap - AuthRequest elapsed=4
2019-01-22 18:17:22,648 INFO  [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 18:17:26,728 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.


Brute force through the client (IMAP); here the DoS Filter does not work:

2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:31,515 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=14;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:18,442 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=21;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:43,915 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=24;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:48,225 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=25;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:50,482 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=26;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:52,865 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=27;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:55,387 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=28;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:58,690 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=29;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:02:03,841 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=30;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:03:11,301 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=31;] imap - authentication failed for [user2@domain.com] (account lockout)


The same happens with POP3.

Tell me, how can this be fixed?

Thanks


Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Re: DoS Filter and IMAP / POP3

Postby Laragio » Tue Mar 24, 2020 5:29 pm

Hi,
I have the same problem. I can't get the DoS filter to work for IMAP/POP3, nor for the web.

Any help?
--
Laragio
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Postby awsgnalla » Thu Jun 11, 2020 2:18 pm

Hi,

I have the same problem of not seeing any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

cat ~/log/mailbox.log | grep "suspended, for repeated failed login." doesn't show any IPs suspended after testing failed authentication of an active account via webmail and a mail client:
[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

Any insight or help is very much appreciated.

Thanks,

Gio
L. Mark Stone
Elite member
Posts: 2198
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: DoS Filter and IMAP / POP3

Postby L. Mark Stone » Thu Jun 11, 2020 2:55 pm

awsgnalla wrote:Hi,

I have the same problem of not seeing any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

cat ~/log/mailbox.log | grep "suspended, for repeated failed login." doesn't show any IPs suspended after testing failed authentication of an active account via webmail and a mail client:
[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

Any insight or help is very much appreciated.

Thanks,

Gio


Post up your settings and happy to take a look!
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Postby awsgnalla » Fri Jun 12, 2020 4:37 am

Hi Mark,


Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio
L. Mark Stone
Elite member
Posts: 2198
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: DoS Filter and IMAP / POP3

Postby L. Mark Stone » Fri Jun 12, 2020 9:11 pm

awsgnalla wrote:Hi Mark,


Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio


Hi Gio,

Those settings look fine, except zimbraHttpDosFilterMaxRequestsPerSec, which I would recommend setting to 250. Otherwise you may get some errors when using the Admin Console.

To confirm operation, I would create a test account, and then take your laptop to the parking lot of a store so you can use their wireless. Make repeated bad tries logging in, until the account is locked out or your IP is blocked. Then, tether your phone to your laptop (or come back home) to change your IP address, log in to the Admin Console, see if the test account is locked out, and ssh in to the server and look in mailbox.log for the DoSFilter entries.

The trick is you want to block an IP before you lock out the mailbox, so maybe set zimbraInvalidLoginFilterMaxFailedLogin a little lower, to like 5 or similar. It should be less than what you have for your failed lockout policy.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
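An added example (not code from any poster in this thread) that reads mailbox.log lines in the two formats the first post shows, counts failed logins per client address (the oip= field) across web and IMAP, and reports addresses that reached zimbraInvalidLoginFilterMaxFailedLogin without the filter ever logging a suspension. That is the gap the first post describes, and the ordering Mark's advice depends on (block the IP before the mailbox locks out). The sample log is constructed from the thread's excerpts; the "Pop3" thread-name prefix is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mailbox.log excerpts in this thread: web (SOAP AuthRequest)
# failures from one address, IMAP failures from another, and one login-filter suspension line.
SAMPLE_LOG = """\
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:17:22,648 INFO  [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=46.211.27.136;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=46.211.27.136;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=46.211.27.136;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=46.211.27.136;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
"""

FAIL_RE = re.compile(r"^\S+ \S+ INFO\s+\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] .*?"
                     r"authentication failed for \[[^\]]+\].*?(?P<reason>invalid password|account lockout)")
SUSPEND_RE = re.compile(r"Access from IP (?P<ip>[\w.:]+) suspended, for repeated failed login")

def protocol(thread):
    # Handler threads are named after the listener (ImapSSLServer-N in the posts); web logins arrive
    # on a Jetty qtp thread. The "Pop3" thread-name prefix is an assumption, not taken from the thread.
    return "imap" if thread.startswith("Imap") else "pop3" if thread.startswith("Pop3") else "web"

def summarize(log_text):
    """Per client address (oip=): failed logins by protocol, whether 'account lockout' was hit,
    plus the set of addresses mailbox.log says the invalid-login filter actually suspended."""
    per_ip = defaultdict(lambda: {"web": 0, "imap": 0, "pop3": 0, "lockout": False})
    suspended = set()
    for line in log_text.splitlines():
        s = SUSPEND_RE.search(line)
        if s:
            suspended.add(s.group("ip"))
            continue
        m = FAIL_RE.match(line)
        oip = re.search(r"oip=([^;]+)", m.group("ctx")) if m else None
        if not oip:  # not a failed-login line, or no client address to attribute it to
            continue
        entry = per_ip[oip.group(1)]
        entry[protocol(m.group("thread"))] += 1
        entry["lockout"] |= m.group("reason") == "account lockout"
    return per_ip, suspended

def unsuspended_offenders(log_text, max_failed):
    """Addresses that reached max_failed (zimbraInvalidLoginFilterMaxFailedLogin) with no
    'suspended' line: the gap the first post shows, where IMAP failures lock the mailbox instead."""
    per_ip, suspended = summarize(log_text)
    return sorted(ip for ip, e in per_ip.items()
                  if e["web"] + e["imap"] + e["pop3"] >= max_failed and ip not in suspended)
```

Run it over a real mailbox.log (one file at a time, the filter's counters reset on rotation anyway) and any address it lists with a non-zero imap or pop3 count is brute force the web-only filter did not see.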
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Postby awsgnalla » Sun Aug 09, 2020 11:25 am

Hello Mark,


I've changed the zimbraHttpDosFilterMaxRequestsPerSec setting to 250. I've tested this on our test Zimbra mail server instead of the live environment.
It's still not blocking/suspending IPs when making bad login tries.


$ cat ~/log/mailbox.log | grep "authentication failed"
3737;soapId=473535ab;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:33,921 INFO [qtp1286783232-156:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535ad;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:37,594 INFO [qtp1286783232-159:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535af;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:40,262 INFO [qtp1286783232-19:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535b1;] SoapEngine - handler exception: authentication failed for [aws@domain.com, account lockout

$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."


Any insight or help is very much appreciated.

Thanks,

Gio
