
DoS Filter and IMAP / POP3

Posted: Wed Jan 23, 2019 1:45 pm
by xmana
Good day!

There is a problem, and I do not know in which direction to dig. Tell me, whoever knows ...

First, a little configuration:

[zimbra@mail ~]$ zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P1.


[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: -1
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 30


[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 4320
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 3
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 3


The situation is as follows.
With this configuration, IP addresses that fall under the current DoS Filter settings are blocked. But only those addresses that are seen brute-forcing through the web interface are locked ...
All other unsuccessful authentications are ignored (POP3, IMAP, etc.).

A few examples (cat mailbox.log | grep ...):

Lock on brute force via the web (in this case everything is fine):

2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] soap - AuthRequest elapsed=9
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] soap - AuthRequest elapsed=7
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] soap - AuthRequest elapsed=5
2019-01-22 18:17:07,672 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:17:07,673 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] soap - AuthRequest elapsed=4
2019-01-22 18:17:22,648 INFO  [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 18:17:26,728 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.


Brute force through the client (IMAP), where the DoS Filter does not work:

2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:31,515 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=14;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:18,442 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=21;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:43,915 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=24;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:48,225 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=25;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:50,482 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=26;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:52,865 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=27;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:55,387 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=28;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:58,690 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=29;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:02:03,841 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=30;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:03:11,301 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=31;] imap - authentication failed for [user2@domain.com] (account lockout)


The same happens with POP3.

Tell me, how can this be fixed?

thn'x

Re: DoS Filter and IMAP / POP3

Posted: Tue Mar 24, 2020 5:29 pm
by Laragio
Hi,
I have the same problem. I can't get the DoS filter to work for IMAP/POP3, nor for the web.

Any help?
--
Laragio

Re: DoS Filter and IMAP / POP3

Posted: Thu Jun 11, 2020 2:18 pm
by awsgnalla
Hi,

I have the same problem of not seeing any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

cat ~/log/mailbox.log | grep "suspended, for repeated failed login." doesn't show any IPs suspended after testing failed authentication of an active account via webmail and mail client:

[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

Any insight or help is very much appreciated.

Thanks,

Gio

Re: DoS Filter and IMAP / POP3

Posted: Thu Jun 11, 2020 2:55 pm
by L. Mark Stone
awsgnalla wrote: Hi,

I have the same problem of not seeing any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

cat ~/log/mailbox.log | grep "suspended, for repeated failed login." doesn't show any IPs suspended after testing failed authentication of an active account via webmail and mail client:

[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

Any insight or help is very much appreciated.

Thanks,

Gio


Post up your settings and happy to take a look!

Re: DoS Filter and IMAP / POP3

Posted: Fri Jun 12, 2020 4:37 am
by awsgnalla
Hi Mark,


Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio

Re: DoS Filter and IMAP / POP3

Posted: Fri Jun 12, 2020 9:11 pm
by L. Mark Stone
awsgnalla wrote: Hi Mark,


Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio


Hi Gio,

Those settings look fine, except zimbraHttpDosFilterMaxRequestsPerSec, which I would recommend setting to 250. Otherwise you may get some errors when using the Admin Console.

To confirm operation, I would create a test account, and then take your laptop to the parking lot of a store so you can use their wireless. Make repeated bad tries logging in, until the account is locked out or your IP is blocked. Then, tether your phone to your laptop (or come back home) to change your IP address, log in to the Admin Console, see if the test account is locked out, and ssh in to the server and look in mailbox.log for the DoSFilter entries.

The trick is you want to block an IP before you lock out the mailbox, so maybe set zimbraInvalidLoginFilterMaxFailedLogin a little lower, to like 5 or similar. It should be less than what you have for your failed lockout policy.

Hope that helps,
Mark
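
As an added example that is not part of this thread and not Zimbra's own code: the Python script below parses the two mailbox.log line shapes quoted in the first post (SOAP AuthRequest failures from the web client, and IMAP failures arriving via nginx), keys every failure by the oip= client address regardless of protocol, and flags an address once it reaches zimbraInvalidLoginFilterMaxFailedLogin failures. It also reports any "account lockout" that happened before its source address reached that threshold, which is the ordering Mark describes above (mailbox locked before the IP would have been suspended). The sample log lines, accounts and addresses are constructed; the POP3 line shape is assumed to mirror the IMAP one; and the sliding window (the 4320-minute value from the first post is used here) is this example's assumption, not a reproduction of Zimbra's own counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the thread. Accounts, IPs and
# ids are made up; the POP3 line shape is assumed to mirror the IMAP one.
SAMPLE_LOG = """\
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=198.51.100.10;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=198.51.100.10;ua=zclient/8.8.11_GA_3737;soapId=70194024;] soap - AuthRequest elapsed=9
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=198.51.100.10;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=198.51.100.10;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=203.0.113.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=203.0.113.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=203.0.113.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=203.0.113.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:20:01,000 INFO  [Pop3SSLServer-1] [ip=10.0.0.5;oip=192.0.2.5;via=10.0.0.5(nginx/1.7.1);cid=40;] pop - authentication failed for [user3@domain.com] (invalid password)
2019-01-22 18:20:09,000 INFO  [Pop3SSLServer-1] [ip=10.0.0.5;oip=192.0.2.5;via=10.0.0.5(nginx/1.7.1);cid=41;] pop - authentication failed for [user3@domain.com] (invalid password)
2019-01-22 18:30:00,000 INFO  [qtp1286783232-300:http://localhost:8080/service/soap/AuthRequest] [name=user4@domain.com;oip=192.0.2.99;ua=zclient/8.8.11_GA_3737;soapId=70195000;] SoapEngine - handler exception: authentication failed for [user4@domain.com], invalid password
2019-01-22 18:30:05,000 INFO  [qtp1286783232-300:http://localhost:8080/service/soap/AuthRequest] [name=user4@domain.com;oip=192.0.2.99;ua=zclient/8.8.11_GA_3737;soapId=70195001;] SoapEngine - handler exception: authentication failed for [user4@domain.com], invalid password
2019-01-22 18:30:10,000 INFO  [qtp1286783232-300:http://localhost:8080/service/soap/AuthRequest] [name=user4@domain.com;oip=192.0.2.99;ua=zclient/8.8.11_GA_3737;soapId=70195002;] SoapEngine - handler exception: authentication failed for [user4@domain.com], invalid password
2019-01-22 18:30:15,000 INFO  [qtp1286783232-300:http://localhost:8080/service/soap/AuthRequest] [name=user4@domain.com;oip=192.0.2.99;ua=zclient/8.8.11_GA_3737;soapId=70195003;] SoapEngine - handler exception: authentication failed for [user4@domain.com], account lockout
"""

# Timestamp, [thread], [key=value;...] context, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} INFO\s+"
    r"\[(?P<thread>[^\]]+)\] \[(?P<ctx>[^\]]*)\] (?P<rest>.*)$"
)
# Both shapes: "... for [acct], invalid password" and "... for [acct] (invalid password)".
FAIL_RE = re.compile(r"authentication failed for \[(?P<account>[^\]]+)\](?P<tail>.*)$")
OIP_RE = re.compile(r"(?:^|;)oip=(?P<oip>[^;]+)")   # the real client behind nginx


def parse_failures(text):
    """One event per 'authentication failed' line, whatever protocol produced it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fail = FAIL_RE.search(m["rest"])
        oip = OIP_RE.search(m["ctx"])
        if not fail or not oip:          # e.g. "soap - AuthRequest elapsed=9"
            continue
        source = m["rest"].split(" - ", 1)[0]     # "SoapEngine", "imap" or "pop"
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "oip": oip["oip"],
            "protocol": "soap" if source == "SoapEngine" else source,
            "account": fail["account"],
            "reason": fail["tail"].strip(" ,()"),   # "invalid password", "account lockout"
        })
    return events


def analyze(events, max_failed, window_minutes):
    """Flag an IP the first time it reaches max_failed failures inside the window
    (sliding window is an assumption of this example), and record every
    'account lockout' that happened before its IP reached that threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    offenders, lockouts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["oip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        q.append(ev["ts"])
        if len(q) >= max_failed and ev["oip"] not in offenders:
            offenders[ev["oip"]] = {"at": ev["ts"], "protocol": ev["protocol"],
                                    "account": ev["account"], "failures": len(q)}
        if ev["reason"] == "account lockout" and len(q) < max_failed:
            lockouts.append({"oip": ev["oip"], "account": ev["account"],
                             "at": ev["ts"], "failures": len(q)})
    return {"offenders": offenders, "lockouts": lockouts}


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    # 3 and 4320 are the first poster's values; 10 mirrors the later poster's setting.
    for max_failed in (3, 10):
        r = analyze(events, max_failed, 4320)
        print(f"zimbraInvalidLoginFilterMaxFailedLogin={max_failed}")
        for ip, o in r["offenders"].items():
            print(f"  suspend {ip}: {o['failures']} failures via {o['protocol']} by {o['at']}")
        for lk in r["lockouts"]:
            print(f"  WARN {lk['account']} locked out at {lk['at']} after only "
                  f"{lk['failures']} failures from {lk['oip']}")
```

Against a real server, feed it the file the thread greps (`parse_failures(open(os.path.expanduser("~/log/mailbox.log")).read())` as the zimbra user). An IMAP or POP3 address this reports as over threshold while the same log never shows a "suspended, for repeated failed login." line for it is exactly the gap the first post describes, and the per-address report is what a fail2ban-style rule on the MTA/proxy host would act on; the lockout warnings with max_failed=10 show why Mark suggests keeping zimbraInvalidLoginFilterMaxFailedLogin below the CoS failed-login lockout count.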

Re: DoS Filter and IMAP / POP3

Posted: Sun Aug 09, 2020 11:25 am
by awsgnalla
Hello Mark,


I've changed the zimbraHttpDosFilterMaxRequestsPerSec setting to 250. I've tested this on our test Zimbra mail server instead of the live environment.
It's still not blocking/suspending IPs when making bad login tries.


$ cat ~/log/mailbox.log | grep "authentication failed"
3737;soapId=473535ab;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:33,921 INFO [qtp1286783232-156:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535ad;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:37,594 INFO [qtp1286783232-159:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535af;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:40,262 INFO [qtp1286783232-19:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535b1;] SoapEngine - handler exception: authentication failed for [aws@domain.com, account lockout

$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."


Any insight or help is very much appreciated.

Thanks,

Gio

Re: DoS Filter and IMAP / POP3

Posted: Tue Apr 13, 2021 10:37 am
by pasco
Any solutions yet? I have the same problem.

Nothing with

cat ~/log/mailbox.log | grep "suspended, for repeated failed login."

but a bunch of entries with

cat ~/log/mailbox.log | grep "authentication failed"

like this one:
d3546b;] SoapEngine - handler exception: authentication failed for [tecnico@mail.example.com], account not found
2021-04-13 12:32:26,103 INFO [qtp66233253-248:https:https://mail.example.com:7073/service/admin/soap/] [ip=<Zimbra IP>;port=50606;soapId=17