Blocking SASL logins?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
zim_mike
Outstanding Member
Outstanding Member
Posts: 217
Joined: Sat Sep 13, 2014 3:26 am

Blocking SASL logins?

Postby zim_mike » Thu Jun 11, 2020 12:49 am

I see this in the logs, 24/7, obviously spammers trying to get into our zimbra 8.8.11 servers, I guess doing some kind of dictionary attack.
Is SASL related to POPS and/or IMAPS which are all that we really allow? We only have a handful of accounts on the server, mainly for outgoing mail, notifications from a service we offer.

If SASL is not related, can it be disabled and is it worth doing so since this is the only non stop attempt that I see in the logs.

Code: Select all

Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: unknown[113.172.116.1]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: unknown[220.156.174.161]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure



User avatar
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806
Contact:

Re: Blocking SASL logins?

Postby stefaniu.criste » Thu Jun 11, 2020 7:18 am

Hello

we are using csf (configserver.com) as local firewall.
Zimbra is running on CentOS 6 (yes mom, we know EOL is near)

Please follow the firewall's documentation in order to properly install it.
TEST before, not to lock tourself out!

1) edit /etc/csf/csf.conf and set the following constant (it is almost at the end of configuration file)

Code: Select all

CUSTOM2_LOG = "/var/log/maillog"


2) edit /usr/local/csf/bin/regex.custom.pm and somewhere before the line that states "# Do not edit beyond this point" add

Code: Select all

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[($
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}


Restart csf with

Code: Select all

csf -r


Restart lfd with

Code: Select all

service lfd restart

or, if you have CentOS 7+

Code: Select all

systemctl restart lfd
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
User avatar
DualBoot
Elite member
Elite member
Posts: 1308
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
Contact:

Re: Blocking SASL logins?

Postby DualBoot » Thu Jun 11, 2020 7:40 am

Do not disable SASL auth unless you do not want your users to send mail with their mail client.
In your case, I think Fail2Ban could be your best friend ;)

Regards,
zim_mike
Outstanding Member
Outstanding Member
Posts: 217
Joined: Sat Sep 13, 2014 3:26 am

Re: Blocking SASL logins?

Postby zim_mike » Thu Jun 11, 2020 1:49 pm

The local firewall is firewalld so I would need more information on what it is that I'm trying to block in order to look up how to do that.

Can you give me a breakdown of what this is going. I can see it's watching the log for the warnings I posted and seems to be checking ports 25,465 and 587.
The rest is not clear. What is it looking for in terms of too many attempts in what time period, 2 minutes?

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[($
return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");


I've read many posts from folks trying fail2ban but many say it doesn't seem to work.

We only have a handful of accounts, the server is mostly used for outgoing notifications for a service that members sign up to.
However, the few people we do have use mail clients on different devices.

I don't want to limit the road warriors but then again, they can easily call in if they get locked out and we have control of the server to get them back in.
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2197
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: Blocking SASL logins?

Postby L. Mark Stone » Thu Jun 11, 2020 3:02 pm

SASL is used by IMAP/POP clients to send email on port 587 after authenticating with their Zimbra credentials.

I just did a blog post, albeit for Ubuntu's UFW, that shows how to implement fail2ban to block bad actors trying to brute force accounts using this vector.

You'll need to use your own settings for firewalld, but the regex for finding failed SASL logins will work for you.

https://www.missioncriticalemail.com/20 ... sion-only/

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
User avatar
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806
Contact:

Re: Blocking SASL logins?

Postby stefaniu.criste » Fri Jun 12, 2020 6:58 am

First of all, I must apologize for the previous post.
I have pasted an incomplete rule (trimmed by nano editor)
The correct rule is this:

Code: Select all

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}


Moving on, here are some answers:
zim_mike wrote:The local firewall is firewalld so I would need more information on what it is that I'm trying to block in order to look up how to do that.

The configuration and above rule works only for csf firewall, not firewalld. I also like firewalld, but csf suits better for my needs.





zim_mike wrote:Can you give me a breakdown of what this is going. I can see it's watching the log for the warnings I posted and seems to be checking ports 25,465 and 587.
The rest is not clear. What is it looking for in terms of too many attempts in what time period, 2 minutes?


There is an explained sample in the regex.custom.pm file.

Code: Select all

# Example:
#       if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#               return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#       }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled


In the example rule, after 5 failed attempts within the general defined period (period it is set in /etc/csf/csf.conf, usually 1 hour), attacker will be blocked permanently on ports 20 and 21.
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
zim_mike
Outstanding Member
Outstanding Member
Posts: 217
Joined: Sat Sep 13, 2014 3:26 am

Re: Blocking SASL logins?

Postby zim_mike » Sat Jun 13, 2020 1:33 am

Thanks for all the help. I think I am going to install fail2ban working with firewalld.
The only thing that's confusing is someone mentioned ports 20 and 21 which are not in use anywhere so not sure what this is about.
Also, it's not clear what I'll block because as someone pointed out, SASL is part of pop and imap as well so I guess those ports will be monitored.
zim_mike
Outstanding Member
Outstanding Member
Posts: 217
Joined: Sat Sep 13, 2014 3:26 am

Re: Blocking SASL logins?

Postby zim_mike » Sun Jun 14, 2020 4:24 pm

Thanks for the blog article. I bet plenty of people would appreciate the same using firewalld.
User avatar
DualBoot
Elite member
Elite member
Posts: 1308
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
Contact:

Re: Blocking SASL logins?

Postby DualBoot » Mon Jun 15, 2020 7:12 am

Block all except and monitor :
- 25 (SMTP, SMTP with auth)
- 587 (Submission)
- 22 (if need to access your server from the outside world, better use VPN or allow identified IP with private key)
- 110 (POP)
- 995 (POPS)
- 143 (IMAP)
- 993 (IMAPS)
- 80 (HTTP)
- 443 (HTTPS)
That should be enough

Regards
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2197
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: Blocking SASL logins?

Postby L. Mark Stone » Mon Jun 15, 2020 1:49 pm

zim_mike wrote:Thanks for the blog article. I bet plenty of people would appreciate the same using firewalld.


Thanks Mike,

FWIW Fail2ban also ships with several firewalld action files in /etc/fail2ban/action.d and the firewalld documentation (https://firewalld.org/documentation/how ... rvice.html) shows how to add a custom service (zimbra-submission).

It looks like the process in my blog for firewalld is the same; the only difference is the method to create the custom submission service with firewalld.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: Google [Bot] and 16 guests