Brute force against Web Service

mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

Brute force against Web Service

Postby mrgreiner » Tue Jul 28, 2020 5:45 pm

Hi,

I know this has been asked before, but I haven't seen a good answer yet.

I have a ZCS 8.7 (fully patched) install on Centos 6.10, including zmauditswatch and fail2ban. My logs are also sent to a central syslog server, where they are analyzed by OSSEC.

My problem is that someone collected a number of valid email addresses (probably on a web page, some mail list we had or whatever) and keeps brute forcing them against the webserver (https, not smtp). This way, some accounts keep getting blocked with some frequency. Fail2ban is useless in this case, since the logs of the webserver only show the IP of the server itself. Example:

Jul 28 10:10:26 200.145.62.17 saslauthd[4374]: do_auth : auth failure: [user=<user>@<domain>] [service=smtp] [realm=<domain>] [mech=zimbra] [reason=Unknown]
Jul 28 10:10:26 200.145.62.17 saslauthd[4374]: auth_zimbra: <user>@<domain> auth failed: authentication failed for [<user>@<domain>]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: do_auth : auth failure: [user=<user>@<domain>] [service=smtp] [realm=<domain>] [mech=zimbra] [reason=Unknown]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: auth_zimbra: <user>@<domain> auth failed: authentication failed for [<user>@<domain>]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: zmpost: url='https://<domain>:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [<user>@<domain>]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2036958521-9288:1595941826170:91f2778a2cca4d47</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''

I would like to provide fail2ban the IP from where those attempts are coming, but nowhere do I get the information to find that out. How do I block these? I'm getting a lot of those attempts, and sooner or later it will get some entry right, and my server will (probably) be used for spam :-(


L. Mark Stone
Elite member
Posts: 2185
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Brute force against Web Service

Postby L. Mark Stone » Tue Jul 28, 2020 7:29 pm

Sounds like you are not configured to log the originating IP address.

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

...and if you are interested:
https://www.missioncriticalemail.com/20 ... sion-only/
https://www.missioncriticalemail.com/20 ... -together/

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

Re: Brute force against Web Service

Postby mrgreiner » Tue Jul 28, 2020 8:43 pm

It worked.

The IP addresses are showing in the logs, as explained in the page. Now I will work on tuning fail2ban to properly use that information.

Tks.

Roberto
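The "tuning fail2ban" step that the thread ends on, as an added example that is not part of either poster's text nor shipped with Zimbra or fail2ban. It assumes that, once the originating IP is logged as Mark's wiki link describes, Zimbra's audit.log carries the real client address in an `oip=` field next to the proxy's own `ip=` field (the sample lines below are constructed to that shape; check them against your own audit.log and adjust the regex). The block writes a fail2ban-style failregex that keys on `oip=` instead of `ip=`, expands fail2ban's `<HOST>` placeholder so the regex can be tested offline, and then applies the same maxretry/findtime sliding window fail2ban uses, plus a per-host list of the accounts tried, which is the "many valid addresses from one source" pattern described in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, shaped like Zimbra's audit.log after the proxy is
# trusted so that the real client address appears as oip=. Addresses are from
# documentation ranges and accounts are at example.com; none of this is real data.
# The last line is a successful Auth (no error=) and must not match.
SAMPLE_AUDIT_LOG = """\
2020-07-28 10:10:26,170 INFO  [qtp2036958521-9288:https://mail.example.com:443/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2020-07-28 10:10:27,001 INFO  [qtp2036958521-9290:https://mail.example.com:443/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;
2020-07-28 10:10:27,950 INFO  [qtp2036958521-9291:https://mail.example.com:443/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
2020-07-28 10:10:40,120 INFO  [qtp2036958521-9300:https://mail.example.com:443/service/soap/AuthRequest] [ip=127.0.0.1;oip=198.51.100.7;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=dave@example.com; protocol=soap; error=authentication failed for [dave@example.com], invalid password;
2020-07-28 10:10:41,300 INFO  [qtp2036958521-9301:https://mail.example.com:443/service/soap/AuthRequest] [ip=127.0.0.1;oip=198.51.100.7;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=dave@example.com; protocol=soap;
"""

# Hypothetical fail2ban failregex (not one that ships with fail2ban or Zimbra).
# <HOST> is fail2ban's placeholder for the client address. Keying on oip= rather
# than ip= is the whole point: ip= is the proxy/localhost address the original
# poster saw in his logs, oip= is the real client behind the proxy.
FAILREGEX = (
    r"\[ip=[^;]+;oip=<HOST>;[^\]]*\] security - cmd=Auth; "
    r"account=(?P<account>[^;]+); protocol=\w+; "
    r"error=authentication failed for \[[^\]]+\], invalid password;"
)

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
# IPv4 only, to keep the offline test simple; fail2ban's own <HOST> also
# accepts IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand fail2ban's <HOST> placeholder so the failregex runs under Python's re."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failures(log_text: str, failregex: str = FAILREGEX):
    """Return [(timestamp, host, account)] for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    failures = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S,%f")
        failures.append((ts, m.group("host"), m.group("account")))
    return failures


def hosts_to_ban(failures, maxretry: int = 3, findtime: int = 600) -> set:
    """Per-host sliding window: ban once maxretry failures fall within findtime
    seconds, which is how fail2ban's maxretry/findtime pair behaves."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, host, _account in sorted(failures):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def accounts_targeted(failures) -> dict:
    """Accounts each host tried; one host cycling through many valid addresses
    is the password-spraying pattern the first post describes."""
    targets = defaultdict(set)
    for _ts, host, account in failures:
        targets[host].add(account)
    return {host: sorted(accts) for host, accts in targets.items()}


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUDIT_LOG)
    print(f"{len(failures)} failed logins parsed")
    targets = accounts_targeted(failures)
    for host in sorted(hosts_to_ban(failures)):
        print(f"ban {host}: tried {targets[host]}")
```

The same FAILREGEX string, with `<HOST>` left in place, is what would go into a fail2ban filter's `failregex =` line; the compile step here exists only so the pattern can be checked against captured lines before the jail goes live. Note that the successful Auth line is deliberately excluded by requiring the `error=... invalid password;` tail, so a client that eventually guesses right does not add to its own ban count.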
