reveal IP connection source from bruteforce authentication attempt

gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

reveal IP connection source from bruteforce authentication attempt

Postby gaelroma » Sat Oct 13, 2018 3:15 pm

Hello, I have Zimbra behind pfSense and the public IP is NATted to the internal IP. Split DNS is set up as well.

So the firewall is on 172.0.1.1 and the mail server on the same LAN.

I see a lot of authentication failures in the Zimbra log and it says that the connection comes from... the firewall...

I can tell you that this operation is systematically done every 5 seconds with a random account.

Oct 13 17:02:10 mail postfix/smtpd[11832]: connect from fw.mydomain.xxx[172.10.1.1]
Oct 13 17:02:15 mail saslauthd[3841]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...


I read on this forum that a solution could be to use fail2ban, but since the source IP is the firewall I believe that the FW IP will be banned...

How can I make Zimbra print the real source IP in the log and let fail2ban work properly?

I even blocked traffic on port 7071 on pfSense, but this bot continues its attacks.

Thanks for the help.


L. Mark Stone
Elite member
Posts: 1898
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.10 Network Edition

Re: reveal IP connection source from bruteforce authentication attempt

Postby L. Mark Stone » Sun Oct 14, 2018 2:03 pm

First step is to configure Zimbra to log the originating IP address; there's a wiki for that:

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

You don't say what version of Zimbra you are running but I am going to presume you have Zimbra proxy running (required on all supported versions now anyway).

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Postby gaelroma » Sun Oct 14, 2018 5:12 pm

Hi Mark, thank you for your reply.

The Zimbra version is 8.6. I am not running the proxy. The mail server is behind a firewall.

The firewall is a pfSense machine, x.x.x.1
Zimbra is on another machine, x.x.x.12

On pfSense there is a 1:1 NAT to translate the public IP to the Zimbra server.

I added the local IPs of the firewall and the mail server as you suggested:
zmprov mcf +zimbraMailTrustedIP x.x.x.1
zmprov mcf +zimbraMailTrustedIP x.x.x.12

restarted zmmailboxdctl, but nothing changed.

In the log I still see a long list of connect from fw.mydomain.xxx[x.x.x.1]

Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:10 mail saslauthd[3840]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...
Oct 14 19:10:10 mail saslauthd[3840]: zmpost: url='https://mail.mydomain.xxx:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [schuftp2@mydomain.xxx]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2054798982-171:https://x.x.x.12:7071/service/admin/soap/:1539537010737:34f5ae85e0482ba2</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct 14 19:10:10 mail saslauthd[3840]: auth_zimbra: schuftp2@mydomain.xxx auth failed: authentication failed for [schuftp2@mydomain.xxx]
Oct 14 19:10:10 mail saslauthd[3840]: do_auth         : auth failure: [user=schuftp2@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct 14 19:10:10 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[x.x.x.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:11 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[x.x.x.1]


The hackers discovered one mail account name and sent an email to it pretending there was a breach.

:( Cannot figure it out!!
L. Mark Stone
Elite member
Posts: 1898
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.10 Network Edition

Re: reveal IP connection source from bruteforce authentication attempt

Postby L. Mark Stone » Sun Oct 14, 2018 5:54 pm

This scenario is what Zimbra’s DoSFilter or fail2ban are intended to address: block an offending IP address for some amount of time — before an account is hacked.

Probably you already know that 8.6 is past end of life, so no more security fixes.

Nginx is much better at handling this sort of nonsense than mailboxd.

If pfsense can do RBL blocking that might help; persistent attacks often come from known bad IP addresses or domains.

Hope that helps.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Postby gaelroma » Sun Oct 14, 2018 6:58 pm

I know that fail2ban should fix this issue.

In fact I need to reveal which IP is doing the brute force and ban it. Unfortunately the Zimbra log and the mail log don't give me this information, and fail2ban relies on it.

Maybe it could be a DNS configuration. But in order to work behind a firewall, Zimbra must be set up with split DNS.
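To make concrete why the source address written to the log decides what fail2ban can do (Mark's DoSFilter/fail2ban suggestion above and the reply that fail2ban relies on that IP), here is an added example. It is not code from the thread, from Zimbra or from fail2ban: it applies a fail2ban-style failregex to the postfix/smtpd "SASL LOGIN authentication failed" lines, counts failures per client IP, and refuses to ban anything in an ignore list. The log lines, the firewall LAN address 172.0.1.1 and the client addresses 203.0.113.7 and 198.51.100.2 are constructed for the example.

```python
"""Per-source counting of failed SMTP AUTH attempts in Zimbra/Postfix logs.

Added example, not part of the forum thread, Zimbra or fail2ban. It shows the
two outcomes the thread is about: while NAT hides the real client behind the
firewall's LAN address, the only IP over the retry threshold is the firewall
itself (so it is either banned, locking out all mail, or suppressed, so the
attacker is never blocked); once the real client address is logged, the
attacker can be banned normally.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Same shape as fail2ban's postfix-sasl failregex: capture the client IP
# that postfix/smtpd prints in brackets after the reverse-DNS name.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5) authentication failed"
)


def failures_by_ip(lines):
    """Count SASL authentication failures per source IP across log lines."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_ignored(ip, ignore):
    """True if ip falls inside any address/network of the ignore list."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in ignore)


def ban_decisions(lines, maxretry=5, ignoreip=("127.0.0.1/8",)):
    """Return (to_ban, suppressed): IPs at or over maxretry, split by whether
    the ignore list protected them (the equivalent of fail2ban's ignoreip)."""
    to_ban, suppressed = [], []
    for ip, n in failures_by_ip(lines).items():
        if n < maxretry:
            continue
        (suppressed if is_ignored(ip, ignoreip) else to_ban).append(ip)
    return sorted(to_ban), sorted(suppressed)


def _fail_line(host, ip, second):
    # Constructed line in the format postfix/smtpd uses for SASL failures.
    return (f"Oct 14 19:10:{second:02d} mail postfix/smtpd[9002]: warning: "
            f"{host}[{ip}]: SASL LOGIN authentication failed: authentication failure")


# Constructed sample 1: NAT hides the client; every failure is attributed to
# the firewall's LAN address (172.0.1.1 is an assumed address for the example).
SAMPLE_NAT_HIDDEN = [
    "Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[172.0.1.1]",
] + [_fail_line("fw.mydomain.xxx", "172.0.1.1", 10 + 5 * i) for i in range(6)]

# Constructed sample 2: the real client address reaches the log. One client
# fails six times, another only once (below maxretry, must not be banned).
SAMPLE_REAL_IP = [_fail_line("unknown", "203.0.113.7", 10 + 5 * i) for i in range(6)] + [
    _fail_line("unknown", "198.51.100.2", 50),
]

# Assumed ignore list: loopback plus the firewall, as an admin would configure
# it to avoid banning the gateway.
FIREWALL_IGNORE = ("127.0.0.1/8", "172.0.1.1")

if __name__ == "__main__":
    print("NAT hidden, firewall ignored:", ban_decisions(SAMPLE_NAT_HIDDEN, ignoreip=FIREWALL_IGNORE))
    print("NAT hidden, firewall not ignored:", ban_decisions(SAMPLE_NAT_HIDDEN))
    print("real IP logged:", ban_decisions(SAMPLE_REAL_IP, ignoreip=FIREWALL_IGNORE))
```

Run stand-alone it prints the three cases: with the firewall in the ignore list nothing is banned and the attacker keeps going; without it the firewall's own address is the one that would be banned; only the third case, where the client address survives NAT into the log, produces a useful ban. The fix therefore belongs in the pfSense NAT configuration, not in the fail2ban filter.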
axslingr
Advanced member
Posts: 92
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.9.GA.3019.UBUNTU14.64

Re: reveal IP connection source from bruteforce authentication attempt

Postby axslingr » Sun Oct 14, 2018 11:08 pm

What do your port forwarding settings look like in pfSense?

Lance
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Postby gaelroma » Mon Oct 15, 2018 7:32 am

Hi Lance,

Ehm... it's empty, no rules in Port Forwarding.

The firewall rules are the following:
Reject everything except:
80 (HTTP)
443 (HTTPS)
143 (IMAP)
993 (IMAP/S)
110 (POP3)
995 (POP3/S)
25 (SMTP)
465 (SMTP/S)
587 (SUBMISSION)
axslingr
Advanced member
Posts: 92
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.9.GA.3019.UBUNTU14.64

Re: reveal IP connection source from bruteforce authentication attempt

Postby axslingr » Mon Oct 15, 2018 11:48 am

There's your problem. Delete those rules and port forward all of those ports to your Zimbra server.

Lance
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Postby gaelroma » Mon Oct 15, 2018 7:20 pm

Hey Lance,

I did what you suggested and rebooted both machines,

but nothing changed; I still have the firewall IP in the logs...

I can see this weird stuff in the pfSense logs:
Time IF Source Destination
Oct 15 21:18 WAN [fe80::6eb2:aeff:fe01:8841] [ff02::66]:2029
axslingr
Advanced member
Posts: 92
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.9.GA.3019.UBUNTU14.64

Re: reveal IP connection source from bruteforce authentication attempt

Postby axslingr » Mon Oct 15, 2018 8:20 pm

OK, what does that 1:1 NAT setting look like? Do you really need that? If you only have one public IP on the WAN interface, you don't.

Lance
