[SOLVED] Distributed SASL LOGIN authentication failed

dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

[SOLVED] Distributed SASL LOGIN authentication failed

Post by dik23 »

Over the last couple of weeks I'm seeing a large number of attacks that follow the pattern:


Oct 26 13:25:01 mydomain saslauthd[3819]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...

Oct 26 13:25:01 mydomain saslauthd[3819]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [user.name@mydomain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp821866309-20353:https://10.0.0.101:7071/service/admin/soap/:1477484701386:aae4520b8c7c5743</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''

Oct 26 13:25:01 mydomain saslauthd[3819]: auth_zimbra: user.name@mydomain.com auth failed: authentication failed for [user.name@mydomain.com]

Oct 26 13:25:01 mydomain saslauthd[3819]: do_auth         : auth failure: [user=user.name@mydomain.com] [service=smtp] [realm=mydomain.com] [mech=zimbra] [reason=Unknown]

Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: SASL authentication failure: Password verification failed

Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: unknown[197.217.75.95]: SASL PLAIN authentication failed: authentication failure

The main difference between them is the IP, which is sometimes repeated a couple of times but is normally different.

This is causing problems because it's locking users out, which they find annoying. I could loosen the lockout requirements but I feel that would be a bad idea considering the large number of failed attempts each day.

Can anyone comment / help?


Thanks
Last edited by dik23 on Fri Dec 16, 2016 2:19 pm, edited 1 time in total.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Distributed SASL LOGIN authentication failed

Post by jorgedlcruz »

Hi,
You can try disabling port 7071 at the firewall level so people from outside can't reach it, only you by VPN; it will not do much, but it is something at least.

The second thing I would recommend is to configure something like Fail2Ban:

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

Re: Distributed SASL LOGIN authentication failed

Post by dik23 »

Thanks for your input.

Access to 7071 has been restricted from day one.

I had a look at fail2ban but there's a couple of problems I can see with it. Firstly it's known to not work well with distributed attacks. There's little point banning an IP address if that address isn't going to be involved in future attempts.

The second problem is many of our users are at 3rd party sites. If (when) one of them enters their password incorrectly fail2ban could ban their IP and so block access for 50 other legitimate users. That would be bad. Of course I could attempt to whitelist these IPs but we're talking about very large multinationals so it would be difficult.

Any other ideas out there?
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

Re: Distributed SASL LOGIN authentication failed

Post by dik23 »

If anyone's interested, I found the best way to prevent this has been to use ipsets to dynamically update firewall rules for the smtp and https ports.
JDunphy
Outstanding Member
Posts: 901
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Post by JDunphy »

ipset is a great choice! If you create them with timeouts, then you don't have to worry about taking out addresses that are from legit sites.


# used by iptables to slow down smtp attacks
ipset create blacklist hash:ip hashsize 4096 timeout 900
ipset create blacklist4hr hash:ip hashsize 4096 timeout 14400
Very simple to use as in:

# Used by websites to block bots and hackers
-A INPUT -m set --match-set blacklist4hr src -j DROP

They definitely will scale for large attacks. On our servers, we see hundreds per second taken out based on a simple perl script watching log files... Just a multi-tail perl module with regexes putting them in timeout for a few hours.

You add them without having to change your firewall rules, and they expire automatically after 4 hours in this example.

ipset add blacklist4hr X.X.X.X
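The log-watching step JDunphy describes (a script with regexes feeding addresses into the timed set), worked through as an added example that is not part of the thread, of Zimbra, or of any poster's code: it parses the smtpd warning line from the first post, counts failures per client address inside a sliding time window, skips networks that must never be blocked (the shared-egress problem dik23 raised for users at third-party sites), and emits `ipset add` commands for the `blacklist4hr` set created above. The failure threshold, the window length, the sample log lines and the 192.0.2.0/24 exemption are constructed assumptions; the set name and the 14400-second timeout come from the post.

```python
#!/usr/bin/env python3
"""Turn Postfix SASL failures into timed ipset entries (added example, not Zimbra code)."""
import ipaddress
import re
import subprocess
from collections import defaultdict
from datetime import datetime

# Matches the smtpd warning line from the first post; the client IP sits in the brackets.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9.]+)\]: "
    r"SASL (?:PLAIN|LOGIN) authentication failed"
)

# Constructed sample log: the saslauthd and "Password verification" lines are ignored,
# 203.0.113.7 fails three times in about a minute, 198.51.100.9 once, and 192.0.2.20
# three times but from a network we never block.
SAMPLE_LOG = """\
Oct 26 13:25:01 mydomain saslauthd[3819]: do_auth         : auth failure: [user=user.name@mydomain.com] [service=smtp] [realm=mydomain.com] [mech=zimbra] [reason=Unknown]
Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: SASL authentication failure: Password verification failed
Oct 26 13:25:01 mydomain postfix/smtps/smtpd[9992]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:25:14 mydomain postfix/smtps/smtpd[9992]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 26 13:26:02 mydomain postfix/smtps/smtpd[9993]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:27:45 mydomain postfix/smtps/smtpd[9994]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:28:00 mydomain postfix/smtps/smtpd[9995]: warning: unknown[192.0.2.20]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:28:05 mydomain postfix/smtps/smtpd[9995]: warning: unknown[192.0.2.20]: SASL PLAIN authentication failed: authentication failure
Oct 26 13:28:09 mydomain postfix/smtps/smtpd[9995]: warning: unknown[192.0.2.20]: SASL PLAIN authentication failed: authentication failure
"""

# Assumption: a partner site whose shared egress address carries many legitimate users,
# so one mistyped password there must not lock everyone else out.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]


def parse_failures(lines):
    """Yield (timestamp, ip) for every SASL failure line; all other lines are skipped."""
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, fine for deltas
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def offenders(lines, threshold=5, window_seconds=300):
    """Return the IPs with at least `threshold` failures inside any `window_seconds`
    interval, leaving out addresses in NEVER_BLOCK."""
    hits = defaultdict(list)
    for ts, ip in parse_failures(lines):
        hits[ip].append(ts)
    result = set()
    for ip, stamps in hits.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            continue
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans at most window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                result.add(ip)
                break
    return result


def ipset_commands(ips, set_name="blacklist4hr", timeout=14400):
    """Build the `ipset add` commands; `-exist` lets a repeat offender's entry be
    re-added, which refreshes its timeout instead of raising an error."""
    return [f"ipset add {set_name} {ip} timeout {timeout} -exist" for ip in sorted(ips)]


def apply(commands, dry_run=True):
    """Print the commands, or run them when dry_run is False (needs root and ipset)."""
    for cmd in commands:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines(), threshold=3, window_seconds=600)
    apply(ipset_commands(bad))
```

With `dry_run=True` the script only prints the commands; in production you would feed it the tail of the mail log and run it as root so the `ipset add` calls take effect against the `blacklist4hr` set matched by the `-m set --match-set blacklist4hr src -j DROP` rule above. Because every entry expires after its timeout, a partner's NATed address that does trip the threshold is released on its own, and the exemption list covers the sites you already know about.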
evotinion
Posts: 3
Joined: Tue Jul 11, 2017 4:03 am

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Post by evotinion »

Hi dik23,

Would you mind sharing your solution on ipset?
Last edited by evotinion on Tue Jul 11, 2017 7:34 am, edited 2 times in total.
evotinion
Posts: 3
Joined: Tue Jul 11, 2017 4:03 am

Re: Distributed SASL LOGIN authentication failed

Post by evotinion »

dik23 wrote: If anyone's interested, I found the best way to prevent this has been to use ipsets to dynamically update firewall rules for the smtp and https ports.
dik23 would you mind sharing the solution?
Thanks
dik23
Outstanding Member
Posts: 264
Joined: Sat Sep 13, 2014 1:44 am

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Post by dik23 »

evotinion
Posts: 3
Joined: Tue Jul 11, 2017 4:03 am

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Post by evotinion »


Thanks dik23
WebGreg
Posts: 16
Joined: Wed Sep 29, 2021 8:02 am

Re: [SOLVED] Distributed SASL LOGIN authentication failed

Post by WebGreg »

Hello.

It's an old thread, but I still have a problem with it. I have noticed that many attackers have been mentioned here: https://mxtoolbox.com/SuperTool.aspx?ac ... n=toolpage
Has anyone configured a Zimbra with any of these services and is able to suggest how to do it?