[SOLVED] No authentication error logs web client

j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

[SOLVED] No authentication error logs web client

Post by j2b »

Hey, guys,

Kind of missing something, or wrong configuration. Where could I find authentication error log statements, when user logs into web client interface?

The audit.log file does have entries if IMAP, CalDAV, WebDAV, SMTP authentication is going on, but no signs (whether successful or failed) of authentication events via the Web interface login form. Could anybody help spotting this issue? mailbox.log does not give auth errors either.
Last edited by j2b on Tue Jan 17, 2017 9:39 am, edited 1 time in total.
rwebb616
Posts: 25
Joined: Mon Apr 11, 2016 1:52 pm

Re: No authentication error logs web client

Post by rwebb616 »

I think that the authentication entries are in mailbox.log if I'm not mistaken.

Rich
j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Re: No authentication error logs web client

Post by j2b »

Thank you, Rich, for the hint. Unfortunately, no.

I tailed mailbox.log. When auth is successful, there's a bunch of log entries to /service/soap/GetInfoRequest. Amongst them there are /service/soap/AuthRequest requests, indicating external oip and user name. Assuming this, such a log entry can be used just to track that a user has successfully logged in and from which IP address, User agent, etc.

Regarding AuthRequests, I cannot find information on what the last element in the log entry is: 'elapsed=X', where X is a number.

And the opposite - during logout, there's a notice about /service/soap/EndSessionRequest.

By this, I may catch the fact that a user has successfully authenticated, and from the activity in mailbox.log and the proxy server nginx.access.log/nginx.log timestamps gather that some resources get downloaded (img, css, js, etc.). Also, in the Nginx log there's a POST event corresponding to the event in mailbox.log during /service/soap/AuthRequest. But that's only in case we have rare authentication events. There's no option to tie together Nginx and mailbox.log data to a single account, as within a second there may be several authentications to different accounts. This helps a little, as we can distinguish oip, but not very much if users are logging on via a NATted network and a single gateway IP. All 10 users may go at the same time.

Now, what I was looking for: there are no signs of a wrong web UI password entry. No auth errors in mailbox.log, nor in audit.log files. The only way to find out that somebody is trying to guess a web UI password, or trying to penetrate the login form, is to follow POST requests in the Nginx (Zimbra Proxy) log files, which do show a difference. But no user account is available at this point, and I cannot guarantee that tailing URIs is the right way to watch the logs.

The difference between failed and successful POST events (afterwards only static resources are loaded, with a session ID added, but I cannot find whether there's any use of the session ID; no related info in audit.log nor mailbox.log according to the session ID):

Failed login POST:
{remote-host-ip}:50246 - - [16/Jan/2017:21:05:05 +0200] "POST / HTTP/1.1" 200 12625 "https://zcs.example.com/?loginOp=logout" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" "{internal-mailbox-ip}:8080"
Success login POST:
{remote-host-ip}:50246 - - [16/Jan/2017:21:06:09 +0200] "POST / HTTP/1.1" 302 729 "https://zcs.example.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" "{internal-mailbox-ip}:8080"
So, from these log entries, the only way to find out that a web UI login was a failure is to look for the /?loginOp=logout string in the URI, whereas in a successful auth there's no URI at all. Further down the stream of a successful login, there's a GET entry picking the ./contacts URI, which by chance indicates the account name (/home/{username}/Contacts?...), but at a particular timestamp this may be related to any other session that at a single point in time might have succeeded in auth.

Or, I can identify the IP address (if URI filtering could be reliable) that missed the web UI login, but cannot relate it to a particular account.

At this point I'm stuck. There should be something, or how does Zimbra count unsuccessful logins, including web UI, to introduce automatic lockout?

What I want to achieve is to pick up logs and find IP addresses and account names that get false authentications: penetration, brute force, etc. IMAP/SMTP: no problems here. But I cannot find how to count wrong logins for a particular account via the web UI.

Once again, once a login is successful, activity can be seen in different places, but at some point it's hard to link it to a particular account. But once a login is not successful, I cannot find a way to link it to a particular account, to account for the failed ones.

Thanks, if anybody can advise on this.

Janis
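As an added illustration (not code from the thread or from Zimbra) of the proxy-log heuristic in the post above: a small parser for the nginx access-log layout quoted there that classifies login POSTs per client IP. The classification rule is an assumption taken from the two quoted entries (302 redirect = success, 200 re-rendered login page = failure), and the sample lines below are constructed with documentation IP addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the two proxy log entries quoted above
# (203.0.113.x / 198.51.100.x are documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.7:50246 - - [16/Jan/2017:21:05:05 +0200] "POST / HTTP/1.1" 200 12625 "https://zcs.example.com/?loginOp=logout" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" "10.10.0.5:8080"
203.0.113.7:50247 - - [16/Jan/2017:21:05:21 +0200] "POST / HTTP/1.1" 200 12625 "https://zcs.example.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" "10.10.0.5:8080"
203.0.113.7:50248 - - [16/Jan/2017:21:06:09 +0200] "POST / HTTP/1.1" 302 729 "https://zcs.example.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" "10.10.0.5:8080"
198.51.100.9:40001 - - [16/Jan/2017:21:06:10 +0200] "GET /js/zimbraMail.js HTTP/1.1" 200 5000 "https://zcs.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0" "10.10.0.5:8080"
"""

# Fields in the order they appear: client ip:port, ident, user, [time], "request",
# status, bytes, "referer", "user-agent", "upstream".
LINE_RE = re.compile(
    r'^(?P<ip>[^:\s]+):\d+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_login(line):
    """Return ('failed'|'success', ip) for a web-UI login POST, or None otherwise.

    Assumption drawn from the two quoted entries: a successful form login is
    answered with a 302 redirect into the client, a failed one re-renders the
    login page with a 200. Nothing in the proxy log identifies the account.
    """
    m = LINE_RE.match(line)
    if not m or m['method'] != 'POST' or m['uri'] != '/':
        return None
    if m['status'] == '302':
        return 'success', m['ip']
    if m['status'] == '200':
        return 'failed', m['ip']
    return None


def failed_logins_by_ip(log_text, threshold=2):
    """Count failed and successful login POSTs per client IP; list IPs at/over threshold."""
    failed, success = Counter(), Counter()
    for line in log_text.splitlines():
        r = classify_login(line)
        if r:
            (failed if r[0] == 'failed' else success)[r[1]] += 1
    flagged = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {'failed': dict(failed), 'success': dict(success), 'flagged': flagged}
```

This only yields source IPs, which is exactly the limitation the post describes; the thread's own resolution (below) is that the per-account failures are in audit.log on the mailbox server that performed the authentication.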
j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Re: No authentication error logs web client

Post by j2b »

Apologies, all. I messed up where to look. The situation was due to several mailboxes in play, and I was just looking at audit.log on the mailbox that holds the particular user account. It turns out that web UI auth errors are logged in the audit.log file. You just have to tail all audit.log files to get the idea. As it seems, the audit.log file is appended on the mailbox that's doing auth for the particular user, and it need not hold this user's mail account.

Issue solved.