Attempted compromises of specific named accounts from India

WasatchYeti
Posts: 2
Joined: Sun Apr 23, 2017 1:09 am

Attempted compromises of specific named accounts from India

Post by WasatchYeti »

I am hoping someone has an idea I haven't thought of; this is getting out of control.

We have accounts repeatedly being locked out because someone in India is trying to compromise the accounts and after a number of failed login attempts the accounts lock.

I am using the iptables firewall and have resorted to blocking entire /8, /16, etc address ranges.

My iptables list is now 6023 lines long as I am excluding every assigned subnet for a number of countries including:
IN, CN, RU, KR, PK, TW, SG and HK

As well, I have resorted to checking ARIN for the subnet assignment of the origination IP and if it's RIPE NCC, AFRINIC or APNIC, I am including the whole range instead of the one-off IP addresses.

The most troubling part about this is they are not trying to guess account names; they are using specific and uncommon usernames, so it appears the perpetrators have a list of valid accounts to work from.

What do others do to defend their corporate email servers?

Thanks!
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: Attempted compromises of specific named accounts from India

Post by liverpoolfcfan »

I can also confirm that I have seen a huge rise in these attempts to compromise legitimate accounts of late.

You can use fail2ban to automate the iptables stuff but beyond that there is not much more you can do that I know of.

They have also gotten a lot more clever. I generate fail2ban emails from each ban and I can see that the attempts are all spaced out, 2 to 3 minutes apart, and originating from different IP addresses. I am banning smtpd after just one failure and still seeing tens of these attempts per day. It used to be that 10-20 IP addresses would all try to access the server at the same time, but the attacks are now far better coordinated, using a much larger pool of clients in a serial fashion rather than the old multiple clients in parallel.

From the pattern I see, I suspect that there is a central control server running the show somewhere, and after each IP is banned that client is timing out on the next connection attempt from that IP address, then reporting back to the control server, which then kicks off a new client somewhere else on a different IP address. The other possibility I guess is that the connections are coming from a single server through Tor or a similar IP address anonymiser.
howanitz
Advanced member
Posts: 65
Joined: Mon Feb 01, 2016 9:27 am

Re: Attempted compromises of specific named accounts from India

Post by howanitz »

Seeing about 100 times more account break-in attempts in the last two weeks than I have historically. I was hoping they had just decided to pick on us.

I have a daemon alerting me to account lockouts so I can adjust our firewall and unlock accounts, but that is eating too much of my time. At this point I am hoping that enough systems are broken into that most organizations switch to 2FA and the script kiddies give up this particular tactic.

I wonder if this is not a good sales opportunity for Zimbra cloud providers; do MS Exchange systems have affordable 2FA?

I wish the time to respond to password events would increase with each failed attempt on a per user basis rather than just locking accounts. Perhaps with a whitelist of recently successful systems, or a new type of lockout that did not include systems that had previously successfully authenticated, so that only new systems were locked out.
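An added example (not from any poster in this thread, and not Zimbra's own code) that puts the ideas in the last three posts into a few shell functions: the fail2ban-style count of failures per source IP that liverpoolfcfan automates, the "whitelist of recently successful systems" that howanitz asks for so a block never cuts off a legitimate client, and a per-account view of how many distinct addresses are hitting each username, which is the signal the original post raises. The audit.log lines are constructed here, the field layout is an assumption about Zimbra's format, and the function names are mine:

```bash
#!/bin/bash
# Added example, not code from this thread. It parses Zimbra-style audit.log lines
# and produces three defender-side views: source IPs past a failure threshold,
# IPs that recently authenticated successfully (an allowlist, so a block never
# cuts off a real user's office or home address), and accounts hit from several
# sources. The log lines are constructed below and the exact field layout
# (the [name=...;oip=...;] block and the "cmd=Auth; account=...; protocol=soap;"
# tail) is an assumption about the format.

# Build one constructed audit.log line:  mk_line <oip> <account> <fail|ok>
mk_line() {
    local ip=$1 acct=$2 tail=''
    if [ "$3" = fail ]; then
        tail=" error=authentication failed for [$acct], invalid password;"
    fi
    printf '2017-04-24 01:02:03,001 WARN  [qtp1-2:https://mail.example.com/service/soap/AuthRequest] [name=%s;oip=%s;ua=zclient/8.7.0;] security - cmd=Auth; account=%s; protocol=soap;%s\n' \
        "$acct" "$ip" "$acct" "$tail"
}

# Constructed sample: one noisy attacker, one low-and-slow attacker spread over two
# accounts, an internal host, and a known-good client that later starts failing.
build_sample_log() {
    local i
    for i in 1 2 3 4 5 6; do mk_line 203.0.113.10 alice@example.com fail; done
    for i in 1 2; do mk_line 198.51.100.7 alice@example.com fail; done
    for i in 1 2; do mk_line 198.51.100.7 bob@example.com fail; done
    for i in 1 2 3 4 5 6 7; do mk_line 10.0.0.5 alice@example.com fail; done
    mk_line 192.0.2.44 alice@example.com ok
    for i in 1 2 3 4 5 6; do mk_line 192.0.2.44 alice@example.com fail; done
}

# RFC 1918 space, anchored at the start of the address so 203.10.x.x is not excluded by mistake
PRIVATE_RE='^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# Pull the oip= value out of each line on stdin
extract_oip() {
    grep -oE 'oip=[0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d= -f2
}

# failed_ips_over <threshold>  (log on stdin): external IPs with more than <threshold> failed SOAP logins
failed_ips_over() {
    grep 'authentication failed' | grep 'protocol=soap' | extract_oip \
        | grep -vE "$PRIVATE_RE" | sort | uniq -c | awk -v n="$1" '$1 > n { print $2 }'
}

# recent_good_ips <domain>  (log on stdin): IPs with a successful Auth for any account in <domain>
recent_good_ips() {
    grep 'cmd=Auth;' | grep -v 'error=' | grep -F "@$1;" | extract_oip | sort -u
}

# block_candidates <threshold> <domain> <logfile>: failing IPs minus the allowlist
block_candidates() {
    local allow
    allow=$(recent_good_ips "$2" < "$3")
    failed_ips_over "$1" < "$3" | grep -vxF -- "${allow:-NO_ALLOWLIST_ENTRIES}"
}

# targeted_accounts <n>  (log on stdin): accounts failed from at least <n> distinct external IPs,
# the "they already have a list of valid usernames" signal rather than one host on one account
targeted_accounts() {
    grep 'authentication failed' | grep 'protocol=soap' \
        | grep -vE 'oip=(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
        | sed -E 's/.*oip=([0-9.]+);.* account=([^;]+);.*/\2 \1/' \
        | sort -u | awk -v n="$1" '{ c[$1]++ } END { for (a in c) if (c[a] >= n) print a }' | sort
}

# Stand-alone demo: write the constructed log to a temp file and print each view
demo() {
    local log; log=$(mktemp)
    build_sample_log > "$log"
    echo "External IPs with more than 5 failures:"; failed_ips_over 5 < "$log"
    echo "Allowlisted (recent successful login):"; recent_good_ips example.com < "$log"
    echo "Block candidates:"; block_candidates 5 example.com "$log"
    echo "Accounts targeted from 2 or more IPs:"; targeted_accounts 2 < "$log"
    rm -f "$log"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash audit_views.sh demo` to see each view on the constructed log. block_candidates is the list you would hand to iptables or a fail2ban action; targeted_accounts tells you which users to push toward a password change or 2FA. The allowlist needs one caveat: an address that logged in successfully and then fails repeatedly (192.0.2.44 in the sample) is kept off the block list, which is exactly what howanitz asked for, but it may also be a compromised client, so it belongs on a review list rather than being silently trusted.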
WasatchYeti
Posts: 2
Joined: Sun Apr 23, 2017 1:09 am

Re: Attempted compromises of specific named accounts from India

Post by WasatchYeti »

I hope this will help someone else.

I wanted to add logic to automatically unlock user accounts and am not as well versed with fail2ban so decided to hack my own.

This was a hacked together solution in the middle of the heat of battle so take it for what it is...

I save this as /usr/local/bin/add_to_iptables.sh and call it from root's crontab every minute.

Code:

#!/bin/bash

# License: Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
# https://creativecommons.org/licenses/by-sa/4.0/
# Originally written by WasatchYeti
# I am happy to share this work and hope you will be happy to share any derivative works

r_VERSION=0.3

# Source IPs never to block; anchored so that e.g. 203.10.x.x is not mistaken for 10.x.x.x
SUBNETS_TO_EXCLUDE="^(10\.|192\.168\.)"
DOMAIN="yourdomain.com"
AUDIT_LOG="/opt/zimbra/log/audit.log"
SYSCONFIG="/etc/sysconfig"
BACKUPS="$SYSCONFIG/iptables_backups"
IPTABLES="$SYSCONFIG/iptables"
[[ ! -s "${IPTABLES}_allow" ]] && touch "${IPTABLES}_allow"
TS=$(date +%m%d%Y-%H%M%S)

FOUND_DROPS=0
CHANGES=0
BLOCKED_IPS=""

# Source IPs (the oip= field) with more than 5 failed SOAP logins in audit.log, minus excluded subnets
IPS_TO_BLOCK=$(grep "authentication failed" "$AUDIT_LOG" | grep soap \
        | grep -oE 'oip=[0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d= -f2 \
        | grep -vE "$SUBNETS_TO_EXCLUDE" | sort | uniq -c | awk '$1 > 5 { print $2 }')

# Walk the saved iptables rules; when the run of existing "-A INPUT -s x.x.x.x/32 -j DROP"
# lines ends, emit a DROP rule for each new IP just before the first non-DROP line
while IFS= read -r line
do
        _fields=( $line )
        if [[ ${#_fields[@]} -eq 6 && $line =~ DROP ]]
        then
                FOUND_DROPS=1
        fi

        if [[ $FOUND_DROPS -eq 1 && ! $line =~ DROP ]]
        then
                for IP in $IPS_TO_BLOCK
                do
                        # -F so the dots in the IP are literal; pad with spaces so 1.2.3.4 does not match 1.2.3.45
                        if ! grep -qF -- "$IP" "${IPTABLES}_allow" && \
                           ! grep -qF -- " $IP/32 " "$IPTABLES" && \
                           [[ ! " $BLOCKED_IPS " =~ " $IP " ]]
                        then
                                BLOCKED_IPS="$BLOCKED_IPS $IP"
                                echo "Adding IP $IP to iptables" >&2
                                echo "-A INPUT -s ${IP}/32 -j DROP"
                                CHANGES=1
                        fi
                done
                FOUND_DROPS=2
        fi
        printf '%s\n' "$line"
done < "$IPTABLES" > "${IPTABLES}_$$"

if [[ $CHANGES -ne 0 ]]
then
        [ ! -d "$BACKUPS" ] && /bin/mkdir "$BACKUPS"
        # Keep a compressed copy of the rules as they were before this change, then install the new file
        cp "$IPTABLES" "$BACKUPS/iptables_$TS"
        gzip "$BACKUPS/iptables_$TS"
        cat "${IPTABLES}_$$" > "$IPTABLES"
        /etc/init.d/iptables reload
fi

/bin/rm "${IPTABLES}_$$"

USER_STATUS=""

# Unlock any account in our domain that the blocked IPs drove into "locked" status
# (the log is filtered by IP so the outer loop actually narrows the search)
for IP in $IPS_TO_BLOCK
do
        for user in $(grep "authentication failed" "$AUDIT_LOG" | grep soap \
                        | grep -F "oip=$IP;" | grep -oE 'account=[^;]+' | cut -d= -f2 | sort -u)
        do
                if [[ "$user" =~ "$DOMAIN" ]]
                then
                        # Query zmprov once per account; the result is cached in USER_STATUS
                        if [[ ! " $USER_STATUS " =~ " $user:" ]]
                        then
                                status=$(su - zimbra -c "zmprov ga $user zimbraAccountStatus" | grep "^zimbraAccountStatus" | awk '{ print $NF }')
                                USER_STATUS="$USER_STATUS $user:$status"
                                if [[ "$status" == "locked" ]]
                                then
                                        echo "Account $user is locked, unlocking"
                                        su - zimbra -c "zmprov ma $user zimbraAccountStatus active"
                                        su - zimbra -c "zmprov ga $user zimbraAccountStatus" | grep "^zimbraAccountStatus"
                                fi
                        fi
                fi
        done
done

# Changelog
# v0.1 Initial version
# 0.2 Added unlock for user accounts
# 0.3 Adding IPs to iptables somehow ended up with multiples and adding "BLOCKED_IPS" was quicker than diagnosing why uniq isn't. :)