Is this normal?

guti19840
Posts: 16
Joined: Thu Feb 26, 2015 2:29 pm

Is this normal?

Post by guti19840 »

Every 1,0s: tail -n1000 /var/log/zimbra.log | grep auth_zimbra: Fri Sep 28 01:55:23 2018

Sep 28 01:00:40 correo saslauthd[6285]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:01:53 correo saslauthd[6287]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:03:23 correo saslauthd[6283]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:04:32 correo saslauthd[6285]: auth_zimbra: info auth failed: authentication failed for [info]
Sep 28 01:05:38 correo saslauthd[6284]: auth_zimbra: postmaster auth failed: authentication failed for [postmaster]
Sep 28 01:06:55 correo saslauthd[6282]: auth_zimbra: teste123 auth failed: authentication failed for [teste123]
Sep 28 01:07:18 correo saslauthd[6283]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:08:05 correo saslauthd[6285]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:09:18 correo saslauthd[6284]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:10:41 correo saslauthd[6283]: auth_zimbra: info auth failed: authentication failed for [info]
Sep 28 01:11:53 correo saslauthd[6285]: auth_zimbra: postmaster auth failed: authentication failed for [postmaster]
Sep 28 01:13:10 correo saslauthd[6287]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:14:20 correo saslauthd[6282]: auth_zimbra: admin auth failed: authentication failed for [admin]
Sep 28 01:14:59 correo saslauthd[6283]: auth_zimbra: hpword auth failed: authentication failed for [hpword]
Sep 28 01:15:37 correo saslauthd[6284]: auth_zimbra: root auth failed: authentication failed for [root]
Sep 28 01:19:24 correo saslauthd[6282]: auth_zimbra: test auth failed: authentication failed for [test]
Sep 28 01:20:36 correo saslauthd[6283]: auth_zimbra: admin auth failed: authentication failed for [admin]

zmcontrol -v
Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Is this normal?

Post by DualBoot »

brute force in progress
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Is this normal?

Post by L. Mark Stone »

Brute force in progress, as DualBoot said.

This is a good use case for fail2ban or DoSFilter....

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Jordack
Posts: 34
Joined: Sat Sep 13, 2014 2:15 am

Re: Is this normal?

Post by Jordack »

If you put something on the internet, someone malicious will try to log into it.

My home server has SSH open on a non-standard port (security through obscurity). Fail2ban still bans at least one person/bot a month.

So is it normal? Yes. Just a normal everyday threat to the security of your internet facing device.
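
Added example, not part of the thread: a small Python check that parses `auth_zimbra` failure lines in the format posted above and flags a window where failures are spread across several account names, the pattern the replies identify as brute force. The thresholds, the `year` default and the function names are assumptions; the posted lines carry no client address, so the result is per account only.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# (time, account) pairs from the first post; PID fixed at 6285 for brevity.
POSTED = [("01:00:40", "test"), ("01:01:53", "admin"), ("01:03:23", "root"),
          ("01:04:32", "info"), ("01:05:38", "postmaster"), ("01:06:55", "teste123"),
          ("01:07:18", "test"), ("01:08:05", "admin"), ("01:09:18", "root"),
          ("01:10:41", "info"), ("01:11:53", "postmaster"), ("01:13:10", "test"),
          ("01:14:20", "admin"), ("01:14:59", "hpword"), ("01:15:37", "root"),
          ("01:19:24", "test"), ("01:20:36", "admin")]
SAMPLE = "\n".join(
    f"Sep 28 {t} correo saslauthd[6285]: auth_zimbra: {u} auth failed: "
    f"authentication failed for [{u}]" for t, u in POSTED)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: auth_zimbra: "
    r"(?P<user>\S+) auth failed: authentication failed for \[(?P=user)\]$")

def parse(text, year=2018):
    """Return sorted (timestamp, account) pairs for auth_zimbra failures."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"]))
    return sorted(events)

def detect(events, window=timedelta(minutes=30), min_failures=10, min_accounts=4):
    """Return the first window with many failures spread over many accounts.

    The default thresholds are assumed values, not taken from the thread.
    """
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1  # slide the window forward
        span = events[start:end + 1]
        accounts = sorted({user for _, user in span})
        if len(span) >= min_failures and len(accounts) >= min_accounts:
            return {"from": span[0][0], "to": span[-1][0],
                    "failures": len(span), "accounts": accounts}
    return None

if __name__ == "__main__":
    events = parse(SAMPLE)
    print(Counter(user for _, user in events).most_common())
    print(detect(events))
```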