reveal IP connection source from bruteforce authentication attempt

gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

reveal IP connection source from bruteforce authentication attempt

Post by gaelroma »

Hello, I have Zimbra behind pfSense and the public IP is NATted to the internal IP. Split DNS is set as well.

So the firewall is on 172.0.1.1 and the mail server on the same LAN.

I see a lot of authentication failures in the Zimbra log, and it says that the connection comes from ... the firewall...

I can tell you that this operation is systematically done every 5 secs with a random account.

Oct 13 17:02:10 mail postfix/smtpd[11832]: connect from fw.mydomain.xxx[172.10.1.1]
Oct 13 17:02:15 mail saslauthd[3841]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...

I read on this forum that a solution could be to use fail2ban, but since the source IP is the firewall I believe that the FW IP will be banned...

How can I let Zimbra print the real source IP in the log and let fail2ban work properly?

I even blocked traffic on pfSense from port 7071, but this bot continues its attacks.

Thanks for the help.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: reveal IP connection source from bruteforce authentication attempt

Post by L. Mark Stone »

First step is to configure Zimbra to log the originating IP address; there's a wiki for that:

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

You don't say what version of Zimbra you are running, but I am going to presume you have Zimbra proxy running (required on all supported versions now anyway).

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Post by gaelroma »

Hi Mark, thank you for your reply.

The Zimbra version is 8.6. I am not running the proxy. The mail server is behind a firewall.

The firewall is a pfSense machine, x.x.x.1.
Zimbra is on another machine, x.x.x.12.

On pfSense there is a 1:1 NAT to translate the public IP to the Zimbra server.

I added the local IPs of the firewall and mail server as you suggested:
zmprov mcf +zimbraMailTrustedIP x.x.x.1
zmprov mcf +zimbraMailTrustedIP x.x.x.12

Restarted zmmailboxdctl, but nothing changed.

In the log I always see a long list of connect from fw.mydomain.xxx[x.x.x.1]

Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:10 mail saslauthd[3840]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...
Oct 14 19:10:10 mail saslauthd[3840]: zmpost: url='https://mail.mydomain.xxx:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [schuftp2@mydomain.xxx]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2054798982-171:https://x.x.x.12:7071/service/admin/soap/:1539537010737:34f5ae85e0482ba2</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct 14 19:10:10 mail saslauthd[3840]: auth_zimbra: schuftp2@mydomain.xxx auth failed: authentication failed for [schuftp2@mydomain.xxx]
Oct 14 19:10:10 mail saslauthd[3840]: do_auth         : auth failure: [user=schuftp2@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct 14 19:10:10 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[x.x.x.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:11 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[x.x.x.1]

The hackers discovered one mail account name and sent an email to it pretending the breach.

:( I cannot figure it out!!
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: reveal IP connection source from bruteforce authentication attempt

Post by L. Mark Stone »

This scenario is what Zimbra’s DoSFilter or fail2ban are intended to address: block an offending IP address for some amount of time — before an account is hacked.

Probably you already know that 8.6 is past end of life, so no more security fixes.

Nginx is much better at handling this sort of nonsense than mailboxd.

If pfsense can do RBL blocking that might help; persistent attacks often come from known bad IP addresses or domains.

Hope that helps.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Post by gaelroma »

I know that fail2ban should fix this issue.

In fact I need to reveal which IP is doing the brute force and ban it. Unfortunately the Zimbra log and mail log don't give me this information, and fail2ban relies on it.

Maybe it could be a DNS configuration. But in order to work behind a firewall, Zimbra must be set up with split DNS.
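The core of the problem in this thread is that every SASL failure is logged against the gateway address, so a fail2ban-style counter would ban the firewall itself. The following is an added example (not code from the thread or from Zimbra/fail2ban) that counts postfix SASL failures per logged client IP and separates real offenders from "masked" sources whose address belongs to a trusted gateway/LAN list; the log lines are constructed to mirror the entries quoted above, with 192.0.2.1 standing in for the x.x.x.1 firewall and the TRUSTED networks being assumed values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the postfix/smtpd entries quoted in the thread.
# 192.0.2.1 plays the role of the NAT gateway (x.x.x.1); 198.51.100.77 is a direct client.
SAMPLE_LOG = """\
Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[192.0.2.1]
Oct 14 19:10:10 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:11 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[192.0.2.1]
Oct 14 19:10:15 mail postfix/smtpd[9003]: warning: fw.mydomain.xxx[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:20 mail postfix/smtpd[9004]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
"""

# Pattern in the spirit of fail2ban's postfix-sasl filter: the client IP is the bracketed
# address that precedes "SASL <mech> authentication failed".
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

# Assumed addresses that must never be banned: the NAT gateway and the internal LAN.
TRUSTED = [ip_network("192.0.2.1/32"), ip_network("10.0.0.0/8")]

def count_failures(log_text):
    """Return a Counter of SASL authentication failures keyed by the logged client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SASL_FAIL.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts

def classify(failures, threshold=2):
    """Split IPs at or above the failure threshold into (bannable, masked).

    A masked IP is one from TRUSTED: the real origin is not in the log, so banning it would
    cut off the firewall (and every client behind it) instead of the attacker.
    """
    bannable, masked = [], []
    for ip, n in failures.items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        target = masked if any(addr in net for net in TRUSTED) else bannable
        target.append(ip)
    return sorted(bannable), sorted(masked)
```

When the masked list is non-empty, the fix is upstream (log the originating IP or forward ports rather than NAT so the client address survives), not a lower ban threshold.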
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: reveal IP connection source from bruteforce authentication attempt

Post by axslingr »

What do your port forwarding settings look like in pfSense?

Lance
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Post by gaelroma »

Hi Lance,

Ehm... it's empty, no rules in Port Forwarding.

The firewall rules are the following:
Reject everything except
80 (HTTP)
443 (HTTPS)
143 (IMAP)
993 (IMAP/S)
110 (POP3)
995 (POP3/S)
25 (SMTP)
465 (SMTP/S)
587 (SUBMISSION)
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: reveal IP connection source from bruteforce authentication attempt

Post by axslingr »

There's your problem. Delete those rules and port forward all of those ports to your Zimbra server.

Lance
gaelroma
Posts: 10
Joined: Thu Sep 27, 2018 10:56 am

Re: reveal IP connection source from bruteforce authentication attempt

Post by gaelroma »

Hey Lance,

I did what you suggested..

Rebooted both machines,

but nothing changed; I always have the firewall IP in the logs...

I can see this weird stuff in the pfSense logs.
Time IF Source Destination
Oct 15 21:18 WAN [fe80::6eb2:aeff:fe01:8841] [ff02::66]:2029
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: reveal IP connection source from bruteforce authentication attempt

Post by axslingr »

Ok, what does that 1:1 NAT setting look like? Do you really need that? If you only have one public IP on the WAN interface, you don't.

Lance