There is a problem and I do not know in which direction to dig. Tell me, if anyone knows ...
First, a little configuration:
[zimbra@mail ~]$ zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P1.
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: -1
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 4320
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 3
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 3
With this configuration, IP addresses that fall under the current DoS Filter settings are blocked. But only those addresses that are seen brute-forcing through the web interface are locked.
All other unsuccessful authentications are ignored (POP3, IMAP, etc.).
A few examples (cat mailbox.log | grep ...):
Lock on brute force via the web (in this case, everything is fine):
2019-01-22 18:15:43,341 INFO [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:15:43,341 INFO [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] soap - AuthRequest elapsed=9
2019-01-22 18:16:11,091 INFO [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:11,091 INFO [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] soap - AuthRequest elapsed=7
2019-01-22 18:16:36,000 INFO [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] soap - AuthRequest elapsed=5
2019-01-22 18:17:07,672 INFO [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:17:07,673 INFO [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] soap - AuthRequest elapsed=4
2019-01-22 18:17:22,648 INFO [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 18:17:26,728 INFO [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 17:57:43,536 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:31,515 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=14;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:18,442 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=21;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:43,915 INFO [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=24;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:48,225 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=25;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:50,482 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=26;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:52,865 INFO [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=27;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:55,387 INFO [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=28;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:58,690 INFO [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=29;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:02:03,841 INFO [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=30;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:03:11,301 INFO [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=31;] imap - authentication failed for [user2@domain.com] (account lockout)
Tell me, how can this be fixed?
Thanks.
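The gap described in the post can be measured directly from mailbox.log. The following is an added example, not part of the original post and not Zimbra code: it counts failed authentications per `oip` across every listener and reports the IPs that reached the threshold without ever producing an "Access from IP ... suspended" line. The function names, the 10-minute window and the sample lines (documentation IPs) are assumptions; the threshold of 3 mirrors the `zimbraInvalidLoginFilterMaxFailedLogin` value shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-auth lines from any listener (SoapEngine, imap, ...); oip = client IP.
FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?\boip=([^;\]]+);.*?\] (\w+) - "
    r"(?:handler exception: )?authentication failed for \[")
SUSPEND_RE = re.compile(r"misc - Access from IP (\S+) suspended")

def unblocked_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each IP with >= threshold failures inside window, and no
    'suspended' line, to the loggers that recorded the failures."""
    failures, suspended = defaultdict(list), set()
    for line in lines:
        if (m := SUSPEND_RE.search(line)):
            suspended.add(m.group(1))
        elif (m := FAIL_RE.match(line)):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            failures[m.group(2)].append((ts, m.group(3)))
    report = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst and ip not in suspended:
            report[ip] = sorted({logger for _, logger in events})
    return report

def sample_log():
    """Constructed lines in the two formats quoted in the post (documentation IPs)."""
    soap = ("2019-01-22 18:15:{s:02d},341 INFO [qtp1-137:http://localhost:8080/service/soap/"
            "AuthRequest] [name=user1@domain.com;oip=192.0.2.10;ua=zclient/8.8.11_GA_3737;"
            "soapId=7019;] SoapEngine - handler exception: authentication failed for "
            "[user1@domain.com], invalid password")
    imap = ("2019-01-22 17:58:{s:02d},536 INFO [ImapSSLServer-2] [ip=10.0.0.5;"
            "oip={ip};via=com.android.email,10.0.0.5(nginx/1.7.1);cid=11;] imap - "
            "authentication failed for [user2@domain.com] (invalid password)")
    lines = [soap.format(s=s) for s in (10, 25, 40)]
    lines.append("2019-01-22 18:16:02,648 INFO [qtp1-392:http://localhost:8080/service/soap/"
                 "AuthRequest] [] misc - Access from IP 192.0.2.10 suspended, for repeated failed login.")
    lines += [imap.format(s=s, ip="198.51.100.7") for s in (0, 17, 31)]   # IMAP burst
    lines.append(imap.format(s=50, ip="203.0.113.9"))                     # single failure
    return lines

if __name__ == "__main__":
    for ip, loggers in unblocked_offenders(sample_log()).items():
        print(f"{ip}: repeated failures via {', '.join(loggers)}, never suspended")
```

Run against the lines of a real mailbox.log, the returned IPs are the ones the built-in filter did not act on; the result can be reviewed or handed to whatever blocking mechanism sits in front of the mail ports.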