Spam Anonymous TLS connection established from unknown

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Spam Anonymous TLS connection established from unknown

Post by hoangnguyen »

Hi,
English is not my first language, so please ignore my mistake.
I have a problem when I view the log on my zimbra server. There's an IP connecting to my server, like a brute force attack, using port 7073:
[attachment: zimbralog.png]
I tried to block that port on my firewall, block the spam IP, and use the DDoS filter to block the IP after 5 failed logins, but when I view the log, I still see that IP continuing to connect to my server using many different users.

When I netstat on zimbra server, I only see server local IP:
[attachment: zimbra_netsat.png]
Can somebody help me close port 7073, or configure the zimbra server to solve this problem?
Thanks.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Spam Anonymous TLS connection established from unknown

Post by phoenix »

Port 7073 should not be accessible via the internet; if you really need to do any admin task then use a VPN and connect to port 7073 'locally'. For brute force attacks you should look at fail2ban (search the forums for details).
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: Spam Anonymous TLS connection established from unknown

Post by hoangnguyen »

Thanks, phoenix.

I follow this blog: https://www.missioncriticalemail.com/20 ... -together/
And I'm waiting for the result ;) .
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Spam Anonymous TLS connection established from unknown

Post by phoenix »

That's fine, but what you're asking about is attempted connections to port 7073. That is the admin port and should never be exposed on the internet. The only port(s) you need to expose are port 25 and any that are required for your users to get their email; all the rest should be blocked for your Zimbra server. I'd still suggest you look at fail2ban for a potential solution.
Regards

Bill

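As an added example (not from this thread, Zimbra or fail2ban itself), a small Python check in the spirit of the fail2ban jail phoenix recommends: it counts Postfix SASL authentication failures per client IP in zimbra.log-style lines and reports the addresses at or above the 5-failure threshold hoangnguyen mentioned, skipping loopback so the Zimbra proxy's own connections to smtpd are never counted. The log lines are constructed samples in Postfix's syslog format with documentation IP addresses; the Postfix message wording is assumed from its smtpd logging.

```python
import re
from collections import Counter

# Postfix logs each SASL failure as a "warning:" line; an "Anonymous TLS connection
# established" line on its own is only a handshake, not a failed login. Format assumed
# from Postfix smtpd; the lines below are constructed samples, not from the thread.
FAIL_FMT = ("Mar 25 10:01:{sec:02d} mail postfix/smtpd[4321]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure\n")
SAMPLE_LOG = (
    "Mar 25 10:01:12 mail postfix/smtpd[4321]: Anonymous TLS connection established "
    "from unknown[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\n"
    + "".join(FAIL_FMT.format(ip="203.0.113.5", sec=13 + i) for i in range(6))   # 6 failures
    + "".join(FAIL_FMT.format(ip="198.51.100.7", sec=30 + i) for i in range(2))  # 2 failures
    + "".join(FAIL_FMT.format(ip="127.0.0.1", sec=40 + i) for i in range(5))     # proxy, 5 failures
)

# Matches the client address in a Postfix SASL failure line (LOGIN or PLAIN mechanism).
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN) authentication failed"
)

# Like fail2ban's ignoreip: never count loopback, because on a Zimbra box with the
# proxy in front of Postfix the proxy itself talks to smtpd from 127.0.0.1.
IGNORE_IP = frozenset({"127.0.0.1", "::1"})


def count_sasl_failures(lines, ignoreip=IGNORE_IP):
    """Return a Counter of SASL auth failures per client IP, skipping ignored IPs."""
    counts = Counter()
    for line in lines:
        m = SASL_FAIL.search(line)
        if m and m.group("ip") not in ignoreip:
            counts[m.group("ip")] += 1
    return counts


def offenders(lines, maxretry=5, ignoreip=IGNORE_IP):
    """IPs with at least `maxretry` failures, i.e. what a fail2ban jail would ban."""
    counts = count_sasl_failures(lines, ignoreip)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for ip, n in count_sasl_failures(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip:15} {n} failed logins")
    print("would ban:", offenders(SAMPLE_LOG.splitlines()))
```

Run it against a real zimbra.log with `offenders(open("/var/log/zimbra.log"))` to see which addresses a jail with `maxretry = 5` would already have banned.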
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: Spam Anonymous TLS connection established from unknown

Post by hoangnguyen »

Thanks, phoenix.
Yes, I did block all ports on my firewall, and just opened ports 25, 465 and 587 to send and receive email. And when I netstat, I only see my zimbra IP, no other public IP. So I'm very confused. Now I will install and configure fail2ban on the zimbra server.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Spam Anonymous TLS connection established from unknown

Post by phoenix »

hoangnguyen wrote:So I'm very confused.
So am I by your comments. How can you be seeing a 'brute force attack' on your port 7073 if it's not exposed to the internet? Have you checked if there are any infected machines on your local network? Have you also checked to see if your Zimbra server has been compromised (possibly by this viewtopic.php?f=15&t=65932)?
Regards

Bill

hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: Spam Anonymous TLS connection established from unknown

Post by hoangnguyen »

Hi phoenix,

I don't know how they can access the URL "https://mydomain:7073/...". I even used Nmap to scan my public IP, and there is nothing except the open ports (25, 465, 587).
I followed the link you gave me and used some commands to find the weird files, but I still got nothing. Everything seems normal, except the zimbra.log.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Spam Anonymous TLS connection established from unknown

Post by phoenix »

Then I guess you have an infection somewhere on your LAN. Doesn't the output of your netstat command earlier show the 'local address' and the 'foreign address' to be a LAN IP address?
Regards

Bill

hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: Spam Anonymous TLS connection established from unknown

Post by hoangnguyen »

Yes, I think so. I have to trace it in my LAN. The result of the netstat command only showed the zimbra server IP. So I think I have to scan my zimbra server, maybe using the RKHunter tool.

Thanks, phoenix.