Hi,
English is not my first language, so please ignore my mistakes.
I have a problem when I view the log on my Zimbra server. There's an IP connecting to my server, like a brute force attack, using port 7073:
I tried to block that port on my firewall, block the spam IP, use a DDoS filter to block the IP after 5 failed logins, etc., but when I view the log, I still see that IP continuing to connect to my server using many different users.
When I run netstat on the Zimbra server, I only see the server's local IP:
Can somebody help me close port 7073, or configure the Zimbra server to solve this problem?
Thanks.
Spam Anonymous TLS connection established from unknown
-
- Posts: 9
- Joined: Sun Mar 24, 2019 1:52 pm
Re: Spam Anonymous TLS connection established from unknown
Port 7073 should not be accessible via the internet, if you really need to do any admin task then use a VPN then connect to port 7073 'locally'. For brute force attacks you should look at fail2ban (search the forums for details).
Re: Spam Anonymous TLS connection established from unknown
Thanks, phoenix.
I followed this blog: https://www.missioncriticalemail.com/20 ... -together/
And I'm waiting for the result.
Re: Spam Anonymous TLS connection established from unknown
That's fine, but what you're asking about is attempted connections to port 7073 - that is the admin port and should never be exposed on the internet. The only port(s) you need to expose are port 25 and any that are required for your users to get their email. All the rest should be blocked for your Zimbra server. I'd still suggest you look at fail2ban for a potential solution.
Re: Spam Anonymous TLS connection established from unknown
Thanks, phoenix.
Yes, I did block all ports on my firewall and only opened ports 25, 465 and 587 to send and receive email. And when I run netstat, I only see my Zimbra IP, no other public IP. So I'm very confused. Now I will install and configure fail2ban on the Zimbra server.
Re: Spam Anonymous TLS connection established from unknown
hoangnguyen wrote: So I'm very confused.
So am I by your comments. How can you be seeing a 'brute force attack' on your port 7073 if it's not exposed to the internet? Have you checked if there are any infected machines on your local network? Have you also checked to see if your Zimbra server has been compromised (possibly by this viewtopic.php?f=15&t=65932)?
Re: Spam Anonymous TLS connection established from unknown
Hi phoenix,
I don't know how they can access the URL "https://mydomain:7073/...". I even used Nmap to scan my public IP, and there is nothing except the open ports (25, 465, 587).
I followed the link you gave me and used some commands to find the weird files, but I still got nothing. Everything seems normal, except the zimbra.log.
Re: Spam Anonymous TLS connection established from unknown
Then I guess you have an infection somewhere on your LAN. Doesn't the output of your netstat command earlier show the 'local address' and the 'foreign address' to be a LAN IP address?
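An added example, not code from this thread or from Zimbra or fail2ban: a small Python script that combines the two checks phoenix suggests, counting SASL authentication failures per source the way a fail2ban filter would, and tagging each source as LAN (RFC 1918 or loopback) or public so you can tell an exposed port from an infected machine inside the network. The log lines are constructed in postfix/smtpd's SASL-failure format, and the addresses are documentation and private ranges, not real hosts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in postfix/smtpd's SASL-failure format (the MTA part of
# zimbra.log); 203.0.113.0/24 is a documentation range, 192.168.0.0/16 is RFC 1918.
SAMPLE_LOG = "\n".join(
    ["Mar 25 10:00:%02d mail postfix/smtpd[2231]: warning: unknown[203.0.113.7]: "
     "SASL LOGIN authentication failed: authentication failure" % i for i in range(6)]
    + ["Mar 25 10:02:%02d mail postfix/smtpd[2240]: warning: pc23.lan[192.168.1.23]: "
       "SASL PLAIN authentication failed: authentication failure" % i for i in range(7)]
    + ["Mar 25 10:03:%02d mail postfix/smtpd[2251]: warning: unknown[192.168.1.50]: "
       "SASL LOGIN authentication failed: authentication failure" % i for i in range(3)]
    + ["Mar 25 10:04:00 mail postfix/smtpd[2260]: Anonymous TLS connection established "
       "from unknown[203.0.113.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"]
)

# Same shape of match a fail2ban postfix-sasl filter uses: client IP in brackets, then the failure.
FAIL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")

# RFC 1918 ranges plus loopback: anything here is "inside", not reachable from the internet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def failed_logins_by_source(log_text):
    """Count SASL authentication failures per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def scope_of(ip):
    """'lan' if the source is RFC 1918/loopback, otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    return "lan" if any(addr in net for net in LAN_NETS) else "public"

def offenders(log_text, threshold=5):
    """Sources at or above the fail2ban-style threshold, most failures first."""
    counts = failed_logins_by_source(log_text)
    hits = [(ip, n, scope_of(ip)) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n, scope in offenders(SAMPLE_LOG):
        hint = "port reachable from internet: fix firewall" if scope == "public" \
            else "inside the LAN: look for an infected host"
        print(f"{ip:15} {n:3} failures  {scope:6}  {hint}")
```

A public source over the threshold means the port really is reachable from the internet; a LAN source means the traffic never crosses the perimeter firewall, which is why blocking there changes nothing.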
Re: Spam Anonymous TLS connection established from unknown
Yes, I think so. I have to trace it in my LAN. The result of the netstat command only showed the Zimbra server IP. So I think I have to scan my Zimbra server, maybe using the RKHunter tool.
Thanks, phoenix.