Hi,
I appear to be locked out of the admin account. I have changed the password but still seem to be logged out... any ideas?
Admin account lockout
-
- Advanced member
- Posts: 111
- Joined: Thu Aug 02, 2018 4:24 pm
Re: Admin account lockout
That should never happen of its own accord. There were reports of multiple admin accounts being created by one of the most recent versions of the 'hack'. Have you checked if your server might be compromised? I'm assuming you only have one admin account that you created (or the initial ZCS install)?
-
- Advanced member
- Posts: 111
- Joined: Thu Aug 02, 2018 4:24 pm
Re: Admin account lockout
Hi,
Looks like a brute force attempt. I increased the password security and unlocked the account. There is only one admin account but two other groupcaladmin@ accounts...
I am on
Release 8.8.9_GA_2055.RHEL7_64_20180703080917 RHEL7_64 FOSS edition, Patch 8.8.9_P10.
Server has not been compromised and all good.
I have fail2ban enabled and specifically set up for Zimbra auth attempts and also have all firewall ports disabled apart from the essentials...
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Admin account lockout
The bad actors know Zimbra sets the default admin account as “admin@...” and will brute force it all day long.
The trick is either to create a global admin account that is named something a little cryptic, or, you can configure DoSFilter to block the bad actor’s IP address before your password lockout policy kicks in. (You can also do both...)
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
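The ordering described in the reply above (block the source IP before the account lockout policy triggers) can be checked with a small model. This is an added example, not part of the thread and not Zimbra code: `simulate`, its two thresholds, and the addresses and account names are hypothetical, and the event lists are constructed sample data.

```python
from collections import defaultdict

ADMIN = "admin@example.test"  # constructed account name

def simulate(failed_logins, ip_block_after, account_lock_after):
    """Replay failed logins in order; return (blocked_ips, locked_accounts).

    failed_logins: iterable of (source_ip, account) tuples, oldest first.
    An IP that is already blocked never reaches authentication, so its
    later attempts do not count toward the account lockout threshold.
    """
    per_ip = defaultdict(int)
    per_account = defaultdict(int)
    blocked, locked = set(), set()
    for ip, account in failed_logins:
        if ip in blocked:
            continue  # dropped by the IP filter before the auth layer
        per_ip[ip] += 1
        per_account[account] += 1
        if per_ip[ip] >= ip_block_after:
            blocked.add(ip)
        if per_account[account] >= account_lock_after:
            locked.add(account)
    return blocked, locked

# Constructed sample: one source hammering the default admin name.
SINGLE_SOURCE = [("203.0.113.7", ADMIN)] * 50

# Constructed sample: 12 attempts spread evenly over 4 sources.
DISTRIBUTED = [(f"198.51.100.{i % 4}", ADMIN) for i in range(12)]

def scenarios():
    """Run the three cases a lockout review would compare."""
    return {
        # IP threshold below lockout threshold: IP blocked, account usable.
        "ip_first": simulate(SINGLE_SOURCE, 5, 10),
        # IP threshold above lockout threshold: the admin is locked out first.
        "lockout_first": simulate(SINGLE_SOURCE, 20, 10),
        # Many sources stay under the per-IP limit and still lock the name
        # they target, which is why a non-default admin name also helps.
        "distributed": simulate(DISTRIBUTED, 5, 10),
    }

if __name__ == "__main__":
    for name, (blocked, locked) in scenarios().items():
        print(f"{name}: blocked={sorted(blocked)} locked={sorted(locked)}")
```
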