my server problem exploits "brute force attack"
Hello everyone, I have been the victim of an attack on my server. My server does not publish port 7073, and the attack seems to originate from the same server. I changed the password, but there are continuous attempts to log in. The server has been upgraded from Zimbra 8.0.7 to the latest release, 8.7.7, with patches. I report the logs below, please help me!!
[root@mail2 ~]# tail -f /opt/zimbra/log/audit.log
2017-05-20 15:39:35,874 WARN [qtp1286783232-979:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=aranya_kha@servermail.com;ip=61.19.250.33;port=64051;] security - cmd=Auth; account=aranya_kha@servermail.com; protocol=soap; error=authentication failed for [aranya_kha@servermail.coom], account(or domain) status is locked;
[root@mail2 ~]# tail -f /opt/zimbra/log/mailbox.log
2017-05-20 15:42:25,954 INFO [qtp1286783232-814:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=jittima_int@servermail.com;ip=61.19.250.33;port=64344;] soap - AuthRequest elapsed=0
2017-05-20 15:42:28,351 INFO [qtp1286783232-1009:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=jittima_int@servermail.com;ip=61.19.250.33;port=64346;] SoapEngine - handler exception: authentication failed for [jittima_int@servermail.com], account(or domain) status is locked
[root@mail2 ~]# tail -f /var/log/zimbra.log
May 20 15:48:31 mail2 saslauthd[24400]: auth_zimbra: aranya_kha@servermail.com auth failed: authentication failed for [aranya_kha@servermail.com]
May 20 15:48:31 mail2 saslauthd[24400]: do_auth : auth failure: [user=aranya_kha@servermail.com] [service=smtp] [realm=servermail.com] [mech=zimbra] [reason=Unknown]
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: disconnect from casablanca.mschosting.com[110.4.46.117] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: connect from casablanca.mschosting.com[110.4.46.117]
May 20 15:48:32 mail2 postfix/submission/smtpd[17976]: Anonymous TLS connection established from casablanca.mschosting.com[110.4.46.117]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 20 15:48:32 mail2 saslauthd[24401]: zmauth: authenticating against elected url 'https://mail2.servermail.com:7073/service/admin/soap/' ...
May 20 15:48:32 mail2 saslauthd[24401]: zmpost: url='https://mail2.servermail.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [aranya_kha@servermail.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1286783232-1046:1495270112319:31ede50f780394a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
thanks
Re: Zimba Problem exploits "brute force attack"
The attempt is not from the same server. This is the log line that tells you where the attack is coming from:
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
It shows that someone at IP address 110.4.46.117 is trying to use authenticated SMTP (Submission on port 465) from outside your network to send emails.
I suggest you use fail2ban (search for it in the forum/wiki) or some other method to restrict access to your server.
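As an added example (not code from this thread, from Zimbra or from fail2ban), the Python script below does what the reply above does by eye: it reads the three log formats the first post shows, takes a client address only from the lines that actually carry one (the postfix smtpd "warning" line and the ip= field of mailbox.log/audit.log), counts the saslauthd lines separately because they name only the account and the local 7073 SOAP relay rather than the remote client, and then applies a fail2ban-style maxretry/findtime rule to decide which addresses would be banned. The sample lines are constructed from the thread's own excerpts with timestamps shifted; the 2017 year for syslog lines, the regexes and the threshold values are assumptions.

```python
"""Locate brute-force sources in Zimbra logs and apply a fail2ban-style threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# postfix/submission/smtpd names the remote client: this is the line that
# carries the attacker's address.
POSTFIX_SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S+/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \S+ authentication failed"
)
# saslauthd has already handed the check to the local admin SOAP URL on 7073;
# it reports the account but no client IP, so it cannot be used for banning.
SASLAUTHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"auth_zimbra: (?P<acct>\S+) auth failed"
)
# mailbox.log / audit.log: the SOAP caller's address sits in the ip= field.
ZIMBRA_SOAP_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \w+ \[[^\]]*\] "
    r"\[name=(?P<acct>[^;]*);ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3});port=\d+;\] "
    r".*authentication failed for"
)

SYSLOG_YEAR = 2017  # assumption: syslog lines carry no year; the thread is from May 2017

# Constructed sample, modelled on the thread's excerpts (timestamps shifted).
SAMPLE_LOG = """\
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
May 20 15:48:31 mail2 saslauthd[24400]: auth_zimbra: aranya_kha@servermail.com auth failed: authentication failed for [aranya_kha@servermail.com]
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: connect from casablanca.mschosting.com[110.4.46.117]
May 20 15:48:40 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
May 20 15:48:55 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
2017-05-20 15:39:35,874 WARN [qtp1286783232-979:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=aranya_kha@servermail.com;ip=61.19.250.33;port=64051;] security - cmd=Auth; account=aranya_kha@servermail.com; protocol=soap; error=authentication failed for [aranya_kha@servermail.com], account(or domain) status is locked;
2017-05-20 15:42:28,351 INFO [qtp1286783232-1009:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=jittima_int@servermail.com;ip=61.19.250.33;port=64346;] SoapEngine - handler exception: authentication failed for [jittima_int@servermail.com], account(or domain) status is locked
"""


def parse_line(line):
    """Return (timestamp, client_ip or None, account or None) for a failed-auth line, else None."""
    m = POSTFIX_SASL_FAIL.match(line)
    if m:
        return datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], None
    m = SASLAUTHD_FAIL.match(line)
    if m:
        return datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), None, m["acct"]
    m = ZIMBRA_SOAP_FAIL.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["acct"]
    return None


def failures_by_ip(lines):
    """Group failure timestamps by client IP; failures with no client IP are only counted."""
    by_ip = defaultdict(list)
    unattributed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # connects, disconnects, successful auths: not failures
        ts, ip, _acct = parsed
        if ip is None:
            unattributed += 1
        else:
            by_ip[ip].append(ts)
    return dict(by_ip), unattributed


def ban_candidates(by_ip, maxretry=3, findtime=timedelta(seconds=600)):
    """fail2ban-style rule: ban an IP with at least maxretry failures inside any findtime window."""
    banned = set()
    for ip, times in by_ip.items():
        times = sorted(times)
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned


def analyze(log_text, **thresholds):
    """Summarise failures per IP, unattributed failures and the resulting ban list."""
    by_ip, unattributed = failures_by_ip(log_text.splitlines())
    return {
        "failures": {ip: len(ts) for ip, ts in by_ip.items()},
        "unattributed": unattributed,
        "ban": sorted(ban_candidates(by_ip, **thresholds)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The saslauthd line and the 7073 URL it shows are the local relay, so they contribute to the "unattributed" count only; the ban decision for 110.4.46.117 comes entirely from the postfix smtpd lines, which is why fail2ban's postfix filter is the one that matters for this kind of submission-port attack. Run the same script against /var/log/zimbra.log and /opt/zimbra/log/mailbox.log (one file at a time or concatenated) to see which addresses a jail with your chosen maxretry and findtime would catch.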
Re: Zimba Problem exploits "brute force attack"
After installing fail2ban:
iptables -L -n
Chain f2b-SSH (1 references)
target prot opt source destination
REJECT all -- 59.45.175.86 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 121.18.238.125 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 121.18.238.119 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 59.45.175.64 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 59.45.175.56 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 116.31.116.16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 182.100.67.76 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-postfix (1 references)
target prot opt source destination
REJECT all -- 212.129.30.113 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-zimbra-account (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-zimbra-audit (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-zimbra-recipient (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0