Zimba Problem exploits "brute force attack"

meeinter · Post by **meeinter** » Sat May 20, 2017 8:51 am

Hello everyone,

my server problem exploits "brute force attack"

Hello everyone, I have been the victim of an attack on my server, my server does not publish the 7073 port, the attack seems to originate from the same server, i changed the password but there are continuous attempts to login. The server has been upgraded from zimbra 8.0.7 to the latest releases 8.7.7 and patches. I report under the log, please help me!!

[root@mail2 ~]# tail -f /opt/zimbra/log/audit.log
2017-05-20 15:39:35,874 WARN [qtp1286783232-979:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=aranya_kha@servermail.com;ip=61.19.250.33;port=64051;] security - cmd=Auth; account=aranya_kha@servermail.com; protocol=soap; error=authentication failed for [aranya_kha@servermail.coom], account(or domain) status is locked;

[root@mail2 ~]# tail -f /opt/zimbra/log/mailbox.log
2017-05-20 15:42:25,954 INFO [qtp1286783232-814:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=jittima_int@servermail.com;ip=61.19.250.33;port=64344;] soap - AuthRequest elap sed=0

2017-05-20 15:42:28,351 INFO [qtp1286783232-1009:https:https://mail2.servermail.com:7073/service/admin/soap/] [name=jittima_int@servermail.com;ip=61.19.250.33;port=64346;] SoapEngine - handler e xception: authentication failed for [jittima_int@servermail.com], account(or domain) status is locked

[root@mail2 ~]# tail -f /var/log/zimbra.log

May 20 15:48:31 mail2 saslauthd[24400]: auth_zimbra: aranya_kha@servermail.com auth failed: authentication failed for [aranya_kha@servermail.com]
May 20 15:48:31 mail2 saslauthd[24400]: do_auth : auth failure: [user=aranya_kha@servermail.com] [service=smtp] [realm=servermail.com] [mech=zimbra] [reason=Unknown]
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: disconnect from casablanca.mschosting.com[110.4.46.117] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: connect from casablanca.mschosting.com[110.4.46.117]
May 20 15:48:32 mail2 postfix/submission/smtpd[17976]: Anonymous TLS connection established from casablanca.mschosting.com[110.4.46.117]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 20 15:48:32 mail2 saslauthd[24401]: zmauth: authenticating against elected url 'https://mail2.servermail.com:7073/service/admin/soap/' ...
May 20 15:48:32 mail2 saslauthd[24401]: zmpost: url='https://mail2.servermail.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [aranya_kha@servermail.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1286783232-1046:1495270112319:31ede50f780394a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''

thanks

liverpoolfcfan · Post by **liverpoolfcfan** » Mon May 22, 2017 10:35 am

The attempt is not from the same server. This is the log line that tells you where the attack is coming from

May 20 15:48:31 mail2 postfix/submission/smtpd[17976]: warning: casablanca.mschosting.com[110.4.46.117]: SASL LOGIN authentication failed: authentication failure

It shows that someone at IP address 110.4.46.117 is trying to use authenticated SMTP (Submission on port 465) from outside your network to send emails.

I suggest you use fail2ban (search of it in the forum/wiki) or some other method to restrict access to your server

meeinter · Post by **meeinter** » Fri May 26, 2017 2:35 am

after fail2ban install

iptables -L -n

Chain f2b-SSH (1 references)
target prot opt source destination
REJECT all -- 59.45.175.86 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 121.18.238.125 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 121.18.238.119 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 59.45.175.64 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 59.45.175.56 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 116.31.116.16 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 182.100.67.76 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain f2b-postfix (1 references)
target prot opt source destination
REJECT all -- 212.129.30.113 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain f2b-zimbra-account (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain f2b-zimbra-audit (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain f2b-zimbra-recipient (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Zimbra Forums

Zimba Problem exploits "brute force attack"

Zimba Problem exploits "brute force attack"

Re: Zimba Problem exploits "brute force attack"

Re: Zimba Problem exploits "brute force attack"