I managed to print the real IP by disabling Outbound NAT rule generation in pfsense.
Thank you guys!
Search found 10 matches
- Wed Oct 17, 2018 7:20 pm
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
- Tue Oct 16, 2018 9:22 am
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
Re: reveal IP connection source from bruteforce authentication attempt
Yes, I need it, because all machines are virtualized. I have two public IPs, one for the web server and one for the mail server. The third public IP is for the firewall... resuming the NAT configuration: I access the firewall with a public IP, then there are 2 rules (NAT 1:1) External IP Internal ...
- Mon Oct 15, 2018 7:20 pm
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
Re: reveal IP connection source from bruteforce authentication attempt
Hey Lance, I did what you suggested... rebooted both machines but nothing changed, I always have the firewall IP in the logs... I can see this weird stuff in the pfsense logs.
Time IF Source Destination
Oct 15 21:18 WAN [fe80::6eb2:aeff:fe01:8841] [ff02::66]:2029
- Mon Oct 15, 2018 7:32 am
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
Re: reveal IP connection source from bruteforce authentication attempt
Hi Lance,
ehm... it's empty, no rules in Port Forwarding.
The firewall rules are the following:
Reject everything except
80 (HTTP)
443 (HTTPS)
143 (IMAP)
993 (IMAP/S)
110 (POP3)
995 (POP3/S)
25 (SMTP)
465 (SMTP/S)
587 (SUBMISSION)
- Sun Oct 14, 2018 6:58 pm
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
Re: reveal IP connection source from bruteforce authentication attempt
I know that fail2ban should fix this issue. In fact I need to reveal which IP is doing the bruteforce and ban it. Unfortunately the Zimbra log and mail log don't give me this information, and fail2ban relies on it. Maybe it could be a DNS configuration. But in order to work behind a firewall Zimbra mus...
- Sun Oct 14, 2018 5:12 pm
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
Re: reveal IP connection source from bruteforce authentication attempt
Hi Mark, thank you for your reply. The zimbra version is 8.6. I am not running on proxy. The mail server is behind a firewall. The firewall is a PFsense machine x.x.x.1. Zimbra is on another machine x.x.x.12. On PFsense there is a NAT 1:1 to translate the public IP to the zimbra server. I added the loca...
- Sat Oct 13, 2018 3:15 pm
- Forum: Administrators
- Topic: reveal IP connection source from bruteforce authentication attempt
- Replies: 13
- Views: 5333
reveal IP connection source from bruteforce authentication attempt
Hello, I have Zimbra behind pfsense and the public IP is NATted to the internal IP. SplitDNS is set as well. So the firewall is on 172.0.1.1 and the mail server on the same LAN. I see a lot of authentication failures in the zimbra log and it says that the connection comes from ... the firewall... ...
- Tue Oct 02, 2018 7:23 pm
- Forum: Administrators
- Topic: zimbra server is sending email without my authorization.
- Replies: 4
- Views: 12129
continuing intrusion attempt
Hello there, in my zimbra log I see an intrusion attempt every 5 seconds: Oct 2 21:18:07 mail saslauthd[3839]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ... Oct 2 21:18:07 mail saslauthd[3839]: zmpost: url='https://mail.mydomain.xxx:7071/service/ad...
- Thu Sep 27, 2018 5:42 pm
- Forum: Administrators
- Topic: zimbra server is sending email without my authorization.
- Replies: 4
- Views: 12129
Re: zimbra server is sending email without my authorization.
Thanks for the reply.
I don't think it is phishing because no one got email; in fact the first thing I did was change the password of all accounts.
Now I create a policy to restrict only the domain of the server to send email, but I am going to delete the account info
- Thu Sep 27, 2018 11:06 am
- Forum: Administrators
- Topic: zimbra server is sending email without my authorization.
- Replies: 4
- Views: 12129
zimbra server is sending email without my authorization.
Hello there, I have a zimbra server 8.0.6. The info@ account is receiving continuous email like this: Undelivered Mail Returned to Sender This is the mail system at host mail.mydomain.xxx I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached ...