stefaniu.criste wrote:
Hello
can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Hello, after almost 24 hrs of trying to figure this out I'm almost giving up ...
So here is what I have found out so far. It's a long post, so please be patient.
- One of my users got his 'shitty' password guessed. Yes, I know, but management says it can't be 'too complex'; these are mainly 'older' people who keep forgetting their passwords ... or something.
With that valid user and password, a spammer relayed mail through our server for almost 24 hrs.
The attack was noticed because of the massive number of NDRs returned, around one hour before I wrote the post above asking for help.
I changed the user's password and even switched the PC.
So now the aftermath:
The server is getting blocked by some clients' email servers. I'm on top of this, but I had to disable the auto-block for the user account, or it keeps getting blocked due to the attempts to log in with that account.
What I have done:
I installed fail2ban a while ago, when I replaced a failed Zimbra 8.6 with this 8.7 one, following whatever tutorials I could find, but for some strange reason nothing is working.
My logs keep showing me these lines:
auth.log
Sep 25 13:19:46 mail saslauthd[38048]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-1378:1506341986638:03725463bc573f76</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 25 13:19:46 mail saslauthd[38048]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
zimbra.log
Sep 26 10:49:16 mail saslauthd[4785]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-921:1506419356740:cf426e3bf7bd1405</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[193.165.237.27]: SASL LOGIN authentication failed: authentication failure
Fail2ban:
I can only find some hits using a filter called 'sasl.conf':
# Fail2Ban configuration file
## Author: Yaroslav Halchenko
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
#
#failregex = \[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
## Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
result:
root@mail:/etc/fail2ban/filter.d# fail2ban-regex /var/log/zimbra.log sasl.conf -v
Failregex: 33 total
|- #) [# of hits] regular expression
| 1) [33] warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
| 176.107.198.66 Tue Sep 26 09:54:21 2017
| 93.99.219.51 Tue Sep 26 09:54:34 2017
| 84.115.103.41 Tue Sep 26 09:54:49 2017
But there is no evidence of those IPs being blocked ....
root@mail:/etc/fail2ban/filter.d# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-Postfix
-N fail2ban-SASL-iptables
-N fail2ban-Zimbra-account
-N fail2ban-Zimbra-audit
-N fail2ban-Zimbra-recipient
-N fail2ban-sasl
-N fail2ban-ssh
-N fail2ban-ssh-ddos
-A INPUT -p tcp -j fail2ban-SASL-iptables
-A INPUT -p tcp -j fail2ban-Zimbra-recipient
-A INPUT -p tcp -j fail2ban-Zimbra-audit
-A INPUT -p tcp -j fail2ban-Zimbra-account
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995,587,4190 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-Postfix
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-Postfix -j RETURN
-A fail2ban-SASL-iptables -j RETURN
-A fail2ban-Zimbra-account -j RETURN
-A fail2ban-Zimbra-audit -j RETURN
-A fail2ban-Zimbra-recipient -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
My jail.local file:
#######################
# Zimbra Mail
########################
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 2
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/zimbra.log
findtime = 604800
bantime = -1
maxretry = 2
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2
[postfix-connections]
enabled = false
filter = postfix-connections
action = iptables[name=Postfix-Connections, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
bantime = -1
ignoreip = 127.0.0.1
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=SASL-iptables]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission,sieve
filter = sasl
logpath = /var/log/zimbra.log
bantime = 900
maxretry = 0
My zimbra.conf:
# Fail2Ban configuration file
#
# Author:
[Definition]
#Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .*invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            \[ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
# \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
# ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
# \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
# WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
# NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#failregex =.*authentication failed for .* invalid password
#failregex = (.*)[ip=<HOST>;] (.*) protocol=imap; error=authentication failed for
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Conclusion:
I'm missing something ... so can someone give me a hint/help/light?
Thanks in advance.
JG
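A point worth seeing in code for the post above: `fail2ban-regex` only reports raw failregex matches per line. A jail bans a host only when that same host produces `maxretry` matches within `findtime` seconds (fail2ban's default findtime is 600 s), and lines that carry no client IP at all, such as the `saslauthd ... auth_zimbra:` lines, can never contribute because `<HOST>` has nothing to capture. The script below is an added example, not part of the original post and not fail2ban's own code: it applies the `sasl.conf` failregex from the post to a constructed sample of zimbra.log lines and models fail2ban's sliding-window counting. The sample lines, the year 2017 (syslog timestamps carry no year) and the maxretry/findtime values are assumptions chosen to mirror the jail.local in the post.

```python
"""Model of how a fail2ban jail turns sasl.conf matches into bans.

Added example, not fail2ban's own code. fail2ban-regex only counts matches;
a ban additionally needs `maxretry` matches from the SAME host within
`findtime` seconds. Sample log lines are constructed; the year 2017 and the
maxretry/findtime values are assumptions mirroring the jail.local above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# What fail2ban substitutes for the <HOST> tag (quoted in the filter's comments).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The active failregex from the sasl.conf in the post, verbatim.
SASL_FAILREGEX = (
    r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(:[A-Za-z0-9+/ ]*)?$"
)

# Syslog timestamp prefix, e.g. "Sep 26 10:49:16 " (no year in the line).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample of /var/log/zimbra.log. The saslauthd line carries no
# client IP, so no <HOST>-based filter can ever ban from it; only the
# postfix/smtpd "warning:" lines are bannable.
SAMPLE_ZIMBRA_LOG = """\
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: user@example.com auth failed: authentication failed for [user@example.com]
Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[193.165.237.27]: SASL LOGIN authentication failed: authentication failure
Sep 26 10:49:40 mail postfix/submission/smtpd[15801]: warning: unknown[193.165.237.27]: SASL LOGIN authentication failed: authentication failure
Sep 26 10:54:21 mail postfix/smtpd[15802]: warning: unknown[176.107.198.66]: SASL PLAIN authentication failed: authentication failure
Sep 26 11:30:00 mail postfix/smtpd[15803]: warning: host.example[93.99.219.51]: SASL LOGIN authentication failed: authentication failure
Sep 26 12:00:00 mail postfix/smtpd[15803]: warning: host.example[93.99.219.51]: SASL LOGIN authentication failed: authentication failure
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_failures(lines, failregex=SASL_FAILREGEX, year=2017):
    """Yield (timestamp, host) for each line the failregex matches.

    Lines without a timestamp or without a failregex match are skipped,
    which is what fail2ban-regex reports as "missed".
    """
    rx = compile_failregex(failregex)
    for line in lines:
        ts_m = SYSLOG_TS.match(line)
        m = rx.search(line)
        if not ts_m or not m:
            continue
        # Syslog lines carry no year; fail2ban assumes the current one.
        ts = datetime.strptime(f"{year} {ts_m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"]


def hosts_to_ban(lines, maxretry=2, findtime=600):
    """Simplified fail2ban failure counting.

    A host is banned the moment it has `maxretry` matched failures inside a
    sliding window of `findtime` seconds. Returns {host: time_of_ban}.
    """
    window = defaultdict(deque)
    banned = {}
    for ts, host in parse_failures(lines):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop stale failures
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_ZIMBRA_LOG.splitlines()
    print(f"failregex matches: {len(list(parse_failures(lines)))}")
    for host, when in hosts_to_ban(lines).items():
        print(f"would ban {host} at {when}")
```

With the post's `maxretry = 2` and the default findtime, the sample gives five matches but only one ban (193.165.237.27, whose two failures are 24 s apart); 176.107.198.66 fails once, and 93.99.219.51's two failures are 30 minutes apart, outside the window. Raising findtime or lowering maxretry changes the outcome, which is why a "33 total" from fail2ban-regex says nothing on its own about whether any host should have been banned.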