DoS Filter and IMAP / POP3

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
xmana
Posts: 12
Joined: Tue Mar 21, 2017 12:58 pm

DoS Filter and IMAP / POP3

Post by xmana »

Good day!

I have run into a problem and do not know in which direction to dig; if anyone knows, please tell me...

First, a little configuration:

Code:

[zimbra@mail ~]$ zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P1.

Code:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: -1
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 30

Code:

[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 4320
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 3
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 3

The situation is as follows.
With this configuration, IP addresses that fall under the current DoS Filter settings are blocked. But only addresses seen brute-forcing through the web interface are blocked...
All other failed authentications (POP3, IMAP, etc.) are ignored.

A few examples (cat mailbox.log | grep ...):

Blocking after brute force via the web (in this case everything is fine):

Code:

2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=70194024;] soap - AuthRequest elapsed=9
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] soap - AuthRequest elapsed=7
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] soap - AuthRequest elapsed=5
2019-01-22 18:17:07,672 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] SoapEngine - handler exception: authentication failed for [user1@domain.com], invalid password
2019-01-22 18:17:07,673 INFO  [qtp1286783232-216:http://localhost:8080/service/soap/AuthRequest] [name=user1@domain.com;oip=178.133.40.218;ua=zclient/8.8.11_GA_3737;soapId=701940f4;] soap - AuthRequest elapsed=4
2019-01-22 18:17:22,648 INFO  [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.
2019-01-22 18:17:26,728 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 178.133.40.218 suspended, for repeated failed login.

Brute force through a mail client (IMAP): the DoS Filter does not act:

Code:

2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 17:58:31,515 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=14;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:18,442 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=21;] imap - authentication failed for [user2@domain.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:43,915 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=24;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:48,225 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=25;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:50,482 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=26;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:52,865 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=27;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:55,387 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=28;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:01:58,690 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=29;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:02:03,841 INFO  [ImapSSLServer-2] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=30;] imap - authentication failed for [user2@domain.com] (account lockout)
2019-01-22 18:03:11,301 INFO  [ImapSSLServer-0] [ip=gray_ip_mail_server_address;oip=46.211.27.136;via=com.android.email,gray_ip_mail_server_address(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=31;] imap - authentication failed for [user2@domain.com] (account lockout)

The same happens with POP3.

Tell me, how can this be fixed?

Thanks
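The gap described in this post (web/SOAP failures are counted and suspended, IMAP/POP3 failures are not) is easy to make visible with a small log analysis. The script below is an added example written for this thread, not code from Zimbra or from the poster: it parses the two mailbox.log line layouts quoted above (the SOAP "qtp" thread lines and the "imap - authentication failed" lines, both carrying the client address in `oip=`), counts failures per client IP inside a sliding window, and reports IPs that crossed the threshold without ever producing a "suspended, for repeated failed login" entry. The log lines, addresses and the 5-minute window are constructed for the example; the window is the script's own parameter, not a Zimbra setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample modelled on the mailbox.log entries quoted in the post.
# Addresses, users and ids are made up; the layout follows the SOAP (webmail)
# and IMAP lines, where "oip=" carries the real client address behind the proxy.
SAMPLE_LOG = """\
2019-01-22 18:15:43,341 INFO  [qtp1286783232-137:http://localhost:8080/service/soap/AuthRequest] [name=user1@example.com;oip=203.0.113.10;ua=zclient/8.8.11_GA_3737;soapId=70194024;] SoapEngine - handler exception: authentication failed for [user1@example.com], invalid password
2019-01-22 18:16:11,091 INFO  [qtp1286783232-182:http://localhost:8080/service/soap/AuthRequest] [name=user1@example.com;oip=203.0.113.10;ua=zclient/8.8.11_GA_3737;soapId=701940a1;] SoapEngine - handler exception: authentication failed for [user1@example.com], invalid password
2019-01-22 18:16:36,000 INFO  [qtp1286783232-201:http://localhost:8080/service/soap/AuthRequest] [name=user1@example.com;oip=203.0.113.10;ua=zclient/8.8.11_GA_3737;soapId=701940d5;] SoapEngine - handler exception: authentication failed for [user1@example.com], invalid password
2019-01-22 18:17:22,648 INFO  [qtp1286783232-392:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 203.0.113.10 suspended, for repeated failed login.
2019-01-22 17:57:43,536 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=198.51.100.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=11;] imap - authentication failed for [user2@example.com] (invalid password)
2019-01-22 17:58:00,336 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=198.51.100.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=12;] imap - authentication failed for [user2@example.com] (invalid password)
2019-01-22 17:58:14,972 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=198.51.100.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=13;] imap - authentication failed for [user2@example.com] (invalid password)
2019-01-22 17:58:31,515 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=198.51.100.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=14;] imap - authentication failed for [user2@example.com] (invalid password)
2019-01-22 18:01:39,658 INFO  [ImapSSLServer-2] [ip=10.0.0.5;oip=198.51.100.7;via=com.android.email,10.0.0.5(nginx/1.7.1);ua=Zimbra/8.8.11_GA_3737;cid=23;] imap - authentication failed for [user2@example.com] (account lockout)
"""


class Failure(NamedTuple):
    ts: datetime
    proto: str
    ip: str
    user: str
    locked_out: bool


# Generic mailbox.log layout: timestamp, level, [thread], [context k=v pairs], message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} INFO\s+"
    r"\[(?P<thread>[^\]]+)\] \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"authentication failed for \[(?P<user>[^\]]+)\]")
SUSPEND_RE = re.compile(r"Access from IP (?P<ip>[\d.]+) suspended")


def parse_failures(text):
    """Return one Failure per 'authentication failed' line, whatever the protocol."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m["msg"])
        if not f:
            continue
        ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
        # SOAP requests run on Jetty "qtp" threads; protocol servers log "imap - ..." etc.
        proto = "soap" if m["thread"].startswith("qtp") else m["msg"].split(" - ", 1)[0]
        ip = ctx.get("oip") or ctx.get("ip") or "unknown"
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(Failure(ts, proto, ip, f["user"], "account lockout" in m["msg"]))
    return events


def suspended_ips(text):
    """IPs the DoS filter actually reported as suspended."""
    return {m["ip"] for m in SUSPEND_RE.finditer(text)}


def offenders(events, max_failed, window=timedelta(minutes=5)):
    """IPs with at least max_failed failures inside any sliding window, plus the protocols used.
    The window is this script's own parameter, not a Zimbra setting."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    result = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start, peak = 0, 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failed:
            result[ip] = (peak, sorted({x.proto for x in evs}))
    return result


def uncovered(text, max_failed):
    """Offending IPs that never got a 'suspended' entry: the IMAP/POP3 gap described above."""
    return set(offenders(parse_failures(text), max_failed)) - suspended_ips(text)


if __name__ == "__main__":
    for ip, (n, protos) in offenders(parse_failures(SAMPLE_LOG), 3).items():
        print(f"{ip}: {n} failures via {','.join(protos)}")
    print("not suspended:", uncovered(SAMPLE_LOG, 3))
```

Run against a real mailbox.log with `max_failed` set to your zimbraInvalidLoginFilterMaxFailedLogin value: any IP listed under "not suspended" reached the threshold through a path the filter did not count, which is exactly what the IMAP sample in this post shows.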
Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Re: DoS Filter and IMAP / POP3

Post by Laragio »

Hi,
I have the same problem. I can't get the DoS filter to work for IMAP/POP3, nor for the web.

Any help?
--
Laragio
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Post by awsgnalla »

Hi,

I have the same problem: I do not see any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

Running

[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

shows no suspended IPs after testing failed authentication of an active account via webmail and a mail client.

Any insight or help is very much appreciated.

Thanks,

Gio
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DoS Filter and IMAP / POP3

Post by L. Mark Stone »

awsgnalla wrote: Hi,

I have the same problem: I do not see any suspended IPs when testing whether the Zimbra DoS Filter really works.
I followed the configuration values in this blog post:
https://www.missioncriticalemail.com/20 ... -together/

Running

[zimbra@mail ~]$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."
[zimbra@mail ~]$

shows no suspended IPs after testing failed authentication of an active account via webmail and a mail client.

Any insight or help is very much appreciated.

Thanks,

Gio
Post up your settings and I'll be happy to take a look!
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Post by awsgnalla »

Hi Mark,

Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DoS Filter and IMAP / POP3

Post by L. Mark Stone »

awsgnalla wrote: Hi Mark,

Thank you for your response.
Here are the settings:

[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterMaxRequestsPerSec
zimbraHttpDosFilterMaxRequestsPerSec: 100
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zimbraInvalidLoginFilterMaxFailedLogin: 10
[zimbra@mail ~]$ zmprov gcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
[zimbra@mail ~]$ zmprov gcf zimbraHttpDosFilterDelayMillis
zimbraHttpDosFilterDelayMillis: 20

Class of Service > Advanced > Failed Login Policy:

https://www.screencast.com/t/dxhPRecZP

Thanks,

Gio
Hi Gio,

Those settings look fine, except zimbraHttpDosFilterMaxRequestsPerSec, which I would recommend setting to 250. Otherwise you may get some errors when using the Admin Console.

To confirm operation, I would create a test account, and then take your laptop to the parking lot of a store so you can use their wireless. Make repeated bad tries logging in, until the account is locked out or your IP is blocked. Then, tether your phone to your laptop (or come back home) to change your IP address, log in to the Admin Console, see if the test account is locked out, and ssh in to the server and look in mailbox.log for the DoSFilter entries.

The trick is you want to block an IP before you lock out the mailbox, so maybe set zimbraInvalidLoginFilterMaxFailedLogin a little lower, to like 5 or similar. It should be less than what you have for your failed lockout policy.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
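Mark's point about ordering the two thresholds (suspend the IP before the account locks) can be checked mechanically against `zmprov` output. The script below is an added example for this thread, not code from Mark, Mission Critical Email or Zimbra. It parses the `name: value` lines that `zmprov gcf` prints, compares zimbraInvalidLoginFilterMaxFailedLogin with the CoS lockout threshold, and flags a DoS filter request limit below the recommended 250. The sample outputs are constructed from the values posted above; the CoS attribute names zimbraPasswordLockoutEnabled and zimbraPasswordLockoutMaxFailures are the attributes behind the "Failed Login Policy" screen, and the CoS values used here are made up.

```python
import re

# Constructed sample of `zmprov gcf` output, modelled on the values Gio posted above
ZMPROV_GCF_OUTPUT = """\
zimbraHttpDosFilterMaxRequestsPerSec: 100
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5
zimbraHttpDosFilterDelayMillis: 20
"""

# Constructed CoS output (e.g. from `zmprov gc <cos name>`), limited to the lockout
# attributes behind the "Failed Login Policy" screen; names are Zimbra's, values made up.
COS_OUTPUT = """\
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 5
"""

ATTR_RE = re.compile(r"^(?P<name>zimbra\w+):\s*(?P<value>.*)$")


def parse_attrs(text):
    """Turn 'name: value' lines from zmprov into a dict; integer values become ints."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if not m:
            continue
        value = m["value"].strip()
        attrs[m["name"]] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return attrs


def audit(global_attrs, cos_attrs, min_rps=250):
    """Return findings as strings; an empty list means the thresholds are ordered as advised."""
    findings = []
    rps = global_attrs.get("zimbraHttpDosFilterMaxRequestsPerSec")
    if rps is not None and rps < min_rps:
        findings.append(
            f"zimbraHttpDosFilterMaxRequestsPerSec={rps} is below {min_rps}; "
            "the Admin Console may trip the DoS filter"
        )
    ip_max = global_attrs.get("zimbraInvalidLoginFilterMaxFailedLogin")
    lockout_on = str(cos_attrs.get("zimbraPasswordLockoutEnabled", "FALSE")).upper() == "TRUE"
    acct_max = cos_attrs.get("zimbraPasswordLockoutMaxFailures")
    # A lockout limit of 0 means the account is never locked, so there is nothing to order against
    if lockout_on and ip_max is not None and acct_max and ip_max >= acct_max:
        findings.append(
            f"zimbraInvalidLoginFilterMaxFailedLogin={ip_max} is not below "
            f"zimbraPasswordLockoutMaxFailures={acct_max}; the account locks before the IP is suspended"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_attrs(ZMPROV_GCF_OUTPUT), parse_attrs(COS_OUTPUT)):
        print("-", finding)
```

Feed it the real output of `zmprov gcf <attr>` and `zmprov gc <cos>` (the attribute names above are the ones to query); two findings on the sample reproduce exactly the two adjustments Mark recommends.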
awsgnalla
Posts: 7
Joined: Thu Jun 11, 2020 4:25 am

Re: DoS Filter and IMAP / POP3

Post by awsgnalla »

Hello Mark,

I've changed the zimbraHttpDosFilterMaxRequestsPerSec setting to 250. I've tested this on our test Zimbra mail server instead of the live environment.
It's still not blocking/suspending IPs when I make bad login attempts.


$ cat ~/log/mailbox.log | grep "authentication failed"
3737;soapId=473535ab;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:33,921 INFO [qtp1286783232-156:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535ad;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:37,594 INFO [qtp1286783232-159:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535af;] SoapEngine - handler exception: authentication failed for [aws@domain.com, invalid password
2020-08-09 16:40:40,262 INFO [qtp1286783232-19:http://localhost:8080/service/soap/AuthRequest] [name=aws@domain.com;oip=180.235.133.70;ua=zclient/8.8.11_GA_3737;soapId=473535b1;] SoapEngine - handler exception: authentication failed for [aws@domain.com, account lockout

$ cat ~/log/mailbox.log | grep "suspended, for repeated failed login."


Any insight or help is very much appreciated.

Thanks,

Gio
pasco
Posts: 27
Joined: Fri Sep 12, 2014 11:34 pm

Re: DoS Filter and IMAP / POP3

Post by pasco »

Any solutions yet? I have the same problem.

Nothing with

cat ~/log/mailbox.log | grep "suspended, for repeated failed login."

but a bunch of entries with

cat ~/log/mailbox.log | grep "authentication failed"

like this one:
d3546b;] SoapEngine - handler exception: authentication failed for [tecnico@mail.example.com], account not found
2021-04-13 12:32:26,103 INFO [qtp66233253-248:https:https://mail.example.com:7073/service/admin/soap/] [ip=<Zimbra IP>;port=50606;soapId=17