Some clarifications about DoS Filter: block IPs after a number of failed login attempts

opsystem
Posts: 33
Joined: Mon Nov 20, 2017 6:32 pm

Some clarifications about DoS Filter: block IPs after a number of failed login attempts

Post by opsystem »

Hello all,

I’m dealing with some brute force attacks on our 8.6 installation and I was trying to activate the IP auto-ban feature of the DoS filter, as the documentation says:

“Starting in ZCS 8.5, you can block IPs for a period of time after a number of failed login attempts”

Now I can’t really find detailed info about this, so I’m asking here a few questions, hoping that someone has a good knowledge about it:

1. Is this a fail2ban-like implementation? If not, how does it work? Does it involve iptables rules?

2. Where can I find the banned IP list? How do I delete an IP from it?

3. How can I check if the protection is running? I’m currently looking at mailbox.log and Zimbra.log, all the soap / https / sasl services are being flooded with failed logins, but no IPs are being blocked, although it seems to me that all settings are correct:

Code:

zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 360
zimbraInvalidLoginFilterMaxFailedLogin: 3
zimbraInvalidLoginFilterMaxSizeOfFailedIpDb: 7000
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 30

4. Is this feature limited to mailbox service (http / soap)? Or does it work for SMTP / submissions too?

Thanks a lot
Gabriele
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Some clarifications about DoS Filter: block IPs after a number of failed login attempts

Post by pup_seba »

Hi,

As far as I understand...and please understand that I might be wrong, this is how it goes:

1. Is this a fail2ban-like implementation? If not, how does it work? Does it involve iptables rules?
--> No, it is not a fail2ban-like implementation. It works at an application level and it does not involve iptables or any other firewall rules.

2. Where can I find the banned IP list? How do I delete an IP from it?
--> I'm not aware of any "list". You could either grep your logs for the word "suspended" to see the suspended IPs as they try to login again. Or you could try to use this Zimbra-Elastic integration to have a nice looking dashboard. https://github.com/Zimbra-Community/zimbra-elasticstack
Only way to delete an IP from it is to restart the mailbox service or just wait until it is auto-released.

3. How can I check if the protection is running? I’m currently looking at mailbox.log and Zimbra.log, all the soap / https / sasl services are being flooded with failed logins, but no IPs are being blocked, although it seems to me that all settings are correct:
--> If mailbox is running, this should be running too. You could test it (try to bruteforce from one ip) and grep the logs for the "suspended" word I told you. I think the whole phrase goes like "suspended for repeated logins"...or similar. Start from "suspended" and refine the parsing afterwards.

4. Is this feature limited to mailbox service (http / soap)? Or does it work for SMTP / submissions too?
--> Good question. idk the answer tho, sorry. If I had to guess, as long as some authentication needs to happen, it will count the "failed login attempt", but I did not test this...

Mark Stone wrote an article that at least imho, is always good to have around: http://www.missioncriticalemail.com/author/lmstone/
opsystem
Posts: 33
Joined: Mon Nov 20, 2017 6:32 pm

Re: Some clarifications about DoS Filter: block IPs after a number of failed login attempts

Post by opsystem »

Hello pup_seba, thank you so much for taking time to answer my questions!

Yes, I already read Mark Stone’s article, that’s one of the sources I based my config on.

I’ve no “suspended” entries in my logs so I suppose that something is wrong with my server.

I’ll try to dig deeper, although I hope that some dev will give us more information, I find the documentation surprisingly poor for such a vital (at least to me) feature.
opsystem
Posts: 33
Joined: Mon Nov 20, 2017 6:32 pm

Re: Some clarifications about DoS Filter: block IPs after a number of failed login attempts

Post by opsystem »

Ok here is a brief recap after further analysis:

1. As pup_seba said, the feature only prevents an IP from logging into a mailbox. The offending IPs can still reach the server.

2+3. I still can’t find where banned IPs are cached. I can confirm that filtering mailbox log for “Access to IP xxx.xxx.xxx.xxx suspended, for repeated failed login” returns the banned IPs and their attempts (a.k.a. protection is running)

4. Now the sad part. The blocking feature works at mailbox level only i.e. on web GUI. It’s not effective against failed logins at submission / SMTP level. Why? Because the mailbox service, which is responsible for SOAP auth, will never see the originating IP of SASL/postfix request, instead the requests come from localhost as source (this is my case with no proxy installed). Maybe this could be different for higher Zimbra versions or with a Proxy installed + zimbraMailTrustedIP configured, but I can’t test this.

Anyway, I’ll go for fail2ban. If anyone has additional information on this topic, feel free to add it here.
Thanks again
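The two checks discussed in this thread (pup_seba's "grep for suspended" advice and opsystem's recap of the exact "Access to IP ... suspended, for repeated failed login" message and the localhost blind spot for SASL/postfix) can be done in one script. The following is an added example, not code from the thread or from Zimbra. Only the suspended message text comes from the thread; the sample log lines are constructed, and the timestamp prefix and the "oip=" field used to pull out the originating client IP are assumptions about the mailbox.log layout that you should adjust to what your own log shows.

```python
"""Audit mailbox.log to see whether the Zimbra invalid-login filter is actually
suspending IPs, and how many failed logins are hidden behind loopback."""
import re
from collections import Counter

# Constructed sample log lines (not real Zimbra output). Only the
# "Access to IP ... suspended, for repeated failed login" message is quoted
# from the forum thread; the timestamp prefix and the "oip=" field holding
# the originating client IP are assumptions about the log layout.
SAMPLE_LOG = """\
2017-11-21 09:12:01 INFO [name=alice@example.com;oip=203.0.113.7;] authentication failed for [alice@example.com]
2017-11-21 09:12:05 INFO [name=alice@example.com;oip=203.0.113.7;] authentication failed for [alice@example.com]
2017-11-21 09:12:09 INFO [name=alice@example.com;oip=203.0.113.7;] authentication failed for [alice@example.com]
2017-11-21 09:12:13 WARN [ip=203.0.113.7;] Access to IP 203.0.113.7 suspended, for repeated failed login
2017-11-21 09:13:00 INFO [name=bob@example.com;oip=127.0.0.1;] authentication failed for [bob@example.com]
2017-11-21 09:13:04 INFO [name=bob@example.com;oip=127.0.0.1;] authentication failed for [bob@example.com]
2017-11-21 09:13:08 INFO [name=carol@example.com;oip=127.0.0.1;] authentication failed for [carol@example.com]
2017-11-21 09:13:12 INFO [name=carol@example.com;oip=127.0.0.1;] authentication failed for [carol@example.com]
2017-11-21 09:14:00 INFO [name=dave@example.com;oip=198.51.100.9;] authentication failed for [dave@example.com]
"""

# Failed-login line: originating IP in an "oip=" field (assumed layout).
FAILED_RE = re.compile(r"oip=([0-9a-fA-F.:]+);.*authentication failed")
# Suspension message as quoted in the thread; the optional space tolerates
# the "xxx.xxx.xxx.xxxsuspended" spelling that appeared in the post.
SUSPENDED_RE = re.compile(
    r"Access to IP ([0-9a-fA-F.:]+) ?suspended, for repeated failed login"
)
LOOPBACK = {"127.0.0.1", "::1"}


def failed_logins_by_ip(log_text):
    """Count failed-login lines per originating IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def suspended_ips(log_text):
    """IPs the filter reports as suspended, in order of first appearance."""
    seen = []
    for line in log_text.splitlines():
        m = SUSPENDED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def audit(log_text, max_failed=3):
    """Compare failures against zimbraInvalidLoginFilterMaxFailedLogin.

    Returns which IPs reached the threshold, which of those never got a
    suspension line, and how many failures arrived via loopback. Loopback
    failures are the SASL/postfix case from the thread: the mailbox service
    sees 127.0.0.1 instead of the real client, so per-IP blocking cannot act
    on them without a proxy and zimbraMailTrustedIP in front of it.
    """
    failed = failed_logins_by_ip(log_text)
    suspended = set(suspended_ips(log_text))
    reached = {ip for ip, n in failed.items() if n >= max_failed}
    return {
        "failed": dict(failed),
        "suspended": sorted(suspended),
        "reached_threshold": sorted(reached),
        "not_suspended": sorted(reached - suspended),
        "loopback_failures": sum(n for ip, n in failed.items() if ip in LOOPBACK),
    }


if __name__ == "__main__":
    import json
    import sys

    # Pass a path to a real mailbox.log, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(audit(text), indent=2))
```

On the sample, 203.0.113.7 hits the threshold of 3 and has a matching suspension line, so the filter is visibly working for web/SOAP logins. The four failures attributed to 127.0.0.1 come from two different accounts and have no suspension line; that is the pattern opsystem describes, and a high loopback_failures count is the quick way to tell how much of your brute-force traffic the filter cannot attribute to a real source.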