Blocking SASL logins?

[zim_mike]

I see this in the logs, 24/7, obviously spammers trying to get into our zimbra 8.8.11 servers, I guess doing some kind of dictionary attack.
Is SASL related to POPS and/or IMAPS which are all that we really allow? We only have a handful of accounts on the server, mainly for outgoing mail, notifications from a service we offer.

If SASL is not related, can it be disabled and is it worth doing so since this is the only non stop attempt that I see in the logs.

Code: Select all

Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:01 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:04 mx postfix/smtps/smtpd[1353]: warning: unknown[80.149.41.197]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:14 mx postfix/smtps/smtpd[1357]: warning: unknown[113.172.116.1]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:31 mx postfix/smtps/smtpd[1357]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:33 mx postfix/smtps/smtpd[1842]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:35 mx postfix/smtps/smtpd[1290]: warning: unknown[14.164.186.241]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:28:44 mx postfix/smtps/smtpd[1357]: warning: mx-ll-183.89.215-245.dynamic.3bb.co.th[183.89.215.245]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:09 mx postfix/smtps/smtpd[1842]: warning: unknown[220.156.174.161]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:12 mx postfix/smtps/smtpd[1290]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: SASL authentication failure: Password verification failed
Jun 10 15:29:16 mx postfix/smtps/smtpd[1357]: warning: node-5qw.pool-1-2.dynamic.totinternet.net[1.2.157.24]: SASL PLAIN authentication failed: authentication failure

[stefaniu.criste]

Hello

we are using csf (configserver.com) as local firewall.
Zimbra is running on CentOS 6 (yes mom, we know EOL is near)

Please follow the firewall's documentation in order to properly install it.
TEST before, not to lock tourself out!

1) edit /etc/csf/csf.conf and set the following constant (it is almost at the end of configuration file)

Code: Select all

CUSTOM2_LOG = "/var/log/maillog"

2) edit /usr/local/csf/bin/regex.custom.pm and somewhere before the line that states "# Do not edit beyond this point" add

Code: Select all

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[($
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}

Restart csf with

Code: Select all

csf -r

Restart lfd with

Code: Select all

service lfd restart

or, if you have CentOS 7+

Code: Select all

systemctl restart lfd

[DualBoot]

Do not disable SASL auth unless you do not want your users to send mail with their mail client.
In your case, I think Fail2Ban could be your best friend

Regards,

[zim_mike]

The local firewall is firewalld so I would need more information on what it is that I'm trying to block in order to look up how to do that.

Can you give me a breakdown of what this is going. I can see it's watching the log for the warnings I posted and seems to be checking ports 25,465 and 587.
The rest is not clear. What is it looking for in terms of too many attempts in what time period, 2 minutes?

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[($
return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");


I've read many posts from folks trying fail2ban but many say it doesn't seem to work.

We only have a handful of accounts, the server is mostly used for outgoing notifications for a service that members sign up to.
However, the few people we do have use mail clients on different devices.

I don't want to limit the road warriors but then again, they can easily call in if they get locked out and we have control of the server to get them back in.

[L. Mark Stone]

SASL is used by IMAP/POP clients to send email on port 587 after authenticating with their Zimbra credentials.

I just did a blog post, albeit for Ubuntu's UFW, that shows how to implement fail2ban to block bad actors trying to brute force accounts using this vector.

You'll need to use your own settings for firewalld, but the regex for finding failed SASL logins will work for you.

https://www.missioncriticalemail.com/20 ... sion-only/

Hope that helps,
Mark

[stefaniu.criste]

First of all, I must apologize for the previous post.
I have pasted an incomplete rule (trimmed by nano editor)
The correct rule is this:

Code: Select all

# log SASL auth
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","2","25,465,587","1");
}

Moving on, here are some answers:

The local firewall is firewalld so I would need more information on what it is that I'm trying to block in order to look up how to do that.

The configuration and above rule works only for csf firewall, not firewalld. I also like firewalld, but csf suits better for my needs.

Can you give me a breakdown of what this is going. I can see it's watching the log for the warnings I posted and seems to be checking ports 25,465 and 587.
The rest is not clear. What is it looking for in terms of too many attempts in what time period, 2 minutes?

There is an explained sample in the regex.custom.pm file.

Code: Select all

# Example:
#       if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#               return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#       }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled

In the example rule, after 5 failed attempts within the general defined period (period it is set in /etc/csf/csf.conf, usually 1 hour), attacker will be blocked permanently on ports 20 and 21.

[zim_mike]

Thanks for all the help. I think I am going to install fail2ban working with firewalld.
The only thing that's confusing is someone mentioned ports 20 and 21 which are not in use anywhere so not sure what this is about.
Also, it's not clear what I'll block because as someone pointed out, SASL is part of pop and imap as well so I guess those ports will be monitored.

[zim_mike]

Thanks for the blog article. I bet plenty of people would appreciate the same using firewalld.

[DualBoot]

Block all except and monitor :
- 25 (SMTP, SMTP with auth)
- 587 (Submission)
- 22 (if need to access your server from the outside world, better use VPN or allow identified IP with private key)
- 110 (POP)
- 995 (POPS)
- 143 (IMAP)
- 993 (IMAPS)
- 80 (HTTP)
- 443 (HTTPS)
That should be enough

Regards

[L. Mark Stone]

Thanks for the blog article. I bet plenty of people would appreciate the same using firewalld.

Thanks Mike,

FWIW Fail2ban also ships with several firewalld action files in /etc/fail2ban/action.d and the firewalld documentation (https://firewalld.org/documentation/how ... rvice.html) shows how to add a custom service (zimbra-submission).

It looks like the process in my blog for firewalld is the same; the only difference is the method to create the custom submission service with firewalld.

Hope that helps,
Mark