Brute force against Web Service

mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

Brute force against Web Service

Post by mrgreiner »

Hi,

I know this has been asked before, but I haven't seen a good answer yet.

I have a ZCS 8.7 (fully patched) install on Centos 6.10, including zmauditswatch and fail2ban. My logs are also sent to a central syslog server, where they are analyzed by OSSEC.

My problem is that someone collected a number of valid email addresses (probably on a web page, some mail list we had or whatever) and keeps brute forcing them against the webserver (https, not smtp). This way, some accounts keep getting blocked with some frequency. Fail2ban is useless in this case, since the logs of the webserver only show the IP of the server itself. Example:

Jul 28 10:10:26 200.145.62.17 saslauthd[4374]: do_auth : auth failure: [user=<user>@<domain>] [service=smtp] [realm=<domain>] [mech=zimbra] [reason=Unknown]
Jul 28 10:10:26 200.145.62.17 saslauthd[4374]: auth_zimbra: <user>@<domain> auth failed: authentication failed for [<user>@<domain>]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: do_auth : auth failure: [user=<user>@<domain>] [service=smtp] [realm=<domain>] [mech=zimbra] [reason=Unknown]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: auth_zimbra: <user>@<domain> auth failed: authentication failed for [<user>@<domain>]
Jul 28 10:10:26 200.145.62.17 saslauthd[4365]: zmpost: url='https://<domain>:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [<user>@<domain>]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2036958521-9288:1595941826170:91f2778a2cca4d47</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''

I would like to provide fail2ban the IP from where those attempts are coming, but nowhere do I get the information to find that out. How do I block these? I'm getting a lot of those attempts, and sooner or later it will get some entry right, and my server will (probably) be used for spam :-(
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Brute force against Web Service

Post by L. Mark Stone »

Sounds like you are not configured to log the originating IP address.

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

...and if you are interested:
https://www.missioncriticalemail.com/20 ... sion-only/
https://www.missioncriticalemail.com/20 ... -together/

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
mrgreiner
Posts: 23
Joined: Sat Sep 13, 2014 2:56 am

Re: Brute force against Web Service

Post by mrgreiner »

It worked.

The IP addresses are showing in the logs, as explained on the page. Now I will work on tuning fail2ban to properly use that information.

Tks.

Roberto
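As an added example (not code from the thread or from Zimbra), here is the fail2ban-style counting logic in Python for the follow-up step Roberto mentions: it assumes the originating client address shows up in an `oip=` field, as it does in Zimbra's audit.log once originating-IP logging is on, and runs over constructed sample lines that include one successful login the filter must not count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of Zimbra's audit.log once the
# originating IP is logged. `ip=` is the mailbox host seeing the request;
# `oip=` is the real client. Addresses are from documentation ranges.
SAMPLE_AUDIT_LOG = """\
2020-07-28 10:10:26,170 INFO  [qtp2036958521-9288:https://mail.example.com/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2020-07-28 10:10:27,021 INFO  [qtp2036958521-9290:https://mail.example.com/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;
2020-07-28 10:10:28,404 INFO  [qtp2036958521-9291:https://mail.example.com/service/soap/AuthRequest] [ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
2020-07-28 10:10:30,112 INFO  [qtp2036958521-9292:https://mail.example.com/service/soap/AuthRequest] [ip=127.0.0.1;oip=198.51.100.7;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2020-07-28 10:10:31,555 INFO  [qtp2036958521-9293:https://mail.example.com/service/soap/AuthRequest] [ip=127.0.0.1;oip=198.51.100.7;ua=zclient/8.7.0_GA_1659;] security - cmd=Auth; account=alice@example.com; protocol=soap;
"""

# A fail2ban failregex for these lines would put <HOST> where the `oip` group
# is; matching `oip=` rather than `ip=` is what keeps fail2ban from banning
# the server itself, which is the problem in the OP's saslauthd lines.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*"
    r"oip=(?P<oip>[0-9A-Fa-f.:]+);.*cmd=Auth; account=(?P<account>[^;]+);"
    r".*error=authentication failed"
)

def failed_auths(log_text):
    """(timestamp, originating_ip, account) per failed Auth line; successes (no error=) skipped."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            out.append((ts, m.group("oip"), m.group("account")))
    return out

def offenders(log_text, maxretry=3, findtime=600):
    """fail2ban's rule: ban an IP with `maxretry` failures inside any `findtime`-second
    window. Returns {ip: sorted accounts tried}, so a one-IP/many-accounts spray is obvious."""
    by_ip = defaultdict(list)
    for ts, oip, account in failed_auths(log_text):
        by_ip[oip].append((ts, account))
    banned = {}
    window = timedelta(seconds=findtime)
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events) - maxretry + 1):
            if events[i + maxretry - 1][0] - events[i][0] <= window:
                banned[ip] = sorted({a for _, a in events})
                break
    return banned
```

With the defaults, only 203.0.113.5 crosses the threshold; 198.51.100.7 has a single failure followed by a success and is left alone.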