Brute force attack & SPAM configuration
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Brute force attack & SPAM configuration
Hi, I'm new to Zimbra but I had to manage a group of servers using:
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
and
Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.
I'm in trouble understanding the actual Zimbra configuration (I found the server screaming under a landslide of SPAM and brute force... so... I'm in some troubled water).
First problem: I see a lot of brute force attacks using different user names against Server_public_ip:7071/service/admin/soap/ from...
Server_public_ip...
2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;
Access to Server_public_ip:7071/ is blocked from outside the network.
I've googled a lot, done these steps and restarted Zimbra:
zmlocalconfig zimbra_http_originating_ip_header
zimbra_http_originating_ip_header = X-Forwarded-For
zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP Server_public_ip
Nothing changed.
I've searched a lot in Bugzilla and the Zimbra forum; it seems to be an old, solved problem. I've made the suggested change but nothing happened.
Is this issue solved in some recent patch? Do you have some useful reference? Do you need other information?
Second: is Zimbra filtering spam? I think the answer is NO, but I want to share my config on the 8.6 machine:
#zmlocalconfig |grep -i spam
antispam_backup_retention = 0
antispam_enable_restarts = false
antispam_enable_rule_compilation = false
antispam_enable_rule_updates = false
antispam_mysql_data_directory = ${zimbra_home}/data/amavisd/mysql/data
antispam_mysql_directory = ${zimbra_home}/mta/mariadb
antispam_mysql_enabled = false
antispam_mysql_errlogfile = ${zimbra_home}/log/antispam-mysqld.log
antispam_mysql_host = 127.0.0.1
antispam_mysql_mycnf = ${zimbra_home}/conf/antispam-my.cnf
antispam_mysql_password = *
antispam_mysql_pidfile = ${zimbra_home}/data/amavisd/mysql/mysql.pid
antispam_mysql_port = 7308
antispam_mysql_root_password = *
antispam_mysql_socket = ${zimbra_home}/data/amavisd/mysql/mysql.sock
antispam_mysql_user = zimbra
zimbra_spam_report_queue_size = 100
/opt/zimbra/log/spamtrain.log is empty.
Is Zimbra using SpamAssassin or DSPAM?
antispam_mysql_enabled = false, so Zimbra is using a Berkeley DB?
Using the Zimbra administrator graphic interface it all seems to be OK (antispam, antivirus...), but I don't believe it.
Any help is really appreciated.
Last edited by TitusI on Fri Apr 22, 2016 10:21 am, edited 1 time in total.
Re: Brute force attack
When someone connects to postfix to auth, it generates a SOAP auth request. So what is likely happening is someone is trying to brute force against postfix. If you use something like fail2ban to block IP addresses slamming postfix, your SOAP calls should go away. I.e., you're attempting to tackle the wrong problem.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack
I'm using fail2ban. I want to underline that the IP address of the client who made the login attempts is not correct (it's my server's public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.
How can I understand if my Zimbra is using DSPAM or SpamAssassin, or both together?
Re: Brute force attack
TitusI wrote:
I'm using fail2ban. I want to underline that the IP address of the client who made the login attempts is not correct (it's my server's public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.
How can I understand if my Zimbra is using DSPAM or SpamAssassin, or both together?

Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA, that is why you see your SERVER IP.
I hope this explanation helps.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack
quanah wrote:
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA, that is why you see your SERVER IP.
I hope this explanation helps.
Regards,
Quanah

Yes, it helps a lot in understanding the problem, but I pass audit.log to fail2ban, in which the reported IP is the one for 7071 (my server's public IP), not the client of the connection on 465/578:
2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;
Where do I have to look in my logs for the connections on 465/578?
Thank you!
-
- Posts: 4
- Joined: Mon Apr 18, 2016 9:14 am
Re: Brute force attack
Hello.
You should check postfix's log files (usually /var/log/mail)
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack
Hi
horiachirculescu wrote:
Hello.
You should check postfix's log files (usually /var/log/mail)

Thank you. I don't have /var/log/mail; I have /var/log/maillog. I use the standard Zimbra logs /opt/zimbra/audit.log, mailbox.log and /var/log/zimbra.log.
My fail2ban jail indicates for postfix:
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=mymail@me]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5
In zimbra.log I have a lot of hti->error='' for access to :7071/service/admin/soap/
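The following is an added example, not code from the thread or from Zimbra, that shows in working form the point Quanah makes above and the reason the jail above cannot work as configured: the audit.log Auth line carries the server's own address in its ip= field (the MTA made the SOAP call on the client's behalf), while the Postfix smtpd SASL-failure lines carry the real client address. The log lines and IP addresses below are constructed (203.0.113.10 stands in for Server_public_ip); the SASL line format is the standard Postfix smtpd one, and the threshold mirrors the jail's maxretry = 5.

```python
import re
from collections import Counter

# Constructed stand-in for the thread's Server_public_ip placeholder.
SERVER_PUBLIC_IP = "203.0.113.10"
MAXRETRY = 5  # same threshold as the [postfix] jail in the thread

# Constructed copy of the audit.log line quoted in the thread, with the
# placeholder replaced. Note ip= is the server itself: the SOAP Auth call was
# issued by the MTA on the client's behalf, so this field never names the client.
AUDIT_LOG = """\
2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://203.0.113.10:7071/service/admin/soap/] [name=user@domain.net;ip=203.0.113.10;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;
"""

# Constructed Postfix smtpd lines in the standard SASL-failure format; these
# carry the connecting client's address and are what a postfix filter matches.
_SASL_LINES = [
    f"Apr 15 16:56:0{i} mail postfix/smtpd[4021]: warning: unknown[198.51.100.23]: "
    "SASL LOGIN authentication failed: authentication failure"
    for i in range(3, 9)
] + [
    "Apr 15 16:57:02 mail postfix/smtpd[4022]: warning: host.example[192.0.2.77]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Apr 15 16:57:05 mail postfix/smtpd[4022]: warning: host.example[192.0.2.77]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Apr 15 16:57:09 mail postfix/smtpd[4023]: connect from mua.example[192.0.2.80]",
]
MAIL_LOG = "\n".join(_SASL_LINES)

AUDIT_RE = re.compile(
    r"\[name=(?P<account>[^;]+);ip=(?P<ip>[^;]+);\].*protocol=(?P<proto>\w+);"
    r".*authentication failed"
)
SASL_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9.]+)\]: "
    r"SASL \w+ authentication failed"
)


def audit_auth_failures(text, server_ip=SERVER_PUBLIC_IP):
    """Return (account, ip, bannable) for each failed Auth in audit.log.

    bannable is False when ip is the server itself: banning that address would
    cut off the MTA's own SOAP calls (and so all SMTP AUTH), not the attacker.
    """
    rows = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            rows.append((m.group("account"), m.group("ip"), m.group("ip") != server_ip))
    return rows


def sasl_failures_by_ip(text):
    """Count Postfix SASL failures per client IP, as a postfix jail filter would."""
    counts = Counter()
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ban_candidates(counts, maxretry=MAXRETRY, ignore=("127.0.0.1", SERVER_PUBLIC_IP)):
    """Client IPs at or above the retry threshold, minus addresses that must never be banned."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry and ip not in ignore)


if __name__ == "__main__":
    for account, ip, bannable in audit_auth_failures(AUDIT_LOG):
        verdict = "bannable" if bannable else "server itself, not usable for banning"
        print(f"audit.log: {account} from {ip} -> {verdict}")
    counts = sasl_failures_by_ip(MAIL_LOG)
    print("SASL failures per client:", dict(counts))
    print("ban candidates:", ban_candidates(counts))
```

The practical consequence for the jail above is that its logpath must contain the Postfix smtpd lines (zimbra.log does on a default install, but only if the filter's regex matches that format) and that the server's own address belongs in fail2ban's ignore list, since the audit.log entries will keep reporting it.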
-
- Posts: 4
- Joined: Mon Apr 18, 2016 9:14 am
Re: Brute force attack
You should block access to the admin console port (specified by zimbraAdminBindAddress, default 7071) to permit access only from trusted networks. You can change the firewall rules on your security gateway, or you can use a firewall on your mail server(s) (e.g. iptables on Linux boxes).
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack
horiachirculescu wrote:
You should block access to the admin console port (specified by zimbraAdminBindAddress, default 7071) to permit access only from trusted networks. You can change the firewall rules on your security gateway, or you can use a firewall on your mail server(s) (e.g. iptables on Linux boxes).

Access to the admin port is already locked.
My problem is my lack of knowledge of Zimbra logic. I think that there is a logging problem (wrong host shown in audit.log) and two configuration problems: fail2ban is not working correctly and antispam is not working either (a lot of spam passes).
Any help in CHECKING (I could be wrong) and solving this issue is appreciated.
-
- Posts: 30
- Joined: Fri Apr 15, 2016 2:54 pm
- ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201
Re: Brute force attack
quanah wrote:
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA, that is why you see your SERVER IP.
I hope this explanation helps.
Regards,
Quanah

Following your suggestion on another thread and reading the suggested resource, I've mitigated the SPAM problem:
test:
zmlocalconfig antispam_enable_rule_updates
RES:antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
RES:antispam_enable_restarts = false
Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart
But I would like to know who is doing the job: DSPAM or SpamAssassin?
ps aux|grep -i spam
gave 0 output
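As an added check (not the poster's own code and not a Zimbra tool), the following parses the `key = value` output that `zmlocalconfig` prints, as shown earlier in the thread, compares it with the three values the post above sets, and emits the matching `zmlocalconfig -e` remediation commands. The input text is constructed from the thread's own output; the names of the functions and the WANTED baseline are this example's assumptions.

```python
# Constructed from the `zmlocalconfig | grep -i spam` output shown earlier in the thread.
LOCALCONFIG_OUTPUT = """\
antispam_backup_retention = 0
antispam_enable_restarts = false
antispam_enable_rule_compilation = false
antispam_enable_rule_updates = false
antispam_mysql_data_directory = ${zimbra_home}/data/amavisd/mysql/data
antispam_mysql_enabled = false
antispam_mysql_host = 127.0.0.1
antispam_mysql_password = *
antispam_mysql_port = 7308
zimbra_spam_report_queue_size = 100
"""

# Baseline taken from the zmlocalconfig -e commands in the post above (assumed
# desired state for this check; order here is the order the post applied them).
WANTED = {
    "antispam_enable_rule_updates": "true",
    "antispam_enable_restarts": "true",
    "antispam_enable_rule_compilation": "true",
}


def parse_localconfig(text):
    """Turn `key = value` lines into a dict; split on the first ' = ' only,
    since values such as paths may themselves contain '='."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_settings(cfg, wanted=WANTED):
    """Return (key, current, wanted) for every baseline key that is absent or differs."""
    return [(k, cfg.get(k), v) for k, v in wanted.items() if cfg.get(k) != v]


def fix_commands(mismatches):
    """Remediation commands in the form the thread uses (zmlocalconfig -e key=value)."""
    return [f"zmlocalconfig -e {k}={v}" for k, _, v in mismatches]


if __name__ == "__main__":
    cfg = parse_localconfig(LOCALCONFIG_OUTPUT)
    mismatches = check_settings(cfg)
    for key, current, wanted in mismatches:
        print(f"{key}: is {current!r}, want {wanted!r}")
    for cmd in fix_commands(mismatches):
        print(cmd)
```

Run it with the real output piped in (`zmlocalconfig | grep -i spam`) in place of the constructed text; an empty mismatch list means the three settings already match the baseline.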