Help - I'm having an IMAP attack that fail2ban can't stop

jasggomes
Advanced member
Posts: 90
Joined: Sat Sep 13, 2014 12:59 am
Location: Lisbon, PT
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Help - I'm having an IMAP attack that fail2ban can't stop

Post by jasggomes »

Hi to all, a quick post.
I have a Zimbra 8.7.11 that is under an IMAP account attack that I've been unable to stop so far ...
That attack is locking out all affected accounts due to the lockout policy.

I implemented the fail2ban policy some time ago, but it seems that it is not blocking anything, so please, can someone give me a hint how to stop this?

Regards.

JG
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806

Re: Help - I'm having an IMAP attack that fail2ban can't stop

Post by stefaniu.criste »

Hello

Can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog?
Delete all sensitive data (like email addresses) and leave just the errors.
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
jasggomes
Advanced member
Posts: 90
Joined: Sat Sep 13, 2014 12:59 am
Location: Lisbon, PT
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Help - I'm having an IMAP attack that fail2ban can't stop

Post by jasggomes »

stefaniu.criste wrote: Hello

can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Thanks for the quick reply.
Yes I can, but give me some time, I'm away from the office right now.
jasggomes
Advanced member
Posts: 90
Joined: Sat Sep 13, 2014 12:59 am
Location: Lisbon, PT
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Help - I'm having an IMAP attack that fail2ban can't stop

Post by jasggomes »

stefaniu.criste wrote: Hello

can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Hello, after almost 24 hrs trying to figure this out I'm almost giving up ...

So here is what I have found out so far: it's a long post, so be patient please.

- One of my users got his 'shitty' password guessed. Yes, I know, but management says it can't be 'too complex'; these are mainly 'older' people and keep forgetting the passwords ... or something.

With that password and a valid user, a spammer relayed mail through our server for almost 24 hrs.
That attack was noticed due to the massive amount of NDRs returned, around one hour before I wrote the above post asking for help.
I changed the user's password, and even switched the PC.

So now the aftermath:

The server is getting blocked by some clients' email servers. I'm on top of this, but I had to disable the auto-block for the user account, or it keeps getting locked due to the attempts to log in with that account.

What I have done:

I had installed fail2ban a while ago, when I replaced a failed Zimbra 8.6 with this 8.7 one, following what tutorials I could find around, but for some strange reason nothing is working.

My logs keep showing me these lines:

auth.log
Sep 25 13:19:46 mail saslauthd[38048]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-1378:1506341986638:03725463bc573f76</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 25 13:19:46 mail saslauthd[38048]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]

zimbra.log
Sep 26 10:49:16 mail saslauthd[4785]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-921:1506419356740:cf426e3bf7bd1405</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[193.165.237.27]: SASL LOGIN authentication failed: authentication failure

Fail2ban:

I can only find some hits using a filter called 'sasl.conf':

# Fail2Ban configuration file
## Author: Yaroslav Halchenko
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
#
#failregex = \[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$

## Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

result:

root@mail:/etc/fail2ban/filter.d# fail2ban-regex /var/log/zimbra.log sasl.conf -v

Failregex: 33 total
|- #) [# of hits] regular expression
| 1) [33] warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
| 176.107.198.66 Tue Sep 26 09:54:21 2017
| 93.99.219.51 Tue Sep 26 09:54:34 2017
| 84.115.103.41 Tue Sep 26 09:54:49 2017

But there is no evidence of those IPs being blocked ....

root@mail:/etc/fail2ban/filter.d# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-Postfix
-N fail2ban-SASL-iptables
-N fail2ban-Zimbra-account
-N fail2ban-Zimbra-audit
-N fail2ban-Zimbra-recipient
-N fail2ban-sasl
-N fail2ban-ssh
-N fail2ban-ssh-ddos
-A INPUT -p tcp -j fail2ban-SASL-iptables
-A INPUT -p tcp -j fail2ban-Zimbra-recipient
-A INPUT -p tcp -j fail2ban-Zimbra-audit
-A INPUT -p tcp -j fail2ban-Zimbra-account
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995,587,4190 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-Postfix
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-Postfix -j RETURN
-A fail2ban-SASL-iptables -j RETURN
-A fail2ban-Zimbra-account -j RETURN
-A fail2ban-Zimbra-audit -j RETURN
-A fail2ban-Zimbra-recipient -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN

my jail.local file:

#######################
# Zimbra Mail
########################
[zimbra-account]

enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 2

[zimbra-audit]

enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2

[zimbra-recipient]

enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/zimbra.log
findtime = 604800
bantime = -1
maxretry = 2

[postfix]

enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2

[postfix-connections]

enabled = false
filter = postfix-connections
action = iptables[name=Postfix-Connections, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
bantime = -1
ignoreip = 127.0.0.1

[sasl-iptables]

enabled = true
filter = sasl
action = iptables-allports[name=SASL-iptables]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2

[sasl]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission,sieve
filter = sasl
logpath = /var/log/zimbra.log
bantime = 900
maxretry = 0

My zimbra.conf:

# Fail2Ban configuration file
#
# Author:

[Definition]


#Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Continuation lines of a multi-line failregex must be indented, or the
# filter file does not parse.
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .*invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            \[ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

#failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
# \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
# ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
# \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
# WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
# NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

#failregex =.*authentication failed for .* invalid password

#failregex = (.*)[ip=<HOST>;] (.*) protocol=imap; error=authentication failed for


# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Conclusion:

I'm missing something ... so can someone give me a hint/help/light ???

Thanks in advance.

JG
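What fail2ban does with the filter and jails posted above, as an added example that is not part of the thread: the active 'sasl' failregex with <HOST> expanded, replayed over constructed log lines modelled on the zimbra.log excerpt (documentation-range addresses, a placeholder user, and the year 2017 assumed because syslog lines carry none). It makes one point the excerpt alone does not: the saslauthd/auth_zimbra lines name the account but no client address, so no failregex can ever turn them into a ban; only the postfix/submission/smtpd warning lines carry an IP, and whether those become bans depends on findtime and maxretry. The hit count the block reports is what fail2ban-regex counts; hits without bans, as in the iptables listing above, point at the jail or the service rather than at the regex.

```python
"""
Added example (not code from the thread): a small re-implementation of the
counting fail2ban does with the poster's active 'sasl' failregex, replayed
over constructed log lines modelled on the zimbra.log excerpts above.
It shows why the saslauthd/auth_zimbra lines can never lead to a ban (they
carry no client address, so <HOST> has nothing to capture), and how
findtime and maxretry turn the postfix/submission/smtpd matches into bans.
"""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands the <HOST> tag to this group (quoted in the sasl.conf comments).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The poster's uncommented failregex from sasl.conf, with <HOST> expanded.
SASL_FAILREGEX = re.compile(
    r"warning: [-._\w]+\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(:[A-Za-z0-9+/ ]*)?$"
)

# "Mon DD HH:MM:SS host message": the syslog layout of /var/log/zimbra.log
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$"
)

# Constructed sample log: addresses are from documentation ranges, the user
# is a placeholder. Line 1 is the saslauthd form, the rest the postfix form.
SAMPLE_LOG = """\
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[203.0.113.27]: SASL LOGIN authentication failed: authentication failure
Sep 26 10:49:40 mail postfix/submission/smtpd[15801]: warning: unknown[203.0.113.27]: SASL LOGIN authentication failed: authentication failure
Sep 26 10:50:02 mail postfix/submission/smtpd[15802]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Sep 26 10:50:05 mail postfix/submission/smtpd[15801]: warning: unknown[203.0.113.27]: SASL LOGIN authentication failed: authentication failure
Sep 26 12:30:00 mail postfix/submission/smtpd[15809]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""


def parse_line(line, year=2017):
    """Split a syslog line into (timestamp, message). Syslog lines carry no
    year, so the thread's year is assumed."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def extract_failure(regex, line):
    """Return (timestamp, host) if the failregex matches the line, else None.
    A line with no bracketed client address cannot match, whatever it says."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    ts, msg = parsed
    m = regex.search(msg)
    return (ts, m.group("host")) if m else None


def hit_count(lines, regex):
    """What 'fail2ban-regex <log> <filter>' reports as the number of hits."""
    return sum(1 for line in lines if extract_failure(regex, line) is not None)


def ban_decisions(lines, regex, findtime=600, maxretry=5):
    """Replay the jail logic: a host is banned the moment it reaches maxretry
    failures inside a findtime-second window. Returns [(host, ban_time)] in
    ban order; later failures from an already banned host are ignored."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        hit = extract_failure(regex, line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return sorted(banned.items(), key=lambda item: item[1])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("hits:", hit_count(lines, SASL_FAILREGEX))
    for findtime in (600, 604800):
        print(f"findtime={findtime} maxretry=2 ->",
              ban_decisions(lines, SASL_FAILREGEX, findtime=findtime, maxretry=2))
```

Run as a script it prints both findtime settings side by side: with the poster's [sasl-iptables] jail (findtime unset, so the 600 s default) the second host is never banned because its two failures are hours apart, while the 604800 s findtime of the [zimbra-recipient] jail catches it. A slow guesser that spaces attempts wider than findtime stays under any maxretry, which is why the window matters as much as the retry count.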
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806

Re: Help - I'm having an IMAP attack that fail2ban can't stop

Post by stefaniu.criste »

Hello

I am using csf (https://www.configserver.com/), working OK on some other non-Zimbra servers running the same Postfix.

== Uninstall fail2ban
== Install csf
== Edit the config file at /etc/csf/csf.conf and set the basic access rules (documentation is pretty straightforward)
== continue editing and find CUSTOM1_LOG near the end; change it to:

CUSTOM1_LOG = "/var/log/maillog"

== add the appropriate regex, by editing nano /usr/local/csf/bin/regex.custom.pm
between "Do not edit before this point" and "Do not edit beyond this point" put the code

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
}

Numbers mean: if 3 failed attempts on port 25 within 3600 secs, ban the IP


Note
Please check the regex (I am not that good) in order to fit your logs


Also, have you considered adding 2FA?
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
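The csf regex from the post above, as an added example that is not part of the post or of csf itself: transcribed to Python unchanged, beside a broadened version, both run over constructed Postfix lines (the service names, the documentation-range addresses and the mechanisms are made up to exercise the patterns). It shows what the original pattern lets through: failures logged by the port-25 postfix/smtpd or the smtps instance rather than postfix/submission/smtpd, and any mechanism whose name has a hyphen or digit (CRAM-MD5, DIGEST-MD5), which SASL [A-Z]*? cannot span. The csf_trigger function mimics the tuple regex.custom.pm hands back; the field order (description, address, trigger name, failure count, ports to block, seconds) is my reading of the post and of the header comment in that file, so check it against regex.custom.pm on your install. BLOCK_PORTS widens the post's "25" to the mail ports, on the assumption that a guesser shut out of SMTP simply moves on to IMAP, which is the attack this thread started with.

```python
"""
Added example (not code from the thread or from csf): the csf regex from the
post, transcribed from Perl to Python unchanged, beside a broadened version,
both run over constructed postfix log lines. It shows which failures the
original pattern lets through: anything logged by the port-25 or smtps smtpd
instances rather than 'postfix/submission/smtpd', and any mechanism with a
hyphen or digit in its name (CRAM-MD5, DIGEST-MD5), which 'SASL [A-Z]*?'
cannot span.
"""
import re

# Verbatim transcription of the pattern in the post (Perl and Python agree on this syntax).
ORIGINAL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:"
    r".*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed"
)

# Broadened: any smtpd instance (postfix/smtpd, postfix/submission/smtpd,
# postfix/smtps/smtpd), any bracketed client address, any mechanism name.
BROADENED = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/(?:\w+/)?smtpd\[\d+\]: warning: "
    r"\S+\[([^\]]+)\]: SASL [\w-]+ authentication failed"
)

# Constructed lines in the layout of the thread's zimbra.log excerpt; the
# service names, addresses (documentation ranges) and mechanisms are made up.
SAMPLE_LINES = [
    "Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[203.0.113.27]: SASL LOGIN authentication failed: authentication failure",
    "Sep 26 10:51:03 mail postfix/smtpd[15820]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Sep 26 10:52:11 mail postfix/smtps/smtpd[15830]: warning: unknown[192.0.2.44]: SASL CRAM-MD5 authentication failed: authentication failure",
    "Sep 26 10:53:00 mail postfix/submission/smtpd[15801]: warning: unknown[203.0.113.27]: SASL DIGEST-MD5 authentication failed: authentication failure",
    "Sep 26 10:53:30 mail postfix/submission/smtpd[15801]: connect from unknown[203.0.113.27]",
]

# Ports the block is applied to. The post's example names "25" only; a
# password guesser locked out of SMTP just moves to IMAP/POP, so the
# assumption here is to cover every mail port the server exposes.
BLOCK_PORTS = "25,465,587,110,995,143,993"


def match_ip(regex, line):
    """The client address the pattern captures (group 1), or None if no match."""
    m = regex.match(line)
    return m.group(1) if m else None


def missed_by_original(lines):
    """Addresses the broadened pattern reports that the original one misses."""
    return [match_ip(BROADENED, line) for line in lines
            if match_ip(BROADENED, line) is not None and match_ip(ORIGINAL, line) is None]


def csf_trigger(line, regex=BROADENED, failures=3, ports=BLOCK_PORTS, timeout=3600):
    """Mimic the tuple regex.custom.pm hands back to csf. Field order assumed
    from the post and the file's own header comment: description, address,
    trigger name, failures before blocking, ports to block, block seconds."""
    ip = match_ip(regex, line)
    if ip is None:
        return None
    return ("Failed SASL login from", ip, "mysaslmatch", str(failures), ports, str(timeout))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"original={match_ip(ORIGINAL, line)!s:14} broadened={match_ip(BROADENED, line)}")
    print("missed by original:", missed_by_original(SAMPLE_LINES))
```

Before relying on a broadened pattern in csf, run it over a real day of /var/log/zimbra.log the same way and confirm that only the "warning: ... SASL ... authentication failed" lines match, since an over-wide pattern that catches "connect from" lines would block every client that merely connects.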
jasggomes
Advanced member
Posts: 90
Joined: Sat Sep 13, 2014 12:59 am
Location: Lisbon, PT
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Help - I'm having an IMAP attack that fail2ban can't stop

Post by jasggomes »

stefaniu.criste wrote: Hello

I am using csf (https://www.configserver.com/), working OK on some other non-Zimbra servers running the same Postfix.

Note
Please check the regex (I am not that good) in order to fit your logs


Also, have you considered adding 2FA?
Hi Stefaniu, and thanks for your reply.

I'll give it a try, it doesn't hurt.
It's a FOSS edition; there is no 2FA on these versions.

Regards.

JG