Hi to all, a quick post.
I have a Zimbra 8.7.11 that is having an IMAP account attack that I'm unable to stop so far ...
That attack is blocking all affected accounts due to the lockout policy.
I implemented the fail2ban policy some time ago, but it seems that it is not blocking anything, so please, can someone give me a hint how to stop this?
Regards.
JG
Help - I'm having an IMAP attack that fail2ban can't stop
- stefaniu.criste
- Posts: 41
- Joined: Wed Feb 12, 2014 5:40 am
- Location: Romania
- ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806
- Contact:
Re: Help - I'm having an IMAP attack that fail2ban can't stop
Hello
can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
- jasggomes
- Advanced member
- Posts: 90
- Joined: Sat Sep 13, 2014 12:59 am
- Location: Lisbon, PT
- ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64
- Contact:
Re: Help - I'm having an IMAP attack that fail2ban can't stop
stefaniu.criste wrote:
Hello
can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Thanks for the quick reply.
Yes I can, but give me some time, I'm away from the office right now.
- jasggomes
- Advanced member
- Posts: 90
- Joined: Sat Sep 13, 2014 12:59 am
- Location: Lisbon, PT
- ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64
- Contact:
Re: Help - I'm having an IMAP attack that fail2ban can't stop
stefaniu.criste wrote:
Hello
can you post some log excerpts from /var/log/zimbra.log and /var/log/maillog ?
Delete all sensitive data (like email addresses) and leave just the errors.
Hello, after almost 24 hrs trying to figure this out I'm almost giving up ...
So here is what I found out so far: it's a long post, so be patient please.
- One of my users got his 'shitty' password guessed, yes I know, but management says it can't be 'too complex', these are mainly 'older' people and keep forgetting the passwords ... or something.
With that password and valid user, a spammer relayed mail through our server during almost 24 hrs.
That attack was noticed due to the massive amount of NDRs returned, around one hour before I wrote the above post asking for help.
I changed the user PWD, and even switched the PC.
So now the aftermath:
Server is getting blocked on some client email servers, I'm on top of this, but I had to disable the auto-block for the user account, or it keeps getting blocked due to the attempts to login with that account.
What I have done:
I had installed fail2ban a while ago, when I replaced a failed Zimbra 8.6 with this one 8.7, following what tutorials I could find around, but for some strange reason, nothing is working.
My logs keep showing me these lines:
auth.log
Sep 25 13:19:46 mail saslauthd[38048]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-1378:1506341986638:03725463bc573f76</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 25 13:19:46 mail saslauthd[38048]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
zimbra.log
Sep 26 10:49:16 mail saslauthd[4785]: zmpost: url='https://mail.domain.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [leakeduser@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1068934215-921:1506419356740:cf426e3bf7bd1405</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: leakeduser@domain.com auth failed: authentication failed for [leakeduser@domain.com]
Sep 26 10:49:16 mail postfix/submission/smtpd[15801]: warning: unknown[193.165.237.27]: SASL LOGIN authentication failed: authentication failure
Fail2ban:
I can only find some hits using a filter called 'sasl.conf':
# Fail2Ban configuration file
## Author: Yaroslav Halchenko
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
#
#failregex = \[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
## Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
result:
root@mail:/etc/fail2ban/filter.d# fail2ban-regex /var/log/zimbra.log sasl.conf -v
Failregex: 33 total
|- #) [# of hits] regular expression
| 1) [33] warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
| 176.107.198.66 Tue Sep 26 09:54:21 2017
| 93.99.219.51 Tue Sep 26 09:54:34 2017
| 84.115.103.41 Tue Sep 26 09:54:49 2017
But there is no evidence of those IPs being blocked ....
root@mail:/etc/fail2ban/filter.d# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-Postfix
-N fail2ban-SASL-iptables
-N fail2ban-Zimbra-account
-N fail2ban-Zimbra-audit
-N fail2ban-Zimbra-recipient
-N fail2ban-sasl
-N fail2ban-ssh
-N fail2ban-ssh-ddos
-A INPUT -p tcp -j fail2ban-SASL-iptables
-A INPUT -p tcp -j fail2ban-Zimbra-recipient
-A INPUT -p tcp -j fail2ban-Zimbra-audit
-A INPUT -p tcp -j fail2ban-Zimbra-account
-A INPUT -p tcp -m multiport --dports 25,465,143,220,993,110,995,587,4190 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j fail2ban-Postfix
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-Postfix -j RETURN
-A fail2ban-SASL-iptables -j RETURN
-A fail2ban-Zimbra-account -j RETURN
-A fail2ban-Zimbra-audit -j RETURN
-A fail2ban-Zimbra-recipient -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
my jail.local file:
#######################
# Zimbra Mail
########################
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 2
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/zimbra.log
findtime = 604800
bantime = -1
maxretry = 2
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2
[postfix-connections]
enabled = false
filter = postfix-connections
action = iptables[name=Postfix-Connections, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
bantime = -1
ignoreip = 127.0.0.1
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=SASL-iptables]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 2
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission,sieve
filter = sasl
logpath = /var/log/zimbra.log
bantime = 900
maxretry = 0
My zimbra.conf:
# Fail2Ban configuration file
#
# Author:
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .*invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            \[ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
# \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
# ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
# \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
# WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
# NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#failregex =.*authentication failed for .* invalid password
#failregex = (.*)[ip=<HOST>;] (.*) protocol=imap; error=authentication failed for
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Conclusion:
I'm missing something ... so can someone give me a hint/help/light?
Thanks in advance.
JG
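As an added example (not from the thread or from fail2ban itself), the Python below runs the sasl.conf failregex posted above over constructed postfix/submission lines and applies fail2ban's maxretry/findtime counting rule. It shows why a ban count can stay at zero while fail2ban-regex reports many hits: hosts that each fail only once, as in the fail2ban-regex output in the post, never reach maxretry = 2, while a host that repeats inside findtime does. The IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The failregex from the thread's sasl.conf, with fail2ban's <HOST> tag expanded
# to the named group the filter's own comment header says it is an alias for.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(
    r"warning: [-._\w]+\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(:[A-Za-z0-9+/ ]*)?$"
)
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

# Constructed sample lines in the same shape as the postfix/submission entry in the
# post; the IPs and timestamps are made up for this example. The last line is a
# saslauthd entry, which this failregex does not match (it lacks "warning: ...[ip]").
SAMPLE_LOG = """\
Sep 26 09:54:21 mail postfix/submission/smtpd[15801]: warning: unknown[198.51.100.10]: SASL LOGIN authentication failed: authentication failure
Sep 26 09:54:34 mail postfix/submission/smtpd[15802]: warning: unknown[198.51.100.11]: SASL LOGIN authentication failed: authentication failure
Sep 26 09:54:49 mail postfix/submission/smtpd[15803]: warning: unknown[198.51.100.12]: SASL PLAIN authentication failed: authentication failure
Sep 26 09:55:02 mail postfix/submission/smtpd[15804]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 26 09:55:40 mail postfix/submission/smtpd[15805]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 26 10:49:16 mail saslauthd[4785]: auth_zimbra: user@example.com auth failed: authentication failed for [user@example.com]
"""

def parse_failures(log_text, year=2017):
    """Return (host, timestamp) for every line the failregex matches, like fail2ban-regex does."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        ts = SYSLOG_TS.match(line)
        if m and ts:
            when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((m.group("host"), when))
    return hits

def hosts_to_ban(hits, maxretry=2, findtime=600):
    """Apply fail2ban's rule: ban a host once it has maxretry failures inside a findtime window."""
    seen = defaultdict(list)
    banned = []
    for host, when in sorted(hits, key=lambda h: h[1]):
        window = [t for t in seen[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        seen[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the thread's jail settings (maxretry = 2, default findtime of 600 s) only the repeating host is banned; a password-spraying source that rotates IPs per attempt is invisible to this counting, which is why the per-account lockout fires first.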
- stefaniu.criste
- Posts: 41
- Joined: Wed Feb 12, 2014 5:40 am
- Location: Romania
- ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806
- Contact:
Re: Help - I'm having an IMAP attack that fail2ban can't stop
Hello
I am using csf (https://www.configserver.com/) working OK on some other non-zimbra servers but running same postfix
== Uninstall fail2ban
== Install csf
== Edit the config file at /etc/csf/csf.conf and set the basic access rules (documentation is pretty straightforward)
== continue editing and find CUSTOM1_LOG near the end; change it to:
CUSTOM1_LOG = "/var/log/maillog"
== add the appropriate regex, by editing nano /usr/local/csf/bin/regex.custom.pm
between "Do not edit before this point" and "Do not edit beyond this point" put the code
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
}
Numbers mean: if 3 failed attempts on port 25 within 3600 secs, ban the IP
Note
Please check the regex (I am not that good) in order to fit your logs
Also, have you considered adding 2FA?
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
- jasggomes
- Advanced member
- Posts: 90
- Joined: Sat Sep 13, 2014 12:59 am
- Location: Lisbon, PT
- ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64
- Contact:
Re: Help - I'm having an IMAP attack that fail2ban can't stop
stefaniu.criste wrote:
Hello
I am using csf (https://www.configserver.com/) working OK on some other non-zimbra servers but running same postfix
Note
Please check the regex (I am not that good) in order to fit your logs
Also, have you considered adding 2FA?
Hi Stefaniu, and thanks for your reply.
I'll give it a try, it doesn't hurt.
It's a FOSS edition; there is no 2FA in these versions.
Regards.
JG