authenticating against elected url / fail2ban / just DDOS / bruteforce / or some security breach?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
mcdaniels
Posts: 32
Joined: Thu Aug 03, 2023 4:42 pm


Post by mcdaniels »

Hi folks,
I read quite a lot (also the forum entries) about the "authenticating against elected url..." entry in /var/log/zimbra.log

I put this in here to give some info about using fail2ban on the issue (hoping and assuming this is no security problem in Zimbra itself). Perhaps someone can tell me if my assessments are right. :D

For me it is looking like:


Aug 18 10:18:14 mailer postfix/smtps/smtpd[4110403]: connect from unknown[122.187.230.130]
Aug 18 10:18:16 mailer postfix/smtps/smtpd[4110403]: Anonymous TLS connection established from unknown[122.187.230.130]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 18 10:18:19 mailer /postfix-script[4114576]: the Postfix mail system is running: PID: 4111
Aug 18 10:18:20 mailer saslauthd[4003]: zmauth: authenticating against elected url 'https://mailer.it-yourself.at:7073/service/admin/soap/' ...
Aug 18 10:18:20 mailer saslauthd[4003]: zmpost: url='https://mailer.it-yourself.at:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [hello@napleted.org]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp758013696-3604:1692346700888:7ff75c93427686ab</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Aug 18 10:18:20 mailer saslauthd[4003]: auth_zimbra: hello@napleted.org auth failed: authentication failed for [hello@napleted.org]
Aug 18 10:18:20 mailer saslauthd[4003]:                 : auth failure: [user=hello@napleted.org] [service=smtp] [realm=napleted.org] [mech=zimbra] [reason=Unknown]
Aug 18 10:18:20 mailer postfix/smtps/smtpd[4110403]: warning: unknown[122.187.230.130]: SASL LOGIN authentication failed: authentication failure
Aug 18 10:18:26 mailer postfix/smtps/smtpd[4114754]: connect from unknown[77.39.107.92]
Aug 18 10:18:27 mailer postfix/smtps/smtpd[4114754]: Anonymous TLS connection established from unknown[77.39.107.92]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 18 10:18:31 mailer saslauthd[4004]: zmauth: authenticating against elected url 'https://mailer.it-yourself.at:7073/service/admin/soap/' ...
Aug 18 10:18:31 mailer saslauthd[4004]: zmpost: url='https://mailer.it-yourself.at:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [hello]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp758013696-3605:1692346711226:7ff75c93427686ab</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Aug 18 10:18:31 mailer saslauthd[4004]: auth_zimbra: hello auth failed: authentication failed for [hello]
Aug 18 10:18:31 mailer saslauthd[4004]:                 : auth failure: [user=hello] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]

So if I get it right, someone is trying to use SMTPS to send emails via my server. This triggers the internal SASL auth on port 7073, but it is not successful, because the user authentication fails on the wrong password. This game goes on and on.

FAIL2BAN

Fail2ban, which I have in place, is doing its job, banning those IPs.

jail.local (relevant section)


[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 1
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 1
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 1
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]

[postfix-ddos]
enabled = true
filter = postfix[mode=ddos]
logpath = %(postfix_log)s
backend = %(postfix_backend)s
findtime = 1200
maxretry = 1
bantime = -1

The authentication actions above (in the log) trigger the postfix-ddos filter. I had to reduce maxretry to 1, because there are so many IPs coming in that do not repeat very often. Otherwise fail2ban just detects the failed attempt but does not block it.

Fail2ban is happily blocking now...


2023-08-18 10:09:30,052 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 210.66.77.5 - 2023-08-18 10:09:30
2023-08-18 10:09:30,273 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 210.66.77.5 - 2023-08-18 10:09:30
2023-08-18 10:09:30,275 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 210.66.77.5 - 2023-08-18 10:09:30
2023-08-18 10:09:30,314 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 210.66.77.5
2023-08-18 10:09:30,314 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 210.66.77.5
2023-08-18 10:09:30,320 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 210.66.77.5
2023-08-18 10:09:46,723 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 111.202.91.243 - 2023-08-18 10:09:46
2023-08-18 10:09:46,725 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 111.202.91.243 - 2023-08-18 10:09:46
2023-08-18 10:09:46,727 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 111.202.91.243 - 2023-08-18 10:09:46
2023-08-18 10:09:46,996 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 111.202.91.243
2023-08-18 10:09:47,001 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 111.202.91.243
2023-08-18 10:09:47,007 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 111.202.91.243
2023-08-18 10:12:50,220 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 95.165.142.8 - 2023-08-18 10:12:50
2023-08-18 10:12:50,221 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 95.165.142.8 - 2023-08-18 10:12:50
2023-08-18 10:12:50,226 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 95.165.142.8 - 2023-08-18 10:12:50
2023-08-18 10:12:50,463 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 95.165.142.8
2023-08-18 10:12:50,467 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 95.165.142.8
2023-08-18 10:12:50,468 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 95.165.142.8
2023-08-18 10:13:05,418 fail2ban.filter         [4101844]: INFO    [postfix-ddos] Found 221.151.110.86 - 2023-08-18 10:13:05
2023-08-18 10:13:05,422 fail2ban.actions        [4101844]: NOTICE  [postfix-ddos] Ban 221.151.110.86
2023-08-18 10:13:13,782 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 50.127.177.194 - 2023-08-18 10:13:13
2023-08-18 10:13:13,783 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 50.127.177.194 - 2023-08-18 10:13:13
2023-08-18 10:13:13,785 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 50.127.177.194 - 2023-08-18 10:13:13
2023-08-18 10:13:14,509 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 50.127.177.194
2023-08-18 10:13:14,520 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 50.127.177.194
2023-08-18 10:13:14,531 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 50.127.177.194
2023-08-18 10:13:14,578 fail2ban.filter         [4101844]: INFO    [postfix-ddos] Found 50.127.177.194 - 2023-08-18 10:13:14
2023-08-18 10:13:14,648 fail2ban.actions        [4101844]: NOTICE  [postfix-ddos] Ban 50.127.177.194
2023-08-18 10:18:20,891 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 122.187.230.130 - 2023-08-18 10:18:20
2023-08-18 10:18:20,891 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 122.187.230.130 - 2023-08-18 10:18:20
2023-08-18 10:18:20,894 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 122.187.230.130 - 2023-08-18 10:18:20
2023-08-18 10:18:20,921 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 122.187.230.130
2023-08-18 10:18:20,929 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 122.187.230.130
2023-08-18 10:18:20,930 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 122.187.230.130
2023-08-18 10:18:31,226 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 77.39.107.92 - 2023-08-18 10:18:31
2023-08-18 10:18:31,228 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 77.39.107.92 - 2023-08-18 10:18:31
2023-08-18 10:18:31,230 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 77.39.107.92 - 2023-08-18 10:18:31
2023-08-18 10:18:31,559 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 77.39.107.92
2023-08-18 10:18:31,564 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 77.39.107.92
2023-08-18 10:18:31,581 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 77.39.107.92
2023-08-18 10:26:45,845 fail2ban.filter         [4101844]: INFO    [postfix-ddos] Found 167.248.133.35 - 2023-08-18 10:26:45
2023-08-18 10:26:45,908 fail2ban.actions        [4101844]: NOTICE  [postfix-ddos] Ban 167.248.133.35
2023-08-18 10:30:06,609 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 121.202.205.41 - 2023-08-18 10:30:06
2023-08-18 10:30:06,610 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 121.202.205.41 - 2023-08-18 10:30:06
2023-08-18 10:30:06,637 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 121.202.205.41 - 2023-08-18 10:30:06
2023-08-18 10:30:06,676 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 121.202.205.41
2023-08-18 10:30:06,678 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 121.202.205.41
2023-08-18 10:30:06,736 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 121.202.205.41
2023-08-18 10:30:28,969 fail2ban.filter         [4101844]: INFO    [postfix-ddos] Found 61.178.231.102 - 2023-08-18 10:30:28
2023-08-18 10:30:29,419 fail2ban.actions        [4101844]: NOTICE  [postfix-ddos] Ban 61.178.231.102
2023-08-18 10:30:46,097 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 119.198.92.115 - 2023-08-18 10:30:45
2023-08-18 10:30:46,097 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 119.198.92.115 - 2023-08-18 10:30:45
2023-08-18 10:30:46,121 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 119.198.92.115 - 2023-08-18 10:30:45
2023-08-18 10:30:46,790 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 119.198.92.115
2023-08-18 10:30:46,797 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 119.198.92.115
2023-08-18 10:30:46,817 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 119.198.92.115
2023-08-18 10:30:46,827 fail2ban.filter         [4101844]: INFO    [postfix-ddos] Found 119.198.92.115 - 2023-08-18 10:30:46
2023-08-18 10:30:47,457 fail2ban.actions        [4101844]: NOTICE  [postfix-ddos] Ban 119.198.92.115
2023-08-18 10:33:36,609 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 200.85.234.156 - 2023-08-18 10:33:36
2023-08-18 10:33:36,885 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 200.85.234.156 - 2023-08-18 10:33:36
2023-08-18 10:33:36,886 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 200.85.234.156 - 2023-08-18 10:33:36
2023-08-18 10:33:37,031 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 200.85.234.156
2023-08-18 10:33:37,031 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 200.85.234.156
2023-08-18 10:33:37,045 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 200.85.234.156
2023-08-18 10:33:46,949 fail2ban.filter         [4101844]: INFO    [zimbra-admin] Found 94.41.0.165 - 2023-08-18 10:33:46
2023-08-18 10:33:46,950 fail2ban.filter         [4101844]: INFO    [zimbra-webmail] Found 94.41.0.165 - 2023-08-18 10:33:46
2023-08-18 10:33:46,953 fail2ban.filter         [4101844]: INFO    [zimbra-submission] Found 94.41.0.165 - 2023-08-18 10:33:46
2023-08-18 10:33:47,060 fail2ban.actions        [4101844]: NOTICE  [zimbra-submission] Ban 94.41.0.165
2023-08-18 10:33:47,079 fail2ban.actions        [4101844]: NOTICE  [zimbra-webmail] Ban 94.41.0.165
2023-08-18 10:33:47,084 fail2ban.actions        [4101844]: NOTICE  [zimbra-admin] Ban 94.41.0.165

As I have set the bantime for the postfix-ddos filter to -1, it is a permanent ban. I wonder whether this will kill iptables at some point?

ufw-firewall
For a complete overview for the readers here: I also have the ufw firewall active with these rules:


Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN   static.home.ip     
[ 2] 993                        ALLOW IN    Anywhere                  
[ 3] Anywhere                   ALLOW IN   static.work.ip  
[ 4] 25                         ALLOW IN    Anywhere                  
[ 5] 587                        ALLOW IN    Anywhere                  
[ 6] 465                        ALLOW IN    Anywhere                  
[ 7] 25 (v6)                    ALLOW IN    Anywhere (v6)             
[ 8] 993 (v6)                   ALLOW IN    Anywhere (v6)             
[ 9] 587 (v6)                   ALLOW IN    Anywhere (v6)             
[10] 465 (v6)                   ALLOW IN    Anywhere (v6)            
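The detection logic the post describes, as an added example that is not part of the original post: a small Python script that pulls the client IP out of the postfix smtpd "SASL LOGIN authentication failed" warnings (the saslauthd "authenticating against elected url" lines name the user but carry no IP, so a filter has to key on the postfix line) and then applies a simplified findtime/maxretry count, the way a fail2ban jail's settings work, to show why maxretry = 1 was needed when most IPs only show up once. The log sample is constructed from the excerpt in the post with one extra repeat line added; the year 2023 is assumed because syslog timestamps carry none; the ban simulation is my own re-implementation of the jail arithmetic, not fail2ban's code, and the user/IP pairing is a heuristic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the zimbra.log excerpt in the post.
# The final 10:40:02 line is an added repeat of the first IP so that the
# effect of findtime on a second failure can be shown.
SAMPLE_LOG = """\
Aug 18 10:18:14 mailer postfix/smtps/smtpd[4110403]: connect from unknown[122.187.230.130]
Aug 18 10:18:20 mailer saslauthd[4003]: zmauth: authenticating against elected url 'https://mailer.it-yourself.at:7073/service/admin/soap/' ...
Aug 18 10:18:20 mailer saslauthd[4003]: auth_zimbra: hello@napleted.org auth failed: authentication failed for [hello@napleted.org]
Aug 18 10:18:20 mailer postfix/smtps/smtpd[4110403]: warning: unknown[122.187.230.130]: SASL LOGIN authentication failed: authentication failure
Aug 18 10:18:26 mailer postfix/smtps/smtpd[4114754]: connect from unknown[77.39.107.92]
Aug 18 10:18:31 mailer saslauthd[4004]: zmauth: authenticating against elected url 'https://mailer.it-yourself.at:7073/service/admin/soap/' ...
Aug 18 10:18:31 mailer saslauthd[4004]: auth_zimbra: hello auth failed: authentication failed for [hello]
Aug 18 10:18:31 mailer postfix/smtps/smtpd[4114754]: warning: unknown[77.39.107.92]: SASL LOGIN authentication failed: authentication failure
Aug 18 10:40:02 mailer postfix/smtps/smtpd[4114900]: warning: unknown[122.187.230.130]: SASL LOGIN authentication failed: authentication failure
"""

YEAR = 2023  # assumed: syslog timestamps carry no year

# The postfix line is the only one that names the client IP.
SMTPD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
)
# The saslauthd line names the user that was tried, but no IP.
SASL_FAIL = re.compile(
    r"^\S+ +\d{1,2} \d\d:\d\d:\d\d \S+ saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth failed"
)


def _parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_failures(log_text):
    """Return one (timestamp, ip, user) tuple per failed SASL login.

    The user is taken from the last saslauthd failure seen before the postfix
    warning. That pairing is a heuristic: with several concurrent connections
    the two lines can interleave and the user may be attached to the wrong IP.
    """
    failures = []
    last_user = None
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            last_user = m.group("user")
            continue
        m = SMTPD_FAIL.match(line)
        if m:
            failures.append((_parse_ts(m.group("ts")), m.group("ip"), last_user))
            last_user = None
    return failures


def simulate_bans(failures, findtime, maxretry):
    """Simplified fail2ban jail arithmetic (my re-implementation, not fail2ban's code).

    An IP is banned at the moment it has at least `maxretry` failures inside a
    sliding window of `findtime` seconds. Returns {ip: datetime_of_ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(failures, key=lambda f: f[0]):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ts, ip, user in fails:
        print(f"{ts:%H:%M:%S}  {ip:<16} user={user}")
    for findtime, maxretry in ((1200, 1), (1200, 2), (3600, 2)):
        print(f"findtime={findtime} maxretry={maxretry}: banned",
              sorted(simulate_bans(fails, findtime, maxretry)))
```

With the jail values from the post (findtime = 1200, maxretry = 1) both IPs are banned on their first failure; with maxretry = 2 and the same findtime nothing is banned, because the repeat from 122.187.230.130 arrives more than 20 minutes after its first attempt and has already dropped out of the window. Only widening findtime to 3600 catches that repeat, which is the trade-off the post's maxretry = 1 setting resolves in favour of banning on the first hit.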