How to get IP of user trying to connect to web interface?

evsta
Posts: 19
Joined: Fri Sep 12, 2014 11:20 pm

How to get IP of user trying to connect to web interface?

Postby evsta » Tue May 17, 2016 7:22 am

Hi,

How to get IP of user trying to connect to (or using) web interface?

When looking at various logs (mailbox.log, auth.log) I see only my server IP...

Example:
2016-05-17 06:04:49,241 WARN [qtp509886383-3012:https://<server_local_ip>:7071/service/admin/soap/] [name=<username>@<domain>.eu;ip=<server_local_ip>;] account - ad auth for domain <domain>.eu failed, fall back to zimbra default auth mechanism com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [<username>@hutapokoj.eu]
2016-05-17 06:04:49,244 INFO [qtp509886383-3012:https://<server_local_ip>:7071/service/admin/soap/] [name=<username>@<domain>.eu;ip=<server_local_ip>;] SoapEngine - handler exception: authentication failed for [<username>@<domain>.eu], invalid password

My Zimbra version is 8.6, I have no proxy.


this
Posts: 7
Joined: Tue May 17, 2016 8:10 am

Re: How to get IP of user trying to connect to web interface?

Postby this » Tue May 17, 2016 8:43 am

I think the problem is not in the Zimbra config, but in how users connect to the Zimbra mail server (network topology).

Can you first describe your current network topology for your Zimbra mail server?
evsta
Posts: 19
Joined: Fri Sep 12, 2014 11:20 pm

Re: How to get IP of user trying to connect to web interface?

Postby evsta » Tue May 17, 2016 12:05 pm

Hmm, my users connect using the server web interface; there is no device other than a router between them and the server.
When they connect using IMAP, their IP is shown in mailbox.log.

I think it should not matter - from logs I should be able (?) to tell which device from my (or remote) network is connecting.
I am not saying that their IP should be visible in mailbox.log (which shows correctly my server as client), but I think somewhere it should :)
Maybe there are some web interface logs I do not know about?
Gren Elliot
Zimbra Employee
Posts: 183
Joined: Tue Jun 10, 2014 4:45 am

Re: How to get IP of user trying to connect to web interface?

Postby Gren Elliot » Tue May 17, 2016 1:02 pm

/opt/zimbra/log/access_log.2016-05-17 (or the equivalent for the day you care about) typically has the IP addresses in it.
evsta
Posts: 19
Joined: Fri Sep 12, 2014 11:20 pm

Re: How to get IP of user trying to connect to web interface?

Postby evsta » Tue May 17, 2016 1:28 pm

Yes, I have been there - unfortunately, I haven't found any information about the user.
I could use the timestamp, but on a reasonably busy site, I have a lot of sessions, and the time also seems a bit off from mailbox.log (there is no entry with the exact same time as in mailbox.log) :(

I have found something like that:
<propable_user_ip> - - [17/May/2016:06:04:32 +0000] "GET /service/home/~/?auth=co&loc=pl&id=<some_weird_id>&part=2 HTTP/1.1" 200 - "https://<my_server_address>.eu/zimbra/" "Mozilla/5.0 (Windows NT 5.1; rv:46.0) Gecko/20100101 Firefox/46.0" 14

Maybe this <some_weird_id> could be used to identify user? It does not look like a proper zimbra account ID...
I tried to grep for it in mailbox.log and zimbra.log, and nothing there.
And I do not see more than one try - the account has been put into lockout state, so there should be at least 3 tries (I have found only one like that).

I am trying to achieve two things:
1. check from which IP someone is trying to log into web interface (he is locking my accounts after 3 tries)
2. check from which IP someone is using web interface

access_log seems not to be enough :(
Maybe I can somehow change log level?
ccelis5215
Outstanding Member
Posts: 614
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: How to get IP of user trying to connect to web interface?

Postby ccelis5215 » Tue May 17, 2016 10:32 pm

Hi, did you check /opt/zimbra/log/audit.log?

At least in 8.0.9 it shows the IP trying to connect or connected via ZWC.

Code:

2016-05-17 18:33:26,403 INFO  [qtp185803001-9533:http://127.0.0.1:80/service/soap/AuthRequest] [name=user@domain.com;oip=externalip;ua=zclient/8.0.9_GA_6191;] security - cmd=Auth; account=user@domain.com; protocol=soap;


ccelis
this
Posts: 7
Joined: Tue May 17, 2016 8:10 am

Re: How to get IP of user trying to connect to web interface?

Postby this » Wed May 18, 2016 1:11 am

ccelis5215 wrote: Hi, did you check /opt/zimbra/log/audit.log?

At least in 8.0.9 it shows the IP trying to connect or connected via ZWC.

Code:

2016-05-17 18:33:26,403 INFO  [qtp185803001-9533:http://127.0.0.1:80/service/soap/AuthRequest] [name=user@domain.com;oip=externalip;ua=zclient/8.0.9_GA_6191;] security - cmd=Auth; account=user@domain.com; protocol=soap;


ccelis


Yeah, agreed with ccelis, it should show the external IP of the user; if not (showing local IP), you should check how the router is masquerading to your server.
evsta
Posts: 19
Joined: Fri Sep 12, 2014 11:20 pm

Re: How to get IP of user trying to connect to web interface?

Postby evsta » Wed May 18, 2016 6:44 am

My audit.log looks different - I have ip=<local_server_ip>, not as you have shown oip=. Do you have proxy enabled?

Code:

2016-05-18 06:11:06,756 WARN  [qtp509886383-3212:https://<local_server_ip>:7071/service/admin/soap/] [name=<username>@<domain>.eu;ip=<local_server_ip>;] security - cmd=Auth; account=<username>@<domain>.eu; protocol=soap; error=authentication failed for [<username>@<domain>.eu], invalid password;


There is no NAT between clients and server (this router isn't even capable of that...). Even if there were one, it would be destination NAT, where the server's IP would be changed, not the clients'.
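
As an added example (not part of any post in this thread): a small Python parser for the audit.log line layout quoted above. It counts failed Auth events per account and source address, and flags failures where the only address logged is the server's own, as in evsta's lines. The function names, sample lines and addresses are constructed for illustration; it assumes the ip= and oip= fields appear exactly as in the quoted lines.

```python
import re
from collections import Counter

# Layout as quoted in this thread: <ts> <LEVEL>  [thread:url] [k=v;k=v;] security - k=v; k=v;
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<msg>.*)$")

def kv(text):
    """Split 'k=v; k=v;' into a dict (values must not contain ';')."""
    pairs = (part.strip().partition("=") for part in text.split(";"))
    return {key: val for key, sep, val in pairs if sep}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx, msg = kv(m["ctx"]), kv(m["msg"])
    return {
        "ts": m["ts"], "cmd": msg.get("cmd"), "failed": "error" in msg,
        "account": msg.get("account") or ctx.get("name"),
        # Prefer oip when the line carries it, otherwise fall back to ip.
        "source": ctx.get("oip") or ctx.get("ip"), "has_oip": "oip" in ctx,
    }

def failed_auth_sources(lines, server_ips=()):
    """Count failed Auth per (account, source); list failures showing only the server's own IP."""
    counts, blind = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["cmd"] != "Auth" or not rec["failed"]:
            continue
        counts[(rec["account"], rec["source"])] += 1
        if not rec["has_oip"] and rec["source"] in server_ips:
            blind.append(rec["ts"])  # client address was not recorded here
    return counts, blind

# Constructed sample lines; addresses are from documentation ranges.
A, S = "https://192.0.2.10:7071/service/admin/soap/", "http://127.0.0.1:80/service/soap/AuthRequest"
def mk(ts, url, addr, acct, failed):
    err = f" error=authentication failed for [{acct}], invalid password;" if failed else ""
    return (f"{ts} {'WARN' if failed else 'INFO'}  [qtp1-1:{url}] [name={acct};{addr};] "
            f"security - cmd=Auth; account={acct}; protocol=soap;{err}")

SAMPLE = [
    mk("2016-05-18 06:11:06,756", A, "ip=192.0.2.10", "alice@example.com", True),
    mk("2016-05-18 06:11:09,120", A, "ip=192.0.2.10", "alice@example.com", True),
    mk("2016-05-18 06:12:30,004", S, "oip=198.51.100.23", "bob@example.com", True),
    mk("2016-05-18 06:13:01,877", S, "oip=203.0.113.7", "bob@example.com", False)]

if __name__ == "__main__":
    print(failed_auth_sources(SAMPLE, server_ips={"192.0.2.10"}))
```

Timestamps returned in the second list are the ones to correlate against access_log, since audit.log alone cannot attribute those failures to a client.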
this
Posts: 7
Joined: Tue May 17, 2016 8:10 am

Re: How to get IP of user trying to connect to web interface?

Postby this » Wed May 18, 2016 8:09 am

evsta wrote: My audit.log looks different - I have ip=<local_server_ip>, not as you have shown oip=. Do you have proxy enabled?

Code:

2016-05-18 06:11:06,756 WARN  [qtp509886383-3212:https://<local_server_ip>:7071/service/admin/soap/] [name=<username>@<domain>.eu;ip=<local_server_ip>;] security - cmd=Auth; account=<username>@<domain>.eu; protocol=soap; error=authentication failed for [<username>@<domain>.eu], invalid password;


There is no NAT between clients and server (this router isn't even capable of that...). Even if there were one, it would be destination NAT, where the server's IP would be changed, not the clients'.


Did you mean that your audit.log didn't show the originating IP (oip)? If yes, I think that's the problem. audit.log should show oip.
skn
Posts: 1
Joined: Sat Jan 21, 2017 7:47 am

Re: How to get IP of user trying to connect to web interface?

Postby skn » Sat Jan 21, 2017 8:06 am

Hi

Any luck with the error? We are getting similar errors as well...

Thank you
SKN
