Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#11 (Senior Member, 03-16-2010, 03:41 AM)

Quote: Originally Posted by samgreco
Has anyone figured this out yet? Seems someone is robotically attacking my server now. The audit log shows only local IP addresses. The zimbra.log file shows POP3/IMAP/SMTP attempts, but not SOAP.

At least once a day for the past few days, my admin account gets blocked and I can't seem to figure out where it is coming from.

Can anyone help with how to get the login IP?
#12 (New Member, 03-17-2010, 06:37 AM)

I had this problem too on my Zimbra. They successfully hacked one of my accounts and sent 250,000 spam emails in one day. It seems to be a zombie farm of computers that is attacking. I've got more than 1 million SOAP requests on my server from several hundred different IPs.

You can find some log info in my thread (which was ignored by everyone): Help... my Zimbra is sending SPAM to the world!!!

It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.
#13 (Moderator, 03-17-2010, 06:39 AM)

Quote: Originally Posted by dwidman
It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.

What, for poor passwords?
#14 (New Member, 03-17-2010, 07:11 AM)

Quote: Originally Posted by uxbod
What, for poor passwords?

No need to be ironic (especially if you are a moderator).

Can you confirm that the Zimbra system is 100% secure, without any security flaw that can be found?

In my case, the password was captured by a keylogger that was installed on a computer that one of our users accessed outside the company...

I'm trying to shed light on an attack pattern used by hackers and am looking for a countermeasure to prevent it before it happens.
#15 (Moderator, 03-17-2010, 07:35 AM)

Quote: Originally Posted by dwidman
No need to be ironic (especially if you are a moderator).

Sensible response IMHO, especially when you have stated it looks like a flaw in Zimbra. Though let's not digress from what is an important subject. You could install OSSEC and write a custom rule that looks for sustained SOAP logins within a particular time frame as a possibility. You could even get it to fire an auto-response that blocks the IP via iptables; or, perhaps less invasively, just lock that particular account. That way the user would need to contact you.

Last edited by uxbod; 03-17-2010 at 07:40 AM.
#16 (Moderator, 03-17-2010, 07:48 AM)

Have a look in /opt/zimbra/log/audit.log for one of the suspect IPs and see what the user agent for the SOAP request was. Look for ua=
#17 (Zimbra Employee, 03-17-2010, 08:57 PM)

We ship a script that may help you track down offending IPs as well as coordinated attacks against specific accounts. Details on how to turn it on are below:

Bug 32586 – script to watch for auth failures
#18 (Moderator, 03-18-2010, 02:09 AM)

That is great, Brian, but in this instance the spammer had obtained a user's password and therefore the SOAP calls would be valid. According to the RFE it only checks against authentication failures:
Code:
The script ships with 4 authentication failure checks.
- IP/Account hash check, which warns on 10 auth failures from an IP/account combo within a 60 second window.
- Account check, which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack-based attack on a single account.
- IP check, which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single-host-based attack across multiple accounts.
- Total auth failure check, which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value on this is guesstimated at 1% of active accounts for the MBS.
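The three suggestions in this thread, the "sustained SOAP logins in a time frame" rule from post #15, the ua= lookup in audit.log from post #16 and the four failure thresholds quoted from the RFE in post #18, can be tried against audit.log lines with the script below. It is an added example for this thread, not the script from bug 32586 and not an OSSEC rule. The audit.log line shape it parses (the bracketed ip=/oip=/ua= context, "cmd=Auth", "protocol=soap" and a trailing "error=" on failures) is an assumption modelled on ZCS 6 output, so check the regular expression against a real Auth line before trusting it; the sample lines are constructed; and the "hijack" check, which fires when one account logs in successfully from three different IPs inside the 60 second window, is my own addition, because, as uxbod points out, the RFE's checks only count failures and would not catch a stolen but valid password.

```python
"""Sliding-window detector for Zimbra audit.log Auth lines (added example, not
the bug 32586 script).  Failure checks and thresholds are those quoted from the
RFE; the successful-login "hijack" check is an addition.  Line format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60                    # per the RFE
FAIL_THRESHOLDS = {                    # per the RFE ("total" ~ 1% of active accounts)
    "ip_account": 10, "account": 15, "ip": 20, "total": 1000,
}
HIJACK_DISTINCT_IPS = 3                # assumption: valid logins from 3+ IPs in one window

# Assumed shape of a ZCS 6 audit.log Auth entry; verify against a real line first.
# Will not parse user agents that contain ']' or ';'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+\s+\[[^\]]*\] "
    r"\[(?P<ctx>[^\]]*)\] security - cmd=Auth; account=(?P<account>[^;]+); "
    r"protocol=(?P<proto>\w+);(?: error=(?P<error>.*))?$"
)
CTX_RE = re.compile(r"(\w+)=([^;]*);")


def parse_line(line):
    """Return a dict for an Auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(CTX_RE.findall(m.group("ctx")))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": ctx.get("oip") or ctx.get("ip") or "?",   # oip= is the client behind a proxy
        "ua": ctx.get("ua", ""),
        "account": m.group("account"),
        "proto": m.group("proto"),
        "ok": m.group("error") is None,
    }


class SlidingWindow:
    """Per-key (timestamp, payload) events, trimmed to the last `seconds`."""

    def __init__(self, seconds):
        self.span = timedelta(seconds=seconds)
        self.events = defaultdict(deque)

    def add(self, key, ts, payload=None):
        q = self.events[key]
        q.append((ts, payload))
        while q and ts - q[0][0] > self.span:
            q.popleft()
        return q


def analyze(log_text, window=WINDOW_SECONDS, thresholds=FAIL_THRESHOLDS,
            hijack_ips=HIJACK_DISTINCT_IPS):
    """Replay SOAP Auth lines in order; return (alerts, user agents seen per IP)."""
    fails = {name: SlidingWindow(window) for name in thresholds}
    successes = SlidingWindow(window)
    agents = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "soap":
            continue
        agents[ev["ip"]].add(ev["ua"])                 # the ua= lookup from post #16
        if not ev["ok"]:
            keys = {"ip_account": (ev["ip"], ev["account"]), "account": ev["account"],
                    "ip": ev["ip"], "total": "*"}
            for name, key in keys.items():
                n = len(fails[name].add(key, ev["ts"]))
                if n == thresholds[name]:              # fire once, when the bar is reached
                    alerts.append((name, key, n))
        else:
            q = successes.add(ev["account"], ev["ts"], ev["ip"])
            earlier = {ip for _, ip in list(q)[:-1]}
            if ev["ip"] not in earlier and len(earlier) + 1 == hijack_ips:
                alerts.append(("hijack", ev["account"], hijack_ips))
    return alerts, agents


def sample_log():
    """Constructed lines (not a real capture) in the assumed audit.log shape."""
    fmt = ("{ts},000 INFO  [btpool0-1://mail.example.com/service/soap/AuthRequest] "
           "[ip={ip};ua={ua};] security - cmd=Auth; account={acct}; protocol=soap;{err}")
    t0 = datetime(2010, 3, 17, 6, 30, 0)

    def line(sec, ip, ua, acct, ok):
        err = "" if ok else f" error=authentication failed for {acct}, invalid password;"
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%d %H:%M:%S")
        return fmt.format(ts=ts, ip=ip, ua=ua, acct=acct, err=err)

    lines = [line(0, "198.51.100.7", "zclient/6.0.5_GA_2213", "alice@example.com", True)]
    # one host hammering bob: 10 failures in 20 s -> ip_account fires
    lines += [line(1 + 2 * i, "203.0.113.10", "Python-urllib/2.6", "bob@example.com", False)
              for i in range(10)]
    # distributed guessing of carol: 5 hosts x 3 failures in 15 s -> account fires,
    # ip_account and ip never do (3 per combo, 3 per host)
    lines += [line(30 + i, f"203.0.113.{20 + i % 5}", "Jakarta Commons-HttpClient/3.1",
                   "carol@example.com", False) for i in range(15)]
    # dave's valid password used from 3 hosts within a minute -> hijack fires
    lines += [line(100 + 10 * i, f"192.0.2.{40 + i}", "zclient/6.0.5_GA_2213",
                   "dave@example.com", True) for i in range(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    found, ua_by_ip = analyze(sample_log())
    for check, key, n in found:
        print(f"{check:<10} {str(key):<50} count={n}")
    for ip, uas in sorted(ua_by_ip.items()):
        print(f"{ip:<15} ua={', '.join(sorted(uas))}")
```

Run stand-alone it prints the three alerts raised by the constructed lines and the user agent seen from each IP, which is the same triage uxbod suggests doing by hand with grep. On a real server feed it the contents of /opt/zimbra/log/audit.log; with a proxy in front of mailboxd the client address is in oip= rather than ip=, which is why the parser prefers that field. Each alert is the point at which an OSSEC active response or a per-account lock would be triggered; firing only when the count first reaches the threshold avoids one alert per further failure.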