Page 2 of 3 (results 11 to 20 of 21)

Thread: Account Lockout: How to find IP address of soap - AuthRequest

  1. #11 wooby (Loyal Member)

    Quote Originally Posted by samgreco:
    Has anyone figured this out yet? Seems someone is robotically attacking my server now. The audit log shows only local IP addresses. The Zimbra.Log file shows Pop3/IMAP/SMTP attempts, but not SOAP.

    At least once a day for the past few days, my admin account gets blocked and I can't seem to figure out where it is coming from.
    Can anyone help on how to get the login IP.

  2. #12 dwidman (New Member)

    I had this problem too on my Zimbra. They successfully hacked one of my accounts and sent 250,000 spam emails in 1 day. It seems to be a zombie farm of computers that is attacking. I've got more than 1 million SOAP requests on my server from more than a few hundred different IPs.

    You can find some log info in my thread (that was ignored by everyone): "Help... my Zimbra is sending SPAM to the world!!!"

    It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.

  3. #13 uxbod (Moderator)

    Quote Originally Posted by dwidman:
    It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.
    What, for poor passwords?

  4. #14 dwidman (New Member)

    Quote Originally Posted by uxbod:
    What, for poor passwords?
    No need to be ironic (especially if you are a moderator).

    Can you confirm that the Zimbra system is 100% secure, without any security flaw that can be found?

    In my case, the password was hacked by a keylogger that was installed on a computer that one of our users accessed outside the company...

    I'm trying to shed light on an attack pattern used by hackers and looking for a counter-measure to avoid it before it happens.

  5. #15 uxbod (Moderator)

    Quote Originally Posted by dwidman:
    No need to be ironic (especially if you are a moderator).
    Sensible response IMHO, especially when you have stated it looks like a flaw in Zimbra. Though let's not digress from what is an important subject. You could install OSSEC and write a custom rule that looks for sustained SOAP logins within a particular time frame as a possibility. You could even get it to fire an auto-response, a block via iptables; or, perhaps less invasive, just lock that particular account. That way the user would need to contact you.
    Last edited by uxbod; 03-17-2010 at 07:40 AM.

  6. #16 uxbod (Moderator)

    Have a look in /opt/zimbra/log/audit.log for one of the suspect IPs and see what the user agent for the SOAP request was. Look for ua=.

  7. #17 brian (Project Contributor)

    We ship a script that may help you track down offending IPs as well as coordinated attacks against specific accounts. Details on how to turn it on are below:

    Bug 32586 – script to watch for auth failures
    Bugzilla - Wiki - Downloads - Before posting... Search!

  8. #18 uxbod (Moderator)

    That is great, Brian, but in this instance the spammer had obtained a user's password and therefore the SOAP calls would be valid. According to the RFE it only checks against authentication failures:
    Code:
    The script ships with 4 authentication failure checks.
    - IP/Account hash check which warns on 10 auth failures from an ip/account
      combo within a 60 second window.
    - Account check which warns on 15 auth failures from any ip within a 60 second
      window.  Attempts to detect a distributed hijack based attack on a single
      account.
    - IP check which warns on 20 auth failures to any account within a 60 second
      window.  Attempts to detect a single host based attack across multiple
      accounts.
    - Total auth failure check which warns on 1000 auth failures from any ip to any
      account within 60 seconds.  The recommended value on this is guesstimated at 1%
      of active accounts for the MBS.
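Added example, not Zimbra's own script from Bug 32586 and not code posted by anyone in this thread: a small Python watcher that parses audit.log lines of the shape quoted later in this thread (post #19), pulls out the ip= and ua= fields uxbod points at in post #16, and implements the four sliding-window thresholds listed in the RFE text above (10 per IP/account pair, 15 per account, 20 per IP, 1000 overall, each inside 60 seconds). It assumes that a failed attempt carries an error= field in the body while a successful one does not, that a ua= field may be present in the bracketed context, and that an oip= (original client IP) field may appear when the request arrived through a proxy; none of those three field conventions is confirmed by the thread. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Window and thresholds as described for the auth-failure script in post #18.
WINDOW = timedelta(seconds=60)
THRESHOLDS = {"ip_account": 10, "account": 15, "ip": 20, "total": 1000}

# Shape of the audit.log line quoted in post #19:
# "<date> <time>,<ms> INFO [<thread>] [name=..;ip=..;] security - cmd=Auth; account=..; protocol=soap;"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} +"
    r"(?P<level>\w+) +\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] "
    r"security - (?P<body>.*)$"
)


def _kv(fragment):
    # Both the bracketed context and the body are "k=v; k=v;" lists.
    out = {}
    for part in fragment.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def parse_audit_line(line):
    """Return a record for one security line of audit.log, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx, body = _kv(m.group("ctx")), _kv(m.group("body"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "cmd": body.get("cmd", ""),
        "protocol": body.get("protocol", ""),
        "account": body.get("account") or ctx.get("name", ""),
        # Assumption: an oip= field holds the real client address behind a proxy;
        # prefer it, because ip= can be the server's own address (post #19).
        "ip": ctx.get("oip") or ctx.get("ip", ""),
        "ua": ctx.get("ua", ""),           # user agent, as suggested in post #16
        "failed": "error" in body,         # assumption: failures carry error=
    }


class AuthFailureWatcher:
    """Sliding-window failure counters per ip+account, per account, per ip and overall."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW):
        self.thresholds, self.window = thresholds, window
        self.events = defaultdict(deque)   # key -> timestamps of failures still in window

    def _count(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:     # evict entries older than the window
            q.popleft()
        return len(q)

    def feed(self, rec):
        """Feed one parsed record; return the alerts whose counter just reached its threshold."""
        alerts = []
        if rec["cmd"] != "Auth" or not rec["failed"]:
            return alerts
        subjects = {"ip_account": (rec["ip"], rec["account"]), "account": (rec["account"],),
                    "ip": (rec["ip"],), "total": ()}
        for check, subject in subjects.items():
            n = self._count((check,) + subject, rec["ts"])
            if n == self.thresholds[check]:  # fire once per crossing, not on every later failure
                alerts.append({"check": check, "subject": subject, "count": n,
                               "ua": rec["ua"], "at": rec["ts"]})
        return alerts


def scan(lines, watcher=None):
    """Run audit.log lines through a watcher and collect every alert raised."""
    watcher = watcher or AuthFailureWatcher()
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None:
            alerts.extend(watcher.feed(rec))
    return alerts


# The successful admin-SOAP line quoted in post #19, kept here to show the parser handles it.
PAGE_LINE = ("2014-05-01 07:00:18,645 INFO [qtp34688703-864475:https://10.2.2.2:7071/service/admin/soap/] "
             "[name=pooruser@gettinglockedout.co.nz;ip=10.2.2.2;] security - cmd=Auth; "
             "account=pooruser@gettinglockedout.co.nz; protocol=soap;")


def _sample_line(ts, account, ip, failed, ua="zclient/8.0.0"):
    # Constructed sample in the same shape; the ua= field and the error= suffix are assumptions.
    err = f" error=authentication failed for [{account}];" if failed else ""
    return (f"{ts},000 INFO [qtp1-1:https://10.2.2.2:7071/service/soap/] "
            f"[name={account};ip={ip};ua={ua};] security - cmd=Auth; "
            f"account={account}; protocol=soap;{err}")


_BASE = datetime(2014, 5, 1, 7, 0, 0)
# Constructed: 12 failures for one account from one address within 60 s, then an unrelated success.
SAMPLE_LINES = [
    _sample_line((_BASE + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S"),
                 "pooruser@example.test", "203.0.113.7", failed=True)
    for i in range(12)
] + [_sample_line("2014-05-01 07:05:00", "other@example.test", "198.51.100.9", failed=False)]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"{a['at']} {a['check']} {a['subject']}: {a['count']} failures, ua={a['ua']!r}")
```

Feed it real lines with `scan(open("/opt/zimbra/log/audit.log"))`. Note that when every SOAP failure is logged with the server's own address, as in post #19, the per-IP and per-IP/account checks never separate attackers from legitimate users, but the per-account check still fires, which is the one that matters for a single account being locked out; the ua= value carried in the alert is then the next thing to look at.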

  9. #19 chimaster (Loyal Member)

    Old thread, sorry for bringing it back to life. Same issue: an account for one domain is getting locked out constantly, and the source is displayed as the server IP address as it's a SOAP call rather than a client. Nothing in access.log corresponds with the account name or time when compared to audit.log, as there is no successful access.

    We're getting this once or twice every day for the same domain and they're getting pissed. As I can't find a source IP, we're limited in what we can do to mitigate. Since this thread is 4 years old, I hope this is resolved in v8, but I'm not seeing anything indicating it is.

    What's new?

    2014-05-01 07:00:18,645 INFO [qtp34688703-864475:https://10.2.2.2:7071/service/admin/soap/] [name=pooruser@gettinglockedout.co.nz;ip=10.2.2.2;] security - cmd=Auth; account=pooruser@gettinglockedout.co.nz; protocol=soap;
    Chimaster
    Geekly goodness in Queenstown, New Zealand
    HeadQuarters N.D.C. www.queenstownhq.co.nz
    Queenstown.com www.queenstown.com
    LiveTouch www.livetouch.co.nz

  10. #20 hfield (Junior Member)

    Did you find an answer to this? I have not, but I came up with a workaround... I changed the username (gave the user a new name) on the offended account and then created a new account for the previously used email address. Set that new account (with the old username) to be locked, forward email to the new user account, and not retain any email. So now, the original email address (which was not an administrator) can still receive email, forward it to another email address and not retain it. No one can log in to that account since it is locked, so I am at least not worried that someone will eventually guess the password. Fear resolved. However, I would still like to know where the attack is coming from and how to block it... in case they start on another account. Zimbra administration is not open to the outside world. I am behind a firewall and everything has to get through that to reach the server anyway. Only have ports 25, 110, and 149 open (smtp, pop3, imap).
