
Thread: Account Lockout: How to find IP address of soap - AuthRequest

  1. #21 n4bbq (Senior Member)

    fail2ban is very handy in these circumstances...

    Successful hacking attempts on Zimbra mailboxes (webmail)

  2. #22 hfield (Member)

    Quote Originally Posted by n4bbq:
    fail2ban is very handy in these circumstances...

    Successful hacking attempts on Zimbra mailboxes (webmail)

    I am using fail2ban, but that isn't blocking login attempts from the address of the server itself (SOAP protocol). It only blocks attempts to access the server from other addresses, which is working very well. I am beginning to believe that I have malware somewhere inside my network that is attempting to log in to the mail server using addresses from a local address book on the machine which is infected.

  3. #23 hfield (Member)

    Ok.... I have discovered that the system (Ubuntu 12.04) /var/log/mail.log file has the necessary entries to identify the offending IP that is attempting to authenticate to my mail server to send mail.


    Aug 13 09:27:53 zimbramail postfix/smtpd[3656]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed: authentication failure
    Aug 13 09:27:54 zimbramail postfix/smtpd[3656]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed: authentication failure

    Now I just have to figure out how to get fail2ban configured to monitor that log file and ban those IP addresses.

  4. #24 hfield (Member)

    So, I had to configure a new jail rule for fail2ban... added smtp-auth.conf to the filter.d folder and put:

    failregex = postfix/smtpd.*\n?.*unknown\[<HOST>\].*authentication failed

    in it as the regular expression definition.
    Added:

    [smtp-auth]
    # the jail option is spelled "enabled"; "enable" is silently ignored and the jail never starts
    enabled = true
    filter = smtp-auth
    action = iptables[name=SMTP, port=smtp, protocol=tcp]
    logpath = /var/log/mail.log
    # -1 = permanent ban
    bantime = -1
    maxretry = 5

    to the jail.conf to have fail2ban add iptables entries to block smtp authentication failures.
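The filter above can be checked offline before it goes into /etc/fail2ban. The following is an added example, not code from the thread or from fail2ban itself: it substitutes `<HOST>` the way fail2ban does, runs the thread's failregex over a constructed sample of mail.log, and applies a maxretry/findtime window per client IP. It also includes a tighter regex (my own variant, an assumption rather than something the poster used) that does not anchor on the literal `unknown`, because Postfix logs the client's reverse-DNS name in that position when it has one, so brute-force sources with a PTR record would never be counted by the original filter. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban replaces the <HOST> tag with a pattern equivalent to this one
# (IPv4, IPv6 with an optional ::ffff: prefix, or a hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex posted in the thread, verbatim.
THREAD_FAILREGEX = r"postfix/smtpd.*\n?.*unknown\[<HOST>\].*authentication failed"

# Tighter variant (my assumption, not from the thread): accepts any client
# name before the bracketed address, not only "unknown", and pins the match
# to the SASL PLAIN/LOGIN failure message so other "authentication failed"
# warnings are not counted by accident.
STRICT_FAILREGEX = (
    r"postfix/smtpd\[\d+\]: warning: [\w\-.]+\[<HOST>\]: "
    r"SASL (?:PLAIN|LOGIN) authentication failed"
)

# Constructed sample of /var/log/mail.log (not real traffic):
#  - 203.0.113.10  : five failures in four seconds, client name "unknown"
#  - 198.51.100.7  : five failures, but Postfix resolved a PTR name for it
#  - 192.0.2.5     : one failure plus connect/disconnect noise
#  - 192.0.2.77    : five failures spread five minutes apart (outside findtime)
SAMPLE_LOG = "\n".join([
    "Aug 13 09:27:53 zimbramail postfix/smtpd[3656]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure",
    "Aug 13 09:27:54 zimbramail postfix/smtpd[3656]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:27:55 zimbramail postfix/smtpd[3656]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:27:56 zimbramail postfix/smtpd[3656]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:27:57 zimbramail postfix/smtpd[3656]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:28:01 zimbramail postfix/smtpd[3702]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:28:02 zimbramail postfix/smtpd[3702]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:28:03 zimbramail postfix/smtpd[3702]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:28:04 zimbramail postfix/smtpd[3702]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 09:28:05 zimbramail postfix/smtpd[3702]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Aug 13 09:30:00 zimbramail postfix/smtpd[3710]: connect from unknown[192.0.2.5]",
    "Aug 13 09:30:02 zimbramail postfix/smtpd[3710]: warning: unknown[192.0.2.5]: SASL PLAIN authentication failed: authentication failure",
    "Aug 13 09:30:05 zimbramail postfix/smtpd[3710]: disconnect from unknown[192.0.2.5]",
    "Aug 13 10:00:00 zimbramail postfix/smtpd[3801]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 10:05:00 zimbramail postfix/smtpd[3805]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 10:10:00 zimbramail postfix/smtpd[3809]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 10:15:00 zimbramail postfix/smtpd[3812]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure",
    "Aug 13 10:20:00 zimbramail postfix/smtpd[3816]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure",
])


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, as fail2ban does for a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_syslog_ts(line):
    """Syslog timestamps carry no year; 1900 is fine for differences inside a window."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def failures_by_host(log_text, failregex):
    """Total matches per client address, ignoring time (what fail2ban-regex reports)."""
    rx = compile_failregex(failregex)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(log_text, failregex, maxretry=5, findtime=600):
    """Addresses that reach maxretry failures within any findtime-second window."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    banned = set()
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_syslog_ts(line)
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    for name, rx in (("thread", THREAD_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(name, failures_by_host(SAMPLE_LOG, rx), "-> ban", hosts_to_ban(SAMPLE_LOG, rx))
```

With the thread's regex only 203.0.113.10 is banned: 198.51.100.7 is never matched because the client name is `mail.example.net`, not `unknown`, and 192.0.2.77 reaches five failures in total but never five inside the 600-second findtime (the posted jail sets no findtime, so fail2ban's default applies). The strict variant bans both fast sources. The same sample file can be fed to the real tool with `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/smtp-auth.conf` to confirm the match count before enabling the jail.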
