Account Lockout: How to find IP address of soap - AuthRequest

[spikehardin]

When I have an account that is being password hacked, it goes into lockout as expected and I can get the IP address of the hacker if it is a pop or imap request; however, if the hacker is using a soap request (web interface or zimbra web client or desktop), the IP address logged in audit.log and mailbox.log is the address of the zimbra server, not the user.

How do I get the source IP address so I can block it in my firewall?

Thanks,
Scott Hardin

=============================================

From audit.log:
2008-08-13 07:01:47,930 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=admin@domainname.com; protocol=soap; error=authentication failed for admin, account lockout;

From mailbox.log:
2008-08-13 07:01:47,825 INFO [btpool0-7] [ip=10.10.1.2;] soap - AuthRequest
2008-08-13 07:01:47,930 INFO [btpool0-7] [ip=10.10.1.2;] SoapEngine - handler exception: authentication failed for admin, account lockout

Version: Release 5.0.7_GA_2444.UBUNTU6 UBUNTU6 FOSS edition

[phoenix]

As far as I'm aware, that's the IP of the source of the login attempt. You can confirm that by logging in as the Admin from another LAN IP. Do you actually have port 7071 open to the outside world? Do you see any attempts from outside to login as the admin?

[spikehardin]

7071 is not open to the outside. The attempts are targeting an e-mail address that is not zimbra admin. I had several thousand attempts over 30 minutes, so this is an automated attack.

I have a stateful firewall in front of this box. The only ports I have open are:

* 25 and 587 for SMTP (587 is forwared to 25)
* 143 and 993 for IMAP
* 110 and 995 for POP
* 80 and 443 for HTTP

I tried using the web UI and Zimbra Desktop and they both provide the correct source IP and ua=zclient or ua=Yahoo! Zimbra Desktop. When I log in as a zimbra admin the ua=ZimbraWebClient. Evidently there is a scenario when the ip is recorded as the ip of the box and the ua does not get logged for soap requests.

Under what scenario is the IP address set as the local server address and the ua not recorded in the log for soap requests? Is the ua set by the client for a soap authentication request?

Thanks for your help.

==================================

Zimbra Mail Login: 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout;

Zimbra Admin Login: 2008-08-13 20:07:07,776 WARN [btpool0-9] [ip=65.12.278.236;ua=ZimbraWebClient - FF3.0 (Win);] security - cmd=Auth; account=abc@xxx.mydomain.com; protocol=soap; error=authentication failed for admin@xxx.mydomain.com, invalid password;

Zimbra Desktop Login: 2008-08-13 19:54:36,878 WARN [btpool0-9] [ip=65.12.278.236;ua=Yahoo! Zimbra Desktop/0.90_1251_Windows;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz@mydomain.com, account lockout;

Hack Request: 2008-08-13 06:57:57,655 INFO [btpool0-0] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; error=account lockout due to too many failed logins;
2008-08-13 06:58:03,725 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for admin, account lockout;

[spikehardin]

I looked at your SOAP docs here and it looks like the ua (userAgent) is set in the SOAP header so that explains a blank ua. Also, the" Proxy Mechanism" here looks like it could be abused for hacking. I hope this helps. Is there any way to tighten this up?

[spikehardin]

After further review, I noticed that the userAgent (ua) is set by the SOAP client which may explain the blank ua= field. How could the IP address be set to the servers IP address instead of the client's IP address. I am concerned the <targetServer> Proxy Mechanism for authentication requests is a potential vulnerability. Any ideas?

[Rich Graves]

You should be able to find the actual source IP in /opt/zimbra/jetty/logs/access_log.*

When you use the HTML client, the server talks to itself... though I'd expect the IP address to be 127.0.0.1, not the server's public IP. ZCS 5.0.5 or so fixed the logs to include the original rather than proxied IP, so if you're running a recent version, I don't know what the deal is.

You're sure you don't have some forgotten cron job on the local box?

[spikehardin]

I don't have any cron jobs running that generate autentication requests.

I've found when the Zimbra web client is authenticated, the IP of the browser is logged not the IP of the server (for example, 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout

Here's a small subsection of the /opt/zimbra/jetty/logs during the attack:
10.10.1.2 - - [13/Aug/2008:06:56:56 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:04 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:14 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:19 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:42 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:49 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:57 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:03 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:13 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:18 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"

[Lebha]

I can confirm that the behavior is still the same in 5.0.9NE: The actual source IP cannot be found either in audit.log or /opt/zimbra/jetty/logs. Is there any way to find out the attackers IP?

[fang0654]

I am running into the same thing, with someone trying to log in to my admin accounts. The only IP I can find in the audit.log and access.log is the Zimbra server's local ip.