Hacking attempts lock out user

[rusty]

I have had both my personal email account and the server admin account stop accepting my passwords for a period of time (at the same time). I tried one other user account and that one was not affected. Because it starts working again and seems to be limited to my accounts, I've assumed that it was someone putting the wrong password in more than the permitted number of times. As soon as I realized this, I reduced the number of times one is allowed to attempt to login with incorrect credentials and made my passwords longer and more complex.

This has happened enough times now (that I know of) that I am becoming concerned. Does anyone have any advice for me? Is there any log of these type of events?

Thanks, Eric

[bdial]

/opt/zimbra/log/audit.log

[raj]

put greylisting server which will reduce this activity by a magnitude..
POLICYD or SQLGREY are few options

Raj

[rusty]

/opt/zimbra/log/audit.log

Perfect thank you. That got me the IP of the jerk in China.

Blocked the whole Class A he's from using iptables. There's howtos on how to block entire countries (which is what I want), but I don't want to slow my server down.

Any other advice would still be appreciated. I hope I'm protecting my server well.

put greylisting server which will reduce this activity by a magnitude..
POLICYD or SQLGREY are few options

Raj

Thanks but greylisting is for email. besides, after 5 minutes they'd be whitelisted.

[uxbod]

Welcome to the Home of OSSEC and set it up to check /opt/zimbra/log/audit.log for rogue access attempts. You would then write a rule to action a Active Response and automatically add a entry to IPTables

[jimbo]

Maybe a good fail2ban rule for /opt/zimbra/log/audit.log would be of benefit. Anybody have one to share?

[rusty]

Thanks uxbod. Nice.

I've setup ossec on a server and the agent on the zimbra box. It is working with out of the box settings. Getting it to monitor audit.log and add an entry to IPTables is something I will work on in the coming days.

[rusty]

Their baaaaack.

I have ossec monitoring /var/zimbra/log/audit.log and I received an alert that my server was getting hammered again. Again from China, new IP this time. Immediately blocked them via iptables.

Glad to know ossec is working. Thank you ossec and thank you uxbod! I've got to get the firewall part automated.

To get ossec to monitor /var/zimbra/log/audit.log just add the following to the /var/ossec/etc/ossec.conf

<localfile>
<log_format>syslog</log_format>
<location>/opt/zimbra/log/audit.log</location>
</localfile>

then restart ossec.

[LaFong]

Maybe a good fail2ban rule for /opt/zimbra/log/audit.log would be of benefit. Anybody have one to share?

I have fail2ban rules set up for pop3/imap, web, web admin, and postfix. They seem to work, though I haven't tested extensively.

/etc/fail2ban/jail.conf

Code:

[zimbra-account]

enabled  = true
filter   = zimbra
action   = iptables-multiport[name=Zimbra-account, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail[name=Zimbra-account, dest=it@here.com]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = 600
ignoreip = 127.0.0.1
maxretry = 5

[zimbra-audit]

enabled  = true
filter   = zimbra
action   = iptables-multiport[name=Zimbra-audit, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail[name=Zimbra-audit, dest=it@here.com]
logpath  = /opt/zimbra/log/audit.log
bantime  = 600
ignoreip = 127.0.0.1
maxretry = 5

[postfix]

enabled  = true
filter   = postfix
action   = iptables[name=Postfix, port=smtp, protocol=tcp]
           sendmail[name=Postfix, dest=it@here.com]
logpath  = /var/log/maillog
bantime  = 600
ignoreip = 127.0.0.1
maxretry = 5

I copied cyrus-imap.conf to zimbra.conf, then edited.
/etc/fail2ban/filter.d/zimbra.conf, in the [Definition] section:

Code:

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

At first, I used audit.log, but it doesn't log invalid accounts. So, I made two jail rules. Most of the probes I get are to determine valid usernames, with failures being logged to mailbox.log. Only after that do they try passwords with those users. This filter will parse both POP3 and IMAP. The last 2 regex deal with the web and web admin logins. I adapted them from someone else's post, for v6.x. The regex will likely be different for 5.x.

Obviously, you may want to change the rule names, bantime, maxretry. I have not permanently settled on those myself. The maxretry should be less than the "consecutive failed logins allowed" in the COS, if the "failed login lockout" is enabled. The multiport Zimbra action will ban all ports to the offending IP. I put in several protocols, though plain pop3 is of most interest. You also may not want the sendmail option, to get ban emails. There is also a iptables-multiport-log action, if you want logs.

[rusty]

I'm not an expert with ossec, but this is what I've done with OSSEC thus far:

Added to ossec.conf on the Zimbra server:

<localfile>
<log_format>syslog</log_format>
<location>/opt/zimbra/log/audit.log</location>
</localfile>

On the OSSEC server I added to the decoder.xml:

<decoder name="zimbra">
<prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d WARN </prematch>
</decoder>

<decoder name="zimbra-audit">
<parent>zimbra</parent>
<regex offset="after_parent">ip=(\d+.\d+.\d+.\d+);</regex>
<order>srcip</order>
</decoder>

<decoder name="zimbra-audit2">
<parent>zimbra</parent>
<regex offset="after_parent">oip=(\d+.\d+.\d+.\d+);</regex>
<order>srcip</order>
</decoder>

Of course, restart ossec on both machines.