
Thread: Hacking attempts lock out user

  1. #1 rusty, Loyal Member (joined Nov 2007, 92 posts)

    Hacking attempts lock out user

    I have had both my personal email account and the server admin account stop accepting my passwords for a period of time (at the same time). I tried one other user account and that one was not affected. Because it starts working again and seems to be limited to my accounts, I've assumed that it was someone putting the wrong password in more than the permitted number of times. As soon as I realized this, I reduced the number of times one is allowed to attempt to login with incorrect credentials and made my passwords longer and more complex.

    This has happened enough times now (that I know of) that I am becoming concerned. Does anyone have any advice for me? Is there any log of these type of events?

    Thanks, Eric

  2. #2 bdial, Moderator (joined Jul 2007, Baltimore, 1,649 posts)

    /opt/zimbra/log/audit.log

  3. #3 raj, Moderator (joined Oct 2005, USA, Canada and India, 777 posts)

    Put in a greylisting server, which will reduce this activity by a magnitude.
    POLICYD or SQLGREY are a few options.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  4. #4 rusty, Loyal Member (joined Nov 2007, 92 posts)

    Quote Originally Posted by bdial:
        /opt/zimbra/log/audit.log
    Perfect, thank you. That got me the IP of the jerk in China.

    Blocked the whole Class A he's from using iptables. There are howtos on how to block entire countries (which is what I want), but I don't want to slow my server down.

    Any other advice would still be appreciated. I hope I'm protecting my server well.

    Quote Originally Posted by raj:
        Put in a greylisting server, which will reduce this activity by a magnitude.
        POLICYD or SQLGREY are a few options.

        Raj
    Thanks, but greylisting is for email. Besides, after 5 minutes they'd be whitelisted.

  5. #5 uxbod, Moderator (joined Nov 2006, UK, 8,017 posts)

    Welcome to the Home of OSSEC and set it up to check /opt/zimbra/log/audit.log for rogue access attempts. You would then write a rule to action an Active Response and automatically add an entry to IPTables.

  6. #6 jimbo, Special Member (joined Nov 2005, 108 posts)

    Maybe a good fail2ban rule for /opt/zimbra/log/audit.log would be of benefit. Anybody have one to share?

  7. #7 rusty, Loyal Member (joined Nov 2007, 92 posts)

    Thanks uxbod. Nice.

    I've set up ossec on a server and the agent on the zimbra box. It is working with out-of-the-box settings. Getting it to monitor audit.log and add an entry to IPTables is something I will work on in the coming days.

  8. #8 rusty, Loyal Member (joined Nov 2007, 92 posts)

    They're baaaaack.

    I have ossec monitoring /var/zimbra/log/audit.log and I received an alert that my server was getting hammered again. Again from China, new IP this time. Immediately blocked them via iptables.

    Glad to know ossec is working. Thank you ossec and thank you uxbod! I've got to get the firewall part automated.

    To get ossec to monitor /var/zimbra/log/audit.log, just add the following to /var/ossec/etc/ossec.conf:

    <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/audit.log</location>
    </localfile>

    Then restart ossec.

  9. #9 LaFong, Advanced Member (joined Nov 2008, Denver, CO, 221 posts)

    Quote Originally Posted by jimbo:
        Maybe a good fail2ban rule for /opt/zimbra/log/audit.log would be of benefit. Anybody have one to share?
    I have fail2ban rules set up for pop3/imap, web, web admin, and postfix. They seem to work, though I haven't tested extensively.

    /etc/fail2ban/jail.conf
    Code:
    [zimbra-account]
    
    enabled  = true
    filter   = zimbra
    action   = iptables-multiport[name=Zimbra-account, port="pop3,pop3s,imap,imaps", protocol=tcp]
               sendmail[name=Zimbra-account, dest=it@here.com]
    logpath  = /opt/zimbra/log/mailbox.log
    bantime  = 600
    ignoreip = 127.0.0.1
    maxretry = 5
    
    [zimbra-audit]
    
    enabled  = true
    filter   = zimbra
    action   = iptables-multiport[name=Zimbra-audit, port="pop3,pop3s,imap,imaps", protocol=tcp]
               sendmail[name=Zimbra-audit, dest=it@here.com]
    logpath  = /opt/zimbra/log/audit.log
    bantime  = 600
    ignoreip = 127.0.0.1
    maxretry = 5
    
    [postfix]
    
    enabled  = true
    filter   = postfix
    action   = iptables[name=Postfix, port=smtp, protocol=tcp]
               sendmail[name=Postfix, dest=it@here.com]
    logpath  = /var/log/maillog
    bantime  = 600
    ignoreip = 127.0.0.1
    maxretry = 5
    I copied cyrus-imap.conf to zimbra.conf, then edited.
    /etc/fail2ban/filter.d/zimbra.conf, in the [Definition] section:
    Code:
    failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
    At first, I used audit.log, but it doesn't log invalid accounts. So, I made two jail rules. Most of the probes I get are to determine valid usernames, with failures being logged to mailbox.log. Only after that do they try passwords with those users. This filter will parse both POP3 and IMAP. The last 2 regexes deal with the web and web admin logins. I adapted them from someone else's post, for v6.x. The regex will likely be different for 5.x.

    Obviously, you may want to change the rule names, bantime, and maxretry. I have not permanently settled on those myself. The maxretry should be less than the "consecutive failed logins allowed" in the COS, if the "failed login lockout" is enabled. The multiport Zimbra action will ban all ports to the offending IP. I put in several protocols, though plain pop3 is of most interest. You also may not want the sendmail option, to get ban emails. There is also an iptables-multiport-log action, if you want logs.
    Last edited by LaFong; 05-03-2010 at 08:29 PM.

  10. #10 rusty, Loyal Member (joined Nov 2007, 92 posts)

    I'm not an expert with ossec, but this is what I've done with OSSEC thus far:

    Added to ossec.conf on the Zimbra server:

    <localfile>
    <log_format>syslog</log_format>
    <location>/opt/zimbra/log/audit.log</location>
    </localfile>

    On the OSSEC server I added to the decoder.xml:

    <decoder name="zimbra">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d WARN </prematch>
    </decoder>

    <decoder name="zimbra-audit">
    <parent>zimbra</parent>
    <regex offset="after_parent">ip=(\d+.\d+.\d+.\d+);</regex>
    <order>srcip</order>
    </decoder>

    <decoder name="zimbra-audit2">
    <parent>zimbra</parent>
    <regex offset="after_parent">oip=(\d+.\d+.\d+.\d+);</regex>
    <order>srcip</order>
    </decoder>

    Of course, restart ossec on both machines.
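As an added example (not code from this thread, fail2ban or OSSEC), the following Python emulates what LaFong's fail2ban jail in #9 and the ip=/oip= decoders in #10 do with these log lines: it runs the four failregex lines over constructed Zimbra 6.x-style mailbox.log/audit.log entries, extracts the source IP, and applies fail2ban's maxretry-within-findtime rule. The <HOST> expansion is simplified to IPv4 only, and every sample line is constructed, not taken from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# LaFong's four failregex lines, with fail2ban's <HOST> token replaced by a named IPv4 group
# (assumption: IPv4 only; real fail2ban also accepts hostnames and IPv6 there).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
)]
TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} ")  # Zimbra log4j prefix

def failed_logins(lines):
    """Yield (time, source_ip) for every line matching one of the failregexes."""
    for line in lines:
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
                break

def ips_to_ban(lines, maxretry=5, findtime=600):
    """IPs with at least maxretry failures inside a findtime-second window (fail2ban's rule)."""
    recent, banned = defaultdict(list), set()
    for when, ip in failed_logins(lines):
        recent[ip] = [t for t in recent[ip] if when - t <= timedelta(seconds=findtime)] + [when]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
# Constructed sample lines (not from the thread) in the mailbox.log / audit.log shapes the
# filter targets: one noisy probe, one user who mistyped twice, and one slow scanner.
SAMPLE_LINES = [
    "2010-05-03 20:10:01,123 INFO  [ImapServer-3] [ip=203.0.113.7;] account - authentication failed for bob (no such account)",
    "2010-05-03 20:10:05,456 INFO  [Pop3Server-1] [ip=203.0.113.7;] security - cmd=Auth; account=alice; protocol=pop3; error=authentication failed for alice, invalid password;",
    "2010-05-03 20:10:09,789 INFO  [btpool0-2://mail.example.com/service/soap/AuthRequest] [name=alice;oip=203.0.113.7;ua=zclient/6.0;] security - cmd=Auth; account=alice; protocol=soap; error=authentication failed for alice, invalid password;",
    "2010-05-03 20:10:12,000 WARN  [btpool0-5://mail.example.com:7071/service/admin/soap/AuthRequest] [name=admin;ip=203.0.113.7;ua=ZimbraWebClient - FF3.0 (Linux)/6.0.5_GA_2213;] security - cmd=AdminAuth; account=admin; error=authentication failed for admin;",
    "2010-05-03 20:10:15,000 INFO  [ImapServer-3] [ip=203.0.113.7;] security - cmd=Auth; account=eve; protocol=imap; error=authentication failed for eve, invalid password;",
    "2010-05-03 20:10:20,000 INFO  [Pop3Server-2] [ip=198.51.100.9;] security - cmd=Auth; account=carol; protocol=pop3; error=authentication failed for carol, invalid password;",
    "2010-05-03 20:10:24,000 INFO  [Pop3Server-2] [ip=198.51.100.9;] security - cmd=Auth; account=carol; protocol=pop3; error=authentication failed for carol, invalid password;",
    "2010-05-03 20:10:30,000 INFO  [Pop3Server-2] [ip=198.51.100.9;] security - cmd=Auth; account=carol; protocol=pop3; authenticated;",
] + [  # five failures spread over two hours: never maxretry inside findtime, so no ban
    f"2010-05-03 {h:02d}:{m:02d}:00,000 INFO  [ImapServer-1] [ip=192.0.2.5;] account - authentication failed for user{m} (no such account)"
    for h, m in ((20, 0), (20, 30), (21, 0), (21, 30), (22, 0))
]
```

Running `ips_to_ban(SAMPLE_LINES)` bans only 203.0.113.7; raising findtime to 7200 also catches the slow scanner, which is the trade-off LaFong alludes to when saying the maxretry/bantime values are not settled.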
