| Welcome to the Zimbra :: Forums! | |
09-30-2010, 12:47 AM
SOAP IP Security
Hi,
In audit.log I see entries like:
security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;
These "invalid password" attempts lock the account after 10 attempts. But these attempts do not originate from the real user.
When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server's own address. This is always the case in SOAP communication.
So, if I cannot find the originating address for SOAP communications, this is a true security flaw in the design IMHO.
Is there a way to determine the originating address in SOAP communication?
Best Regards,
09-30-2010, 01:29 PM
Quote:
Originally Posted by ghanedan
Hi,
In audit.log I see entries like:
security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;
These "invalid password" attempts lock the account after 10 attempts. But these attempts do not originate from the real user.
When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server's own address. This is always the case in SOAP communication.
So, if I cannot find the originating address for SOAP communications, this is a true security flaw in the design IMHO.
Is there a way to determine the originating address in SOAP communication?
Best Regards,

We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.
We are currently experimenting with PSAD on SLES and trying to develop Snort rules which will track this kind of behavior and block the offending IP with iptables before the legitimate user gets locked out. Early days though...
Hope that helps,
Mark
__________________
L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
10-02-2010, 12:14 AM
Quote:
Originally Posted by LMStone
We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.
Hope that helps,
Mark

I see. I will wait for the security improvements.
BTW, it is very cumbersome to match firewall logs to Zimbra logs, because of different timestamp values and DMZ and NAT configurations.
Best Regards,
10-02-2010, 11:39 AM
Quote:
Originally Posted by ghanedan
I see. I will wait for the security improvements.
BTW, it is very cumbersome to match firewall logs to Zimbra logs, because of different timestamp values and DMZ and NAT configurations.
Best Regards,

We don't have that problem...
Our firewalls and our Zimbra servers have the same timestamps; both keep their clocks synchronized to the same public nameservers.
Our firewalls do DNS lookups, so we get both the public FQDN and the public IP in the firewall logs. Zimbra's logs contain the same info too.
So, easy for us to match.
Hope that helps,
Mark
10-03-2010, 09:19 AM
Quote:
Originally Posted by LMStone
Our firewalls and our Zimbra servers have the same timestamps; both keep their clocks synchronized to the same public nameservers.

Of course, if you don't have tens of other requests per second to the firewall.
I think a better option is to activate a secondary firewall on the Zimbra machine itself.
Best Wishes,
10-05-2010, 03:02 AM
If of use, this is my local_decoder.xml file for OSSEC:
Code:
<!--
Zimbra OSSEC decoders. The parent matches the audit.log line prefix; each
child matches one security message and pulls the account and the source
address out of the [name=...;ip=...;] or [name=...;oip=...;] context block.
-->
<decoder name="zimbra">
  <!-- In OSSEC regex "|" is a low-precedence OR, so the timestamp anchor is
       repeated in both alternatives; a bare "WARN|INFO" would fire on INFO
       anywhere in the line. -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ INFO</prematch>
</decoder>

<!-- PreAuth failure: user and source from the name= and ip= fields.
     Dots in the address are escaped, since "." is any character in OSSEC regex. -->
<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+\.\d+\.\d+\.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<!-- Successful PreAuth, same fields -->
<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+\.\d+\.\d+\.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<!-- Login to a non-existent account, as reported by the SOAP engine; the
     source here is oip= and the account name follows "authentication failed for" -->
<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+\.\d+\.\d+\.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<!-- Wrong password on a SOAP Auth request, the line quoted at the top of the
     thread. That line ends in "invalid password;", so the anchor includes the
     semicolon. The source is oip= (the client address the proxy passes along),
     not ip= (the proxy, i.e. the mail server itself). -->
<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password;$</prematch>
  <regex>[name=(\S+);oip=(\d+\.\d+\.\d+\.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>
10-05-2010, 08:37 AM
Quote:
Originally Posted by ghanedan
Of course, if you don't have tens of other requests per second to the firewall.
I think a better option is to activate a secondary firewall on the Zimbra machine itself.
Best Wishes,

It's not unusual for us to see 10 or 20 Mbps sustained traffic on our firewall. The firewall console enables us to filter the logs there, and on Zimbra "grep" is one of our best friends. :-)
Honestly, coordinating output from the two logs hasn't been an issue for us.
And sure, you can run iptables on the Zimbra server, and then you can deploy something like OSSEC, or PSAD and fwsnort, to do active IPS too if you want.
Hope that helps,
Mark
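The OSSEC decoders posted above and the iptables suggestion in the last reply both come down to the same two steps: read the originating address out of the oip= field of the audit.log context block (the ip= field is the proxy, which is why the SOAP entries show the mail server's own address), then count failures per source and block before Zimbra's 10-attempt lockout fires. The following Python script is an added example written for this page, not code from any poster or from Zimbra. The log lines in it are constructed to match the line shape quoted in the thread and the fields the decoders reference; the accounts, addresses, the 5-failures-in-10-minutes threshold and the 80/443 port list in the generated iptables rules are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Zimbra's audit.log: timestamp, level,
# handler block, a [name=...;ip=...;oip=...;ua=...;] context block, then the
# "security - cmd=Auth; ..." message quoted in the thread. Accounts and
# addresses are invented. ip= is the host that opened the connection (the
# proxy, i.e. the mail server itself); oip= is the client address it passed on.
SAMPLE_AUDIT_LOG = """\
2010-09-30 00:40:01,101 INFO  [btpool0-17://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;oip=198.51.100.7;ua=zclient/6.0.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2010-09-30 00:40:03,220 INFO  [btpool0-18://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;oip=198.51.100.7;ua=zclient/6.0.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2010-09-30 00:40:05,431 INFO  [btpool0-19://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;oip=198.51.100.7;ua=zclient/6.0.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2010-09-30 00:40:09,009 INFO  [btpool0-20://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=192.0.2.10;oip=203.0.113.44;ua=zclient/6.0.8;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2010-09-30 00:40:12,555 INFO  [btpool0-21://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;oip=198.51.100.7;ua=zclient/6.0.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2010-09-30 00:41:00,000 INFO  [btpool0-22://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;ip=192.0.2.10;oip=198.51.100.7;ua=zclient/6.0.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2010-09-30 00:55:00,000 INFO  [btpool0-23://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;ip=192.0.2.10;oip=203.0.113.9;ua=zclient/6.0.8;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for carol@example.com, invalid password;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+"
    r"\[[^\]]*\]\s+"                       # handler/thread block
    r"\[(?P<ctx>[^\]]*)\]\s+"              # key=value; context block
    r"security - cmd=(?P<cmd>\w+);(?P<rest>.*)$"
)


def parse_audit_line(line):
    """Return a dict for one security audit line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # "name=a;ip=b;oip=c;ua=d;" -> {"name": "a", "ip": "b", ...}
    ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
    rest = m.group("rest")
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "cmd": m.group("cmd"),
        "name": ctx.get("name"),
        "ip": ctx.get("ip"),
        "oip": ctx.get("oip"),
        "failed": "authentication failed" in rest,
        "error": rest.split("error=", 1)[1].strip() if "error=" in rest else "",
    }


def source_of(rec):
    """Prefer oip (client behind the proxy); fall back to ip for direct connections."""
    return rec["oip"] or rec["ip"]


def failed_auths_by_source(lines):
    """Map originating address -> list of (timestamp, account) for failed Auth."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["cmd"] == "Auth" and rec["failed"]:
            out[source_of(rec)].append((rec["ts"], rec["name"]))
    return dict(out)


def offenders(lines, threshold=5, window_minutes=10):
    """Sources with >= threshold failures inside any sliding window, with the
    peak count. The default threshold is deliberately below Zimbra's
    10-attempt lockout so the block can land before the real user is locked out."""
    window = timedelta(minutes=window_minutes)
    found = {}
    for src, events in failed_auths_by_source(lines).items():
        times = sorted(ts for ts, _ in events)
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            found[src] = peak
    return found


def iptables_rules(found, ports="80,443"):
    """Render one DROP rule per offending source as a string (not executed).
    The port list is an assumption; use whatever the proxy actually listens on."""
    return [f"iptables -I INPUT -s {src} -p tcp -m multiport --dports {ports} -j DROP"
            for src in sorted(found)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUDIT_LOG.splitlines())
    for src, n in hits.items():
        print(f"{src}: {n} failed logins within the window")
    for rule in iptables_rules(hits):
        print(rule)
```

Run against a real audit.log the same way (`offenders(open(path).readlines())`), and note that the sole key is oip: if your proxy does not populate it, every SOAP failure collapses onto the server's own address and the per-source count is meaningless, which is exactly the symptom described in the first post.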