SOAP IP Security

#1  09-30-2010, 12:47 AM
ghanedan (Active Member, Posts: 43)

Hi,

In audit.log I see entries like :

security - cmd=Auth; account=<somebody@somewhere.com>; protocol=soap; error=authentication failed for <somebody@somewhere.com>, invalid password;

These "invalid pass" tries lock the account after 10 attempts. But these tries do not originate from the real user.

When I examine audit.log for the originating IP address, I see that the protocol is soap and the IP address is the mail server address itself. This is always the case in soap communication.

So, if I cannot find the originating address for soap communications, this is a true security flaw in design IMHO.

Is there a way to determine the originating address in soap communication?

Best Regards,

#2  09-30-2010, 01:29 PM
LMStone (Moderator, Posts: 1,209)

Quote:
Originally Posted by ghanedan
Is there a way to determine the originating address in soap communication?
We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.

We are currently experimenting with PSAD on SLES and trying to develop Snort rules which will track this kind of behavior and block the offending IP with iptables before the legitimate user gets locked out. Early days though...

Hope that helps,
Mark
__________________
L. Mark Stone, CIO
"Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting

#3  10-02-2010, 12:14 AM
ghanedan (Active Member, Posts: 43)

Quote:
Originally Posted by LMStone
We keep verbose logging in our hardware firewall turned on and the firewall does DNS lookups, so for situations like these we go to our firewall logs for the originating IP.

Hope that helps,
Mark
I see. I will wait for the security improvements.

BTW, it is very cumbersome to match firewall logs to Zimbra logs because of different timestamp values and DMZ & NAT configurations.

Best Regards,

#4  10-02-2010, 11:39 AM
LMStone (Moderator, Posts: 1,209)

Quote:
Originally Posted by ghanedan
BTW, it is very cumbersome to match firewall logs to Zimbra logs because of different timestamp values and DMZ & NAT configurations.
We don't have that problem...

Our firewalls and our Zimbra servers have the same timestamps; both keep their clocks synchronized to the same public nameservers.

Our firewalls do DNS lookups, so we get both the public FQDN as well as the public IP in the firewall logs. Zimbra's logs contain the same info too.

So, easy for us to match.

Hope that helps,
Mark

#5  10-03-2010, 09:19 AM
ghanedan (Active Member, Posts: 43)

Quote:
Originally Posted by LMStone
Our firewalls and our Zimbra servers have the same time stamps; both keep their clocks syncronized to the same public nameservers.
Of course, if you don't have tens of other requests per second to the firewall.

I think a better option is to activate a secondary firewall on the zimbra machine itself.

Best Wishes,

#6  10-04-2010, 01:56 AM
Moderator (Posts: 7,928)

You could always use OSSEC and its active response capability.

#7  10-05-2010, 03:02 AM
Moderator (Posts: 7,928)

If it is of use, this is my local_decoder.xml file for OSSEC:
Code:
<!--
  Zimbra OSSEC decoders (local_decoder.xml)

  Zimbra writes two address fields into the bracketed context of an
  audit.log / mailbox.log entry: ip= is the address of the connection the
  mailbox server accepted (for SOAP requests that arrive through Zimbra's
  own proxy that is the server itself), while oip= is the originating
  client address. Where oip= is present it is what these decoders
  extract as srcip.
-->

<!-- Parent: timestamp and log level, e.g. "2010-09-30 00:47:12,345 INFO".
     \w+ covers WARN, INFO and ERROR. The original "WARN|INFO" alternation
     applied "|" to the whole pattern, so a bare "INFO" anywhere on the
     line matched the parent without the timestamp. -->
<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ \w+</prematch>
</decoder>

<!-- PreAuth entries: keyed on the ip= field. "\." is a literal dot;
     a bare "." in OSSEC regex matches any character. -->
<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+\.\d+\.\d+\.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+\.\d+\.\d+\.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<!-- Login against a non-existent account (mailbox.log SoapEngine line):
     the source address comes from oip=, the account from the message. -->
<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+\.\d+\.\d+\.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<!-- Wrong password. No "$" after "invalid password": the audit.log entry
     quoted in the first post ends with "invalid password;", which an
     end-of-line anchor placed before the ";" would never match. -->
<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password</prematch>
  <regex>[name=(\S+);oip=(\d+\.\d+\.\d+\.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>
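The decoders in the post above only extract user and srcip; on their own they raise no alert and block nothing. What is missing for the "block the offending IP before the legitimate user gets locked out" goal from post #2 and the active-response suggestion in post #6 is a set of rules that count failures per source and an active-response entry that acts on them. The following is an added example, not part of the original post and not OSSEC's or Zimbra's own configuration: local_rules.xml rules built on the posted decoders, plus an ossec.conf fragment. The rule ids 100200-100203, the threshold of 8 failures in 300 seconds and the 600-second block are assumptions chosen to stay under Zimbra's 10-attempt lockout.

```xml
<!-- Added example (assumed rule ids and thresholds), not from the original post. -->

<!-- /var/ossec/rules/local_rules.xml -->
<group name="zimbra,">

  <!-- Everything the parent "zimbra" decoder matched. Level 0 never alerts
       on its own; it only gives the child rules something to hang off. -->
  <rule id="100200" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra log entry.</description>
  </rule>

  <!-- One failed login. srcip here is the oip= / ip= value the decoders
       extracted, so the counting below is per originating client, not per
       mailbox server. -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <match>invalid password|preauth mismatch|account not found</match>
    <description>Zimbra: failed login.</description>
    <group>zimbra_auth_failed,authentication_failed,</group>
  </rule>

  <!-- 8 failures from the same source within 5 minutes (assumed threshold):
       fire while still below Zimbra's 10-attempt lockout so the real user
       is not locked out by the guesser. -->
  <rule id="100202" level="10" frequency="8" timeframe="300">
    <if_matched_group>zimbra_auth_failed</if_matched_group>
    <same_source_ip />
    <description>Zimbra: password guessing from a single source IP.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Same count, but keyed on the account: many sources against one user.
       Dropping a single IP does not help here, so this one only alerts. -->
  <rule id="100203" level="8" frequency="8" timeframe="300">
    <if_matched_group>zimbra_auth_failed</if_matched_group>
    <same_user />
    <description>Zimbra: repeated failures against one account from several sources.</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf: drop the offending source with iptables
     (OSSEC's bundled firewall-drop command) for 600 seconds (assumed). -->
<ossec_config>
  <global>
    <!-- Never block the mailbox server or proxy itself; 192.0.2.10 is an
         assumed address, replace it with your own hosts. -->
    <white_list>192.0.2.10</white_list>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100202</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The white_list matters for exactly the reason the first post raised: a line that decodes ip= rather than oip= yields the mail server's own address as srcip, and without the whitelist the active response would firewall the server off from itself. Before enabling firewall-drop, paste a few real audit.log lines into /var/ossec/bin/ossec-logtest and confirm that srcip is the client address and that rule 100202 fires before the tenth attempt; adjust the frequency from the observed count rather than from the nominal value.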

#8  10-05-2010, 08:37 AM
LMStone (Moderator, Posts: 1,209)

Quote:
Originally Posted by ghanedan
Of course, if you don't have tens of other requests per second to the firewall.

I think a better option is to activate a secondary firewall on the zimbra machine itself.
It's not unusual for us to see 10 or 20 Mbps sustained traffic on our firewall. The firewall console enables us to filter the logs there, and on Zimbra "grep" is one of our best friends. :-)

Honestly, coordinating output from the two logs hasn't been an issue for us.

And sure you can run iptables on the Zimbra server, and then you can deploy something like OSSEC, or PSAD and fwsnort to do active IPS too if you want.

Hope that helps,
Mark