
Thread: Successful hacking attempts on Zimbra mailboxes (webmail)

  1. #11
    LaFong, Advanced Member (Denver, CO; joined Nov 2008)

    Thanks, updated my post. As for logging admin login attempts, I can only guess that those IP addresses have not been banned yet. With my config, they have 5 tries before being banned, and those 5 tries will get logged. Are there more than 5 log entries from an IP address? It's also likely that attacking the admin page is more common than regular webmail. If Zimbra allowed changing the admin port to something other than 7071 it would virtually eliminate admin attacks, but it's a 6-year-old feature request.

  2. #12
    Brad_C, Senior Member (joined Apr 2012)

    Quote Originally Posted by LaFong:
    If Zimbra allowed changing the admin port to something other than 7071 it would virtually eliminate admin attacks, but it's a 6 year old feature.

    I assume your Zimbra machine is behind a firewall. Just close 7071 to the world and put a redirect in place from some other port. Easy.

    Having said that, security by obscurity never works long term.

  3. #13
    bofh, Elite Member (joined May 2010)

    Thanks brad,...

    Really I have to be rude now, but wtf are you guys thinking.
    Changing the admin port to something else would eliminate anything? Really?
    Is IT your full-time job or just your hobby?

    Man, normally I could say hey, it's their server, but that's not the truth.
    Truth is 99% of all attacks come from automated systems, worms and so on, many of them using exposed, unsecured servers.
    So in many ways this kind of lack of knowledge doesn't just make your lives harder through hacked and exposed systems, but everyone else's, because your server will be the next one attacking mine, or spamming mine to shit, or whatever.

    And the best part is you blame Zimbra here for an old, unuseful enhancement.
    It's perfect that it runs on a different port, so it's very easy to secure. Many, many, many other solutions don't even have that option.
    You can secure those by firewall, because admin is just a different URL.
    Be grateful - a different port for admin is all that's needed.

    Btw, if you want to obscure, change the admin account; that's the best you can do as an additional measure, but not the primary - the primary is firewalling - dammit.

  4. #14
    LaFong, Advanced Member (Denver, CO; joined Nov 2008)

    Quote Originally Posted by Brad_C:
    I assume your Zimbra machine is behind a firewall. Just close 7071 to the world and put a redirect in place from some other port. Easy.

    That would be easy with most routers. However, Amazon EC2 has a relatively primitive firewall ability. You should be able to do it with iptables or Apache ProxyPass, but neither have worked for me. I can get to the main page, but admin login just hangs. You could also use an SSH tunnel.

    Quote Originally Posted by Brad_C:
    Having said that, security by obscurity never works long term.

    I don't agree. Security is not a destination, it is a journey. If by "never works", you mean it is not perfect, of course it is not. It does not help really against disgruntled ex-employees or the real wacko who wants to nmap all 65000+ ports. Against the vast majority of drive-by attacks, though, it works great, thank you very much. Combined with other software which monitors login attempts and you've got a very effective barrier. Changing ports, for me, is more useful in keeping crap out of my logs than anything else.

  5. #15
    LaFong, Advanced Member (Denver, CO; joined Nov 2008)

    Quote Originally Posted by bofh:
    Really I have to be rude now, but wtf are you guys thinking.
    Changing the admin port to something else would eliminate anything? Really?

    Yes. Really.

    Quote Originally Posted by bofh:
    Is IT your full-time job or just your hobby?

    Full time. How 'bout you?

    Quote Originally Posted by bofh:
    Truth is 99% of all attacks come from automated systems, worms and so on, many of them using exposed, unsecured servers.

    You're making my point for me. They are automated stupid systems. The simplest of measures is enough to thwart virtually all of them. Do you think these infected systems scan all 65000 TCP ports on every public IP address? Try 2 or 3.

    Quote Originally Posted by bofh:
    So in many ways this kind of lack of knowledge doesn't just make your lives harder through hacked and exposed systems, but everyone else's, because your server will be the next one attacking mine, or spamming mine to shit, or whatever.

    And changing my admin port makes your server more insecure somehow? How?

    Quote Originally Posted by bofh:
    And the best part is you blame Zimbra here for an old, unuseful enhancement.

    It is a rather obvious improvement, that was requested years ago and should be easy to implement.

    Quote Originally Posted by bofh:
    You can secure those by firewall, because admin is just a different URL.

    You can, if the firewall lets you. Most do, but cloud firewalls are pretty primitive.

    Quote Originally Posted by bofh:
    Btw, if you want to obscure, change the admin account; that's the best you can do as an additional measure, but not the primary - the primary is firewalling - dammit.

    No one has said that it is a primary method of securing a Zimbra server. IMHO, though, it's more than a nice-to-have feature, it is a should-have one.

  6. #16
    batfastad, Elite Member (London, UK; joined Aug 2007)

    I would never consider having an admin port of any service open to the internet. Only open the ports you really need in iptables and connect in through a VPN.
    Having said that, there definitely should be an option to change the admin port somewhere in the admin interface.
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  7. #17
    Brad_C, Senior Member (joined Apr 2012)

    Quote Originally Posted by LaFong:
    I don't agree. Security is not a destination, it is a journey. If by "never works", you mean it is not perfect, of course it is not.

    We have differing definitions of security, but that's ok. You seem to want to settle for barely obfuscated though. If you think automated bots aren't using nmap you are sorely mistaken.

  8. #18
    LaFong, Advanced Member (Denver, CO; joined Nov 2008)

    Quote Originally Posted by batfastad:
    I would never consider having an admin port of any service open to the internet. Only open the ports you really need in iptables and connect in through a VPN.

    Everyone opens only the ports they deem necessary. There is a tradeoff between convenience and security. The easy case is where something is really dangerous, and mitigating that requires only minor inconvenience. Most cases are far more gray however. Requiring a VPN would add the setup/connection inconvenience, and slow down the admin console. Possibly a minor inconvenience, though personally I'd just use an SSH tunnel. As for any danger, in this particular instance, an attacker would have to
    1. Find the admin port of the Zimbra server, potentially having to scan 65000 ports. I have never seen a case of someone doing that. Never. Someone doing that can be easily detected.
    2. Be specifically targeting the Zimbra admin interface. This is becoming slightly more common with Zimbra's growing popularity.
    3. Do dictionary attacks on the Zimbra "admin" user's password. This can also be easily detected, the attacker automatically banned, and you can change the name of the admin user.

    I have nothing against requiring a VPN for the admin port, but other methods can be just as effective.

  9. #19
    LaFong, Advanced Member (Denver, CO; joined Nov 2008)

    Quote Originally Posted by Brad_C:
    We have differing definitions of security, but that's ok. You seem to want to settle for barely obfuscated though. If you think automated bots aren't using nmap you are sorely mistaken.

    No, I'm not. nmap'ing 65000 ports is a relatively expensive proposition, time, network, and compute-wise. Last time I tested, it took 15-20 minutes to scan all ports on one machine. Trying to do that for several billion IP addresses is not a winning strategy. Many ISPs would detect such activity. Simply changing from a standard to a high port is much more effective than you realize. I have looked at logs for many, many years, and I just do not see anyone bothering to scan more than a few ports. That's not to say it hasn't happened to someone. Perhaps a higher-profile site has it happen to them, perhaps even often. I do not rely merely on port obfuscation. I also detect login attempts, postfix, ssh attacks, etc. If it ever got to the point where the server was in any serious risk, it would be trivial to implement VPN, SSH tunnel, or other method. For now, though, I'll opt for my method, which blocks essentially all attacks, bans those who try to attack, and yet still offers the best speed with a relatively slow web interface.

  10. #20
    chauvetp, Elite Member (New Paltz, NY; joined Apr 2008)

    If you really want this (and don't want to block all access except via VPN), can't you just use iptables to reroute 7071 to a different port?
    ---
    Paul Chauvet
    State University of New York at New Paltz
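The firewall approach Brad_C and chauvetp describe (close 7071 to the world, expose a different port and redirect it), written out as an added example that is not code from anyone in this thread. It assumes a Linux Zimbra host with iptables and the conntrack match; the admin network 203.0.113.0/24 and the alternate port 47071 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Linux host running Zimbra
# with iptables and the conntrack match. ADMIN_NET and ALT_PORT are constructed
# placeholders; set them for your environment before applying.
set -eu

ADMIN_PORT=7071                          # Zimbra admin console, fixed per the thread
ALT_PORT="${ALT_PORT:-47071}"            # constructed: externally exposed port
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}" # constructed: where admins connect from
IPT="${IPT:-iptables}"

# Emit the rules as text so they can be reviewed before being applied.
# REDIRECT runs in nat/PREROUTING, so by the time a redirected packet reaches
# filter/INPUT its destination port is already 7071: a plain "DROP 7071" rule
# would drop the redirected sessions as well. The conntrack match on the
# connection's original destination port lets exactly those sessions through.
# If admins always come from ADMIN_NET (batfastad's VPN-only model), omit the
# REDIRECT rule and the conntrack ACCEPT; the ACCEPT/DROP pair is enough.
# -A appends; if INPUT already ends in a catch-all rule, use -I to go above it.
admin_port_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -p tcp --dport $ALT_PORT -j REDIRECT --to-ports $ADMIN_PORT
$IPT -A INPUT -p tcp --dport $ADMIN_PORT -s $ADMIN_NET -j ACCEPT
$IPT -A INPUT -p tcp --dport $ADMIN_PORT -m conntrack --ctproto tcp --ctorigdstport $ALT_PORT -j ACCEPT
$IPT -A INPUT -p tcp --dport $ADMIN_PORT -j DROP
EOF
}

# Refuse configurations that collide with 7071, use a privileged or invalid
# port, or leave the admin network empty (which would lock everyone out).
check_config() {
    [ "$ALT_PORT" != "$ADMIN_PORT" ] || return 1
    { [ "$ALT_PORT" -ge 1024 ] && [ "$ALT_PORT" -le 65535 ]; } 2>/dev/null || return 1
    [ -n "$ADMIN_NET" ] || return 1
}

check_config || { echo "refusing: bad ALT_PORT/ADMIN_NET" >&2; exit 1; }
if [ "${1:-}" = "--apply" ]; then
    admin_port_rules | sh -e    # run the generated rules (needs root)
else
    admin_port_rules            # dry run: print what --apply would execute
fi
```

Run it without arguments to see the rules, then with `--apply` as root once they look right for your network.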
