#1 | 12-20-2011, 12:18 PM | Elite Member | Posts: 347
Survived my first hack attempt today

Today an IP, 75.148.115.169, attempted to hack our email web login for several accounts. I have since blocked the IP at my firewall. Are there any other precautions you guys can recommend? The source IP seems to be coming from the USA, a Comcast IP. To be exact: Glenwood Springs in United States...
With Jah Jah
Anything is Possible

FOSS 7.2.0

Last edited by drdre; 12-20-2011 at 12:23 PM..
#2 | 12-20-2011, 01:04 PM | Advanced Member | Posts: 214

you can automatically block IPs by firewall rules for xxx amount of time

also do not have the admin port open - that gives a bit more security too

use rules to ensure complexity of passwords

those are the basics to use - only one thing bothers me in closed systems like this: intrusion detection systems don't really work here since we can't verify changes in files on system level and associate them with a zimbra user - sadly that's not possible

what you could do is write a simple script to grab the logfiles and let it report failed auth attempts automatically

another precaution is - if you have only a small group of users - to restrict web access on the firewall to certain ranges of IPs -
#3 | 12-20-2011, 02:56 PM | Advanced Member | Posts: 213

I use fail2ban and iptables to monitor logs and ban IPs after login failures, etc. Currently, I filter for:

SASL login failures
IMAP/POP login failures
Web client login failures
Admin login failures
Postfix login failures
Postfix connection flooding
phpMyAdmin URL searches

I also adapted the fail2ban init script so that the banned IP list is maintained across restarts.
#4 | 12-20-2011, 03:40 PM | Special Member | Posts: 146
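Posts #2 and #3 above both describe the same defensive idea: parse the mail server's authentication log, count failed logins per source IP, and report (or ban) sources that cross a threshold. The script below is an added example, not code from the thread or from Zimbra or fail2ban. It assumes a log format modeled on Zimbra's audit.log (the `[ip=...;] security - cmd=Auth; ... error=authentication failed` shape); the sample lines are constructed, and the regex is an assumption that may need adjusting for a given Zimbra version. Beyond a plain per-IP count, it uses a sliding time window (as fail2ban does) and also counts how many distinct accounts one source tried, which is the "several accounts" pattern the original poster saw.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, loosely modeled on Zimbra's audit.log format.
# Assumption: real lines may differ between versions; adapt LINE_RE if so.
SAMPLE_LOG = """\
2011-12-20 12:18:01,004 WARN  [ImapServer-3] [ip=192.0.2.10;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice], invalid password;
2011-12-20 12:18:02,117 WARN  [ImapServer-3] [ip=192.0.2.10;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob], invalid password;
2011-12-20 12:18:03,250 INFO  [btpool0-12://mail.example.com/service/soap/AuthRequest] [ip=198.51.100.7;] security - cmd=Auth; account=carol@example.com; protocol=soap;
2011-12-20 12:18:04,301 WARN  [btpool0-14://mail.example.com/service/soap/AuthRequest] [ip=192.0.2.10;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol], invalid password;
2011-12-20 12:18:05,402 WARN  [btpool0-14://mail.example.com/service/soap/AuthRequest] [ip=192.0.2.10;] security - cmd=Auth; account=dave@example.com; protocol=soap; error=authentication failed for [dave], invalid password;
2011-12-20 12:18:06,500 WARN  [ImapServer-5] [ip=198.51.100.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice], invalid password;
2011-12-20 12:40:00,000 WARN  [ImapServer-5] [ip=192.0.2.10;] security - cmd=Auth; account=erin@example.com; protocol=imap; error=authentication failed for [erin], invalid password;
"""

# Matches only failed Auth commands; successful logins (no error= field) are skipped.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) WARN\s+\[.*?\] "
    r"\[ip=([\d.]+);\] security - cmd=Auth; account=([^;]+); "
    r"protocol=(\w+); error=authentication failed"
)


def parse_failures(text):
    """Return a list of (timestamp, ip, account, protocol) for each failed login."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        failures.append((ts, m.group(2), m.group(3), m.group(4)))
    return failures


def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(failures, threshold=5, window_minutes=10):
    """Report IPs with >= threshold failures within the window.

    Each entry records the peak rate, the total, and how many distinct accounts
    were tried, so password-spraying across users is visible, not just hammering
    on one mailbox.
    """
    by_ip = defaultdict(list)
    accounts = defaultdict(set)
    for ts, ip, account, _proto in failures:
        by_ip[ip].append(ts)
        accounts[ip].add(account)

    window = timedelta(minutes=window_minutes)
    report = {}
    for ip, times in by_ip.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            report[ip] = {
                "max_in_window": peak,
                "total": len(times),
                "accounts": len(accounts[ip]),
            }
    return report


if __name__ == "__main__":
    hits = detect_bruteforce(parse_failures(SAMPLE_LOG), threshold=3)
    for ip, info in hits.items():
        print(f"{ip}: {info['max_in_window']} failures in 10 min "
              f"({info['total']} total, {info['accounts']} accounts) - review/ban")
```

Run against a real file by replacing `SAMPLE_LOG` with the contents of the audit log; the thresholds are deliberately parameters, since a legitimate user with a stale saved password will also produce a burst of failures and should not be banned for good. Persisting the resulting list across restarts, as post #3 describes doing with fail2ban, is a separate step this script does not do.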

Simple way: Use fail2ban.
# ZCS 7.1.3 SLES11 SP1
#5 | 12-20-2011, 04:48 PM | Advanced Member | Posts: 214

partly true - fail2ban helps a lot, no question - especially you avoid getting accounts locked by brute-force attacks

but it works only against normal auth failures
any other hack attempt is undetected - like using a security bug in soap / tomcat or wherever we find one

this is actually a challenge and often not even solvable at the moment - if you're small with a few users and known address ranges you can - as I've written before - avoid most of them by an almost total lockdown

if it's really security relevant you may think about only letting smtp transfer in and out, lock everything else out and give access by any kind of vpn

like all similar services zimbra could be vulnerable to some other things we don't know yet

all depends on kind of service - need of security vs accessibility

only problem - in difference to normal unix services (shell login/ftp and so on) we can't use intrusion detection yet

maybe we could also think about logging firewall and fail2ban for additional weird behaviour - like portscans and stuff

btw anyone know if we can discover unauthenticated (so no login) request attempts on the soap engine? -

because there are a lot of tools out there brute-forcing web applications on the usual stuff like sql injections, buffer overflows and so on
#6 | 12-20-2011, 05:13 PM | Special Member | Posts: 146

I use Cisco IPS solution.
You can also use snort software and you can create your own IPS signatures
# ZCS 7.1.3 SLES11 SP1
#7 | 12-22-2011, 04:14 PM | Advanced Member | Posts: 213

I updated my fail2ban post, if you're interested in going that route:
Succesfull hacking attempts on Zimbra mailboxes (webmail)