Thread: Survived my first hack attempt today

  1. #1 drdre (Elite Member, Trinidad)

    Survived my first hack attempt today

    Today an IP, 75.148.115.169, attempted to hack our email web login for several accounts. I have since blocked the IP at my firewall. Are there any other precautions you guys can recommend? The source IP seems to be coming from the USA .. a Comcast IP. To be exact: Glenwood Springs in United States...
    Last edited by drdre; 12-20-2011 at 01:23 PM.
    With Jah Jah
    Anything is Possible

    FOSS 8.0.7

  2. #2 bofh (Elite Member)

    You can automatically block IPs by firewall rules for xxx amount of time.

    Also do not have the admin port open - that gives a bit more security too.

    Use rules to ensure complexity of passwords.

    Those are the basics to use. Only one thing bothers me in closed systems like this: intrusion detection systems don't really work here, since we can't verify changes in files on the system level and associate them with a Zimbra user - sadly that's not possible.

    What you could do is write a simple script to grab the logfiles and let it report failed auth attempts automatically.

    Another precaution, if you have only a small group of users, is to restrict web access on the firewall to certain ranges of IPs.
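
One way to do the "simple script that grabs the logfiles and reports failed auth attempts" suggested above, as an added example rather than code from the thread: it parses constructed lines approximating Zimbra's mailbox.log authentication failures (the `name=`/`oip=` fields and the message wording are an assumption, so adjust the regex to your own log), counts failures per source IP in a sliding time window and reports the IPs that hit the threshold together with the accounts they tried. The same regex is what a fail2ban filter for the web client login failures would key on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating Zimbra's mailbox.log auth failures.
# The "[name=...;oip=...;]" fields and the wording are an assumption: check
# /opt/zimbra/log/mailbox.log on your own server and adjust LINE_RE to match.
SAMPLE_LOG = """\
2011-12-20 13:01:02,101 INFO [btpool0-3://mail/service/soap/AuthRequest] [name=alice@example.com;oip=198.51.100.7;] SoapEngine - handler exception: authentication failed for [alice@example.com], invalid password
2011-12-20 13:01:09,215 INFO [btpool0-4://mail/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.7;] SoapEngine - handler exception: authentication failed for [bob@example.com], invalid password
2011-12-20 13:01:15,330 INFO [btpool0-5://mail/service/soap/AuthRequest] [name=carol@example.com;oip=198.51.100.7;] SoapEngine - handler exception: authentication failed for [carol@example.com], invalid password
2011-12-20 13:02:40,002 INFO [btpool0-6://mail/service/soap/AuthRequest] [name=dave@example.com;oip=192.0.2.10;] SoapEngine - handler exception: authentication failed for [dave@example.com], invalid password
2011-12-20 13:05:00,000 INFO [btpool0-7://mail/service/soap/AuthRequest] [name=alice@example.com;oip=192.0.2.10;] SoapEngine - handler exception: authentication failed for [alice@example.com], invalid password
2011-12-20 13:20:00,000 INFO [btpool0-8://mail/service/soap/AuthRequest] [name=erin@example.com;oip=192.0.2.10;] SoapEngine - handler exception: authentication failed for [erin@example.com], invalid password
"""

# Timestamp, the account tried and the client's source IP, on failure lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?"
    r"\[name=(?P<user>[^;\]]+);oip=(?P<ip>[^;\]]+);.*?authentication failed"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, account) for every auth failure line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                   m.group("ip"), m.group("user"))

def offenders(text, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: sorted accounts tried} for each source IP that produced
    max_failures or more failures inside any sliding window of `window`."""
    recent = defaultdict(list)    # ip -> timestamps still inside the window
    accounts = defaultdict(set)   # ip -> every account it tried, for the report
    flagged = {}
    for ts, ip, user in sorted(parse_failures(text)):
        accounts[ip].add(user)
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # expire failures older than window
            hits.pop(0)
        if len(hits) >= max_failures:
            flagged[ip] = sorted(accounts[ip])
    return flagged

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts targeted: {', '.join(users)}")
```

Run it from cron against the real log and mail or feed the output to a firewall block rule; with the constructed data, 198.51.100.7 is reported (three accounts within seconds) while 192.0.2.10 is not, because its third failure falls outside the 10-minute window.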

  3. #3 LaFong (Advanced Member, Denver, CO)

    I use fail2ban and iptables to monitor logs and ban IPs after login failures, etc. Currently, I filter for:

    SASL login failures
    IMAP/POP login failures
    Web client login failures
    Admin login failures
    Postfix login failures
    Postfix connection flooding
    phpMyAdmin URL searches

    I also adapted the fail2ban init script so that the banned IP list is maintained across restarts.

  4. #4 soba@ukw.edu.pl (Special Member)

    Simple way: Use fail2ban.
    # ZCS 7.1.3 SLES11 SP1

  5. #5 bofh (Elite Member)

    Partly true - fail2ban helps a lot, no question - especially since you avoid getting accounts locked by brute force attacks.

    But it works only against normal auth failures.
    Any other hack attempt is undetected - like using a security bug in SOAP / Tomcat or wherever we find one.

    This is actually a challenge and often not even solvable at the moment - if you're small with a few users and known address ranges you can - as I've written before - avoid most of them by an almost total lockdown.

    If it's really security relevant you may think about only letting SMTP transfer in and out, lock everything else out and give access by any kind of VPN.

    Like all similar services Zimbra could be vulnerable to some other things we don't know yet.

    All depends on the kind of service - need of security vs. accessibility.

    Only problem - in difference to normal Unix services (shell login/FTP and so on) we can't use intrusion detection yet.

    Maybe we could also think about logging firewall and fail2ban for additional weird behaviour - like portscans and stuff.

    BTW, anyone know if we can discover unauthenticated (so no login) request attempts on the SOAP engine?

    Because there are a lot of tools out there bruteforcing web applications on the usual stuff like SQL injections, buffer overflows and so on.

  6. #6 soba@ukw.edu.pl (Special Member)

    I use a Cisco IPS solution.
    You can also use Snort software and create your own IPS signatures.
    # ZCS 7.1.3 SLES11 SP1

  7. #7 LaFong (Advanced Member, Denver, CO)

    I updated my fail2ban post, if you're interested in going that route:
    Successful hacking attempts on Zimbra mailboxes (webmail)
