
Thread: attacks via SOAP calls on server external ip

  1. #11 phoenix (Zimbra Consultant & Moderator)

    Quote (originally posted by th13fp45s): So there's no way to know the origin from this failed authentication?

    No, I didn't say that. You should find the IP address of the failed login attempt in your audit.log and mailbox.log - I see them listed in the logs on my server.

    Regards,
    Bill

  2. #12 th13fp45s (Junior Member)

    No, in all logs we just see the localhost IP:

    2014-02-07 14:21:12,804 WARN [qtp1097575009-258848:http://127.0.0.1:80/service/soap/AuthRequest] [name=sic@dnocs.gov.br;oip=10.40.1.80;ua=zclient/8.0.6_GA_5922;] security - cmd=Auth; account=sic@dnocs.gov.br; protocol=soap; error=authentication failed for [sic], LDAP error: - unable to ldap authenticate: invalid credentials;
    This is the bug!

  3. #13 samuel sapp (Member)

    I once had this problem too.
    In my case some users were using a mobile client (either BlackBerry, iPhone, etc.), but yours may be different. For BlackBerry, the log indicates the BlackBerry IP; for iPhone and others, the IP that appears in the log is localhost or 127.0.0.1.
    In my case the user was always complaining that his account kept getting locked. This happened because he had already changed the password but forgot to update it in the mobile client. Ask the user if he/she is using a mobile client and try updating the password there.
    Sorry for my English.
    Hope that helps.
    Regards,
    Samuel Sappa

  4. #14 keszler (New Member)

    This happened to me yesterday. The solution is to look in /var/log/zimbra.log, and check the log entries surrounding the 'authentication failed' line. An example from my server:

    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: warning: hostname null.null.null does not resolve to address 204.124.181.230: Name or service not known
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: connect from unknown[204.124.181.230]
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: Anonymous TLS connection established from unknown[204.124.181.230]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Feb 9 11:39:30 mx saslauthd[17382]: zmauth: authenticating against elected url 'https://mx.srkconsulting.com:7071/service/admin/soap/' ...
    Feb 9 11:39:30 mx saslauthd[17382]: zmpost: url='https://mx.srkconsulting.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soa p:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [sql@srkconsulting.com]</soap:Text></soap:Reason><soapetail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp514441508-358:https://72.249.170.10:7071/service/admin/soap/:1391963970915:d51d86aacf37f824</Trace></Error></soapetail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    Feb 9 11:39:30 mx saslauthd[17382]: auth_zimbra: sql@srkconsulting.com auth failed: authentication failed for [sql@srkconsulting.com]
    Feb 9 11:39:30 mx saslauthd[17382]: do_auth : auth failure: [user=sql@srkconsulting.com] [service=smtp] [realm=srkconsulting.com] [mech=zimbra] [reason=Unknown]
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: warning: unknown[204.124.181.230]: SASL LOGIN authentication failed: authentication failure
    Feb 9 11:39:31 mx postfix/submission/smtpd[17931]: lost connection after RSET from unknown[204.124.181.230]
    Feb 9 11:39:31 mx postfix/submission/smtpd[17931]: disconnect from unknown[204.124.181.230]


    The offending IP address was 204.124.181.230. It was trying to guess a username/password once a minute, and had been running for 1.5 days before it hit a valid username and got that account locked.

    If you have a very busy server you might have more than one 'connect from' entry at the same time as the 'authentication failed'. In that case, note the 'connect' IPs, then find another 'authentication failed' entry and check the 'connect' IPs around it for a match.

    My solution was to block that IP address with iptables.
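As an added example (not code from any poster in this thread), the two log checks described in posts #11 and #14 as a script: it pulls the `oip=` client address out of mailbox.log/audit.log security lines, and it counts SASL failures per client IP in /var/log/zimbra.log, attaching the usernames that saslauthd rejected in the same second so that the busy-server ambiguity from post #14 shows up as more than one candidate. All sample lines, addresses and accounts are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# mailbox.log/audit.log "security" line: oip= is the real client even though the URL shows 127.0.0.1; the rest are syslog lines from /var/log/zimbra.log.
SECURITY_RE = re.compile(r"\[name=(?P<name>[^;\]]+);oip=(?P<oip>[^;\]]+);.*?error=authentication failed")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$")
SASL_FAIL_RE = re.compile(r"\w+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
DO_AUTH_RE = re.compile(r"auth failure: \[user=(?P<user>[^\]]+)\]")

def failed_soap_logins(lines):
    """(account, originating IP) for every failed SOAP auth in mailbox.log/audit.log."""
    return [(m["name"], m["oip"]) for m in map(SECURITY_RE.search, lines) if m]

def smtp_auth_failures(lines):
    """Per-IP count of SASL failures in zimbra.log, plus one event per failure carrying
    the usernames saslauthd rejected in the same second (several on a busy server)."""
    users_by_ts, fails, per_ip = defaultdict(set), [], Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        if m["prog"] == "saslauthd":
            d = DO_AUTH_RE.search(m["msg"])
            if d:
                users_by_ts[m["ts"]].add(d["user"])
        elif m["prog"].endswith("smtpd"):
            s = SASL_FAIL_RE.search(m["msg"])
            if s:
                per_ip[s["ip"]] += 1
                fails.append((m["ts"], s["ip"]))
    events = [(ts, ip, frozenset(users_by_ts[ts])) for ts, ip in fails]
    return per_ip, events

# Constructed sample lines modelled on the excerpts above (placeholder addresses/accounts).
MAILBOX_SAMPLE = """\
2014-02-07 14:21:12,804 WARN [qtp1-1:http://127.0.0.1:80/service/soap/AuthRequest] [name=user@example.com;oip=10.0.0.5;ua=zclient/8.0.6_GA_5922;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user], LDAP error: - unable to ldap authenticate: invalid credentials;
"""
ZIMBRA_SAMPLE = """\
Feb  9 11:39:30 mx postfix/submission/smtpd[17931]: connect from unknown[203.0.113.7]
Feb  9 11:39:30 mx saslauthd[17382]: do_auth : auth failure: [user=alice@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Feb  9 11:39:30 mx saslauthd[17383]: do_auth : auth failure: [user=bob@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Feb  9 11:39:30 mx postfix/submission/smtpd[17931]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb  9 11:39:30 mx postfix/submission/smtpd[17940]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Feb  9 11:40:30 mx saslauthd[17382]: do_auth : auth failure: [user=alice@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Feb  9 11:40:30 mx postfix/submission/smtpd[17951]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""
if __name__ == "__main__":
    print(failed_soap_logins(MAILBOX_SAMPLE.splitlines()))
    counts, events = smtp_auth_failures(ZIMBRA_SAMPLE.splitlines())
    print(counts.most_common(), events)
```

When two clients fail in the same second, the event carries both candidate usernames; a later, uncontended failure from the same IP (as in the 11:40:30 sample) narrows it, which is the cross-check post #14 describes.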
