
Thread: attacks via SOAP calls on server external ip

#1 leenewton (Starter Member, joined Jul 2009)

    Hi guys, hoping someone can point me in the right direction. I'm seeing log entries like the following appear in /opt/zimbra/log/mailbox.log

    2012-02-08 15:54:46,005 INFO [btpool0-95://mail.server.com:7071/service/admin/soap/] [name=lee@server.com;ip=xx.xx.xx.xx;] SoapEngine - handler exception: authentication failed for postmaster, invalid password

    Where xx.xx.xx.xx is the external IP of my Zimbra server. It's my understanding that log entries from btpool originate from Zimbra's HTTP interface. What confuses me is how the external IP of the server is getting in there. If this was a regular request via the Zimbra admin web interface I would expect to see the remote IP address of the client. I see no evidence of intrusion on my server, and these requests are circumventing APF firewall rules which restrict all access from beyond the external IP to a handful of remote addresses I've granted access to the Zimbra web admin interface.

    What am I missing, how are these requests being formed?

#2 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    > leenewton: Hi guys, hoping someone can point me in the right direction.

    The right direction for (or to) what?

    > leenewton: I'm seeing log entries like the following appear in /opt/zimbra/log/mailbox.log
    >
    > 2012-02-08 15:54:46,005 INFO [btpool0-95://mail.server.com:7071/service/admin/soap/] [name=lee@server.com;ip=xx.xx.xx.xx;] SoapEngine - handler exception: authentication failed for postmaster, invalid password

    I guess you've implemented strong passwords?

    > leenewton: Where xx.xx.xx.xx is the external ip of my zimbra server. It's my understanding, log entries from btpool are originated from zimbra's http interface.

    That would be https for the Admin UI, although I guess you've also enabled https for the Web UI as well (you should)?

    > leenewton: What confuses me is how the external ip of the server is getting in there. If this was a regular request via the zimbra admin web interface I would expect to see the remote ip address of the client. I see no evidence of intrusion on my server and these requests are circumventing apf firewall rules which restrict all access from beyond the external ip to a handful of remote addresses I've granted access to the zimbra web admin interface.

    You should really use a VPN to access the Admin UI from outside your LAN.

    > leenewton: What am I missing, how are these requests being formed?

    I guess they're being formed by something that's attempting to get into your server. Is your server on a LAN or just a public IP?

    You should also update your forum profile with the output of the following command:

    Code:
    zmcontrol -v
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

#3 det (Active Member, Singapore, joined Jul 2009)

    I encounter it too.

    For the same admin account I get 2 different logs. How is the first log possible? Why is it showing the mail server IP instead of the remote IP? There are multiple differences in the logs, like:

    - /service/admin/soap/AuthRequest vs /service/admin/soap
    - IP of the Zimbra server vs remote IP from where the Zimbra server is being accessed


    2012-03-21 06:00:08,305 WARN [btpool0-475://mail.thedomain.com.sg:7071/service/admin/soap/] [name=postmaster@thedomain.com.sg;ip=zimbra_mail_server_ip;] security - cmd=Auth; account=postmaster@thedomain.com.sg; protocol=soap; error=authentication failed for postmaster, invalid password;

    2012-03-22 11:13:39,002 WARN [btpool0-543://mail.thedomain.com.sg:7071/service/admin/soap/AuthRequest] [name=user2@thedomain.com.sg;ip=remote_ip;ua=Zimbra WebClient - FF3.0 (Mac);] security - cmd=AdminAuth; account=user2; error=authentication failed for user2;

#4 ivan78 (Junior Member, joined Feb 2010)

    > leenewton: What am I missing, how are these requests being formed?

    Had the same problem.
    After some digging I found that these log entries are caused by SMTP authentication.

    Steps to reproduce:
    Code:
    ivan@nsk-eclipse:~> echo test_user | base64
    dGVzdF91c2VyCg==
    
    ivan@nsk-eclipse:~> telnet mail 25
    ehlo test
    auth login
    dGVzdF91c2VyCg==
    dGVzdF91c2VyCg==
    quit
    ivan@nsk-eclipse:~>
    Code:
    root@mail:~# grep test_user /opt/zimbra/log/mailbox.log
    2012-10-31 05:05:00,625 INFO  [btpool0-975://mail.propertyminder.com:7071/service/admin/soap/] [ip=10.0.1.11;] SoapEngine - handler exception: authentication failed for [test_user], account not found

    root@mail:~# grep SASL /var/log/maillog | tail -1
    Oct 31 05:05:00 mail postfix/smtpd[13571]: warning: unknown[192.168.77.62]: SASL login authentication failed: authentication failure

    Bug report related to this problem: Bug 44120 - IP Address in server logs shows server ip on failed logins

#5 th13fp45s (Junior Member, Brazil/Ceara, joined Mar 2011)

    Hi,

    I have the same problem here. Is the bug still open? Is there some way to identify the source of the authentication failure?

    Regards,

#6 th13fp45s (Junior Member, Brazil/Ceara, joined Mar 2011)

    I did the upgrade to Zimbra 8 and the problem persists. Any news about this problem?

#7 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    > th13fp45s: I did the upgrade to Zimbra 8 and the problem persist, any news about this problem?

    This isn't a 'problem' or a 'bug', it's a normal failed login attempt. How do you think anyone can stop a failed login attempt? Have you also implemented strong passwords for your users? Have you also enabled https for web UI access? Have you also restricted internet access to your Admin UI port?

    Regards

    Bill

#8 th13fp45s (Junior Member, Brazil/Ceara, joined Mar 2011)

    Hi phoenix,

    I think the bug is that we don't know the source of the failed login. When this comes via SOAP the origin is the Zimbra local IP. All my users have strong passwords and the admin is blocked from the Internet, but we don't have https on the webmail. Do you think this will solve the problem?

#9 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    > th13fp45s: ..but we dont have https on the webmail, do you think this will solve the problem?

    No, it won't solve the problem, but it is good security practice to use a secure connection for your webmail.

    Regards

    Bill

#10 th13fp45s (Junior Member, Brazil/Ceara, joined Mar 2011)

    Yeah, it's true. So there's no way to know the origin of this failed authentication? Look what zmaudit says:

    2014-02-07 09:08:49,247 WARN [qtp1097575009-253352:https://10.0.0.30:7071/service/admin/soap/] [name=ribafs@dnocs.gov.br;ip=10.0.0.30;] security - cmd=Auth; account=ribafs@dnocs.gov.br; protocol=soap; error=authentication failed for [ribafs], LDAP error: - unable to ldap authenticate: invalid credentials;
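Post #4 shows that a mailbox.log failure stamped with the server's own IP is an SMTP SASL login being checked through the admin SOAP port, with the real client address only in postfix's maillog, and post #10 asks whether that origin can be recovered at all. The script below is an added example, written for this thread and not code from any poster or from Zimbra: it parses both log formats quoted here (the pre-8 btpool lines and the 8.x qtp/audit line), flags failures whose ip= equals a known server address, and pairs them with SASL failures from maillog by timestamp. SERVER_IPS, the example.com names and all log lines are constructed assumptions modelled on the thread's own entries.

```python
"""Recover the client behind a Zimbra auth failure logged with the server's own IP.

Added example for this thread (not code from any poster or from Zimbra). As post #4
found, a mailbox.log failure that carries the server's address comes from an SMTP
SASL login checked through the admin SOAP port, so the client address is only in
postfix's maillog. All log lines here are constructed samples; SERVER_IPS is assumed."""
import re
from datetime import datetime

SERVER_IPS = {"10.0.1.11", "10.0.0.30"}  # assumed: the Zimbra host's own addresses

# Constructed sample of /opt/zimbra/log/mailbox.log (btpool and 8.x qtp formats).
MAILBOX_LOG = """\
2012-10-31 05:05:00,625 INFO  [btpool0-975://mail.example.com:7071/service/admin/soap/] [ip=10.0.1.11;] SoapEngine - handler exception: authentication failed for [test_user], account not found
2012-10-31 05:07:12,010 WARN  [btpool0-980://mail.example.com:7071/service/admin/soap/AuthRequest] [name=user2@example.com;ip=203.0.113.9;ua=Zimbra WebClient - FF3.0 (Mac);] security - cmd=AdminAuth; account=user2; error=authentication failed for user2;
2012-10-31 05:09:30,100 INFO  [btpool0-990://mail.example.com:7071/service/admin/soap/] [name=postmaster@example.com;ip=10.0.1.11;] SoapEngine - handler exception: authentication failed for postmaster, invalid password
2014-02-07 09:08:49,247 WARN  [qtp1097575009-253352:https://10.0.0.30:7071/service/admin/soap/] [name=ribafs@example.com;ip=10.0.0.30;] security - cmd=Auth; account=ribafs@example.com; protocol=soap; error=authentication failed for [ribafs], LDAP error: - unable to ldap authenticate: invalid credentials;
"""

# Constructed sample of postfix's maillog (syslog timestamps carry no year).
MAILLOG = """\
Oct 31 05:05:00 mail postfix/smtpd[13571]: warning: unknown[192.168.77.62]: SASL login authentication failed: authentication failure
Feb  7 09:08:49 mail postfix/smtpd[22110]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

MAILBOX_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>\w+) +"
    r"\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$"
)
SASL_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed",
    re.IGNORECASE,
)
# Account appears either as "account=x;" or as "authentication failed for [x]" / "for x,".
ACCOUNT_RE = re.compile(r"account=([^;\s]+)|authentication failed for \[?([^\s\],;]+)")


def parse_mailbox_line(line):
    """Return a dict for a mailbox.log authentication failure, or None otherwise."""
    m = MAILBOX_RE.match(line)
    if not m or "authentication failed" not in m.group("msg"):
        return None
    # The second bracket holds "key=value;" pairs (name, ip, ua, ...).
    ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
    acct = ACCOUNT_RE.search(m.group("msg"))
    endpoint = re.search(r"/service\S*", m.group("thread"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "ip": ctx.get("ip"),
        "account": (acct.group(1) or acct.group(2)) if acct else None,
        "endpoint": endpoint.group(0) if endpoint else None,
    }


def parse_sasl_failure(line):
    """Return a dict for a postfix SASL authentication failure, or None otherwise."""
    m = SASL_RE.match(line)
    if not m:
        return None
    return {"mon": m.group("mon"), "day": int(m.group("day")), "time": m.group("time"),
            "client_ip": m.group("ip"), "mech": m.group("mech").upper()}


def sasl_datetime(entry, year):
    """Build a datetime for a maillog entry, borrowing the year from the mailbox event."""
    try:
        return datetime.strptime(f"{year} {entry['mon']} {entry['day']} {entry['time']}",
                                 "%Y %b %d %H:%M:%S")
    except ValueError:  # e.g. Feb 29 paired with a non-leap year
        return None


def correlate(mailbox_text, maillog_text, server_ips, window_seconds=2):
    """Classify each mailbox.log auth failure and attach the likely client address(es).

    ip= equal to a server address means the failure was an SMTP SASL check, so the
    client is looked up in maillog within window_seconds of the mailbox timestamp."""
    sasl = [s for s in map(parse_sasl_failure, maillog_text.splitlines()) if s]
    results = []
    for ev in filter(None, map(parse_mailbox_line, mailbox_text.splitlines())):
        if ev["ip"] in server_ips:
            ev["source"] = "smtp-sasl"
            hits = set()
            for s in sasl:
                when = sasl_datetime(s, ev["ts"].year)
                if when and abs((when - ev["ts"]).total_seconds()) <= window_seconds:
                    hits.add(s["client_ip"])
            ev["client_ips"] = sorted(hits)  # empty list: origin not recoverable
        else:
            ev["source"] = "direct"
            ev["client_ips"] = [ev["ip"]]
        results.append(ev)
    return results


if __name__ == "__main__":
    for ev in correlate(MAILBOX_LOG, MAILLOG, SERVER_IPS):
        print(ev["ts"], ev["source"], ev["account"], "->",
              ", ".join(ev["client_ips"]) or "unknown")
```

Pairing by timestamp is only as good as the clocks and the log volume: an empty client_ips (the postmaster line above) means nothing in maillog fell inside the window, and on a busy relay several SASL failures in the same second will all be returned, so treat the result as a lead for a blocklist or fail2ban rule rather than proof.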
