
Thread: somebody intruded in to zimbra server

  1. #1 yasanthau (Active Member, joined Nov 2009)

    somebody intruded in to zimbra server

    Dear All,

    I observed many login authentication failures in our Zimbra (7) server log. It seems somebody has hacked into our server using some accounts with weak passwords. Now I have removed all such accounts, but I still see many failed login attempts against those accounts. Even after restricting outside access to the server through a firewall, such attempts are still seen in the log. How can I find out what process is doing this on the Zimbra server? There are about 1000 login attempts per day from several IP addresses. Following is what I see in the logs. Any help is greatly appreciated.

    Feb 16 00:29:06 mail postfix/smtpd[27709]: warning: 125.46.74.185: hostname hn.kd.ny.adsl verification failed: Name or service not known
    Feb 16 00:29:06 mail postfix/smtpd[27709]: connect from unknown[125.46.74.185]
    Feb 16 00:29:08 mail saslauthd[11351]: zmauth: authenticating against elected url 'https://mail.domain.com:7071/service/admin/soap/' ...
    Feb 16 00:29:08 mail saslauthd[11351]: zmpost: url='https://mail.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [yasantha]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [yasantha] ExceptionId:btpool0-19://mail.domain.com:7071/service/admin/soap/:1329332348772:0eed82007f864a24 Code:account.AUTH_FAILED at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:130) at com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:126) at com.zimbra.cs.account.auth.AuthMechan
    Feb 16 00:29:08 mail saslauthd[11351]: auth_zimbra: yasantha auth failed: authentication failed for [yasantha]
    Feb 16 00:29:08 mail saslauthd[11351]: do_auth : auth failure: [user=yasantha] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
    Feb 16 00:29:08 mail postfix/smtpd[27709]: warning: unknown[125.46.74.185]: SASL LOGIN authentication failed: authentication failure
    Feb 16 00:29:09 mail postfix/smtpd[27709]: lost connection after AUTH from unknown[125.46.74.185]
    Feb 16 00:29:09 mail postfix/smtpd[27709]: disconnect from unknown[125.46.74.185]

  2. #2 Eclipse (Senior Member, joined Jun 2011)

    It looks like someone is brute-forcing your admin login. Remove access to port 7071 from the internet and make it accessible only from the local LAN, requiring VPN access....

  3. #3 yasanthau (Active Member, joined Nov 2009)

    Thank you very much for the post. I have already done so. Now nobody can access the server on port 7071; it is allowed only for localhost and one other LAN IP. But that attack is still going on. It seems some robot is running internally. How can I identify this and neutralize it?

    When 7071 is blocked for the localhost (server) IPs, normal emails also get disturbed. Is there any relevance in authenticating normal users with that port as well?

  4. #4 Yves Pires (Active Member, joined Jun 2011)

    Quote Originally Posted by yasanthau View Post
    Thank you very much for the post. I have already done so. Now nobody can access the server on port 7071; it is allowed only for localhost and one other LAN IP. But that attack is still going on. It seems some robot is running internally. How can I identify this and neutralize it?

    When 7071 is blocked for the localhost (server) IPs, normal emails also get disturbed. Is there any relevance in authenticating normal users with that port as well?
    Nope, leave 7071 open for LAN only.

    You can install fail2ban to monitor and ban IPs trying to brute-force your accounts:

    Successful hacking attempts on Zimbra mailboxes (webmail)

    Zimbra: fail2ban | Linux/MS/Xen/Samba/Nagios/Zimbra/Iptables Tips

    Fail2Ban with Zimbra » » Signalboxes

  5. #5 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    Quote Originally Posted by yasanthau View Post
    Thank you very much for the post. I have already done so. Now nobody can access the server on port 7071; it is allowed only for localhost and one other LAN IP. But that attack is still going on. It seems some robot is running internally. How can I identify this and neutralize it?
    How have you determined that a bot internal to your LAN is running this 'attack'? The IP that's shown in your log output is not a LAN IP.

    Quote Originally Posted by yasanthau View Post
    When 7071 is blocked for the localhost (server) IPs, normal emails also get disturbed. Is there any relevance in authenticating normal users with that port as well?
    That port has nothing to do with user authentication; it's used solely for access to the Admin UI.

    Regards

    Bill
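An added example, not from any poster in this thread, that answers the two questions raised above from the log format quoted in post #1: it counts SASL failures per source IP and per attempted user (the signal fail2ban would act on) and marks whether each heavy-hitting source is a private/LAN address, which is phoenix's point about the IP in the log. The log lines are constructed in the thread's format, the threshold is assumed, and pairing each saslauthd `do_auth` failure with the postfix `SASL ... authentication failed` line that follows it is a heuristic, not Zimbra's own correlation.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the postfix/saslauthd format quoted in post #1 (not the poster's real log).
SAMPLE_LOG = """\
Feb 16 00:29:06 mail postfix/smtpd[27709]: connect from unknown[125.46.74.185]
Feb 16 00:29:08 mail saslauthd[11351]: do_auth : auth failure: [user=yasantha] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Feb 16 00:29:08 mail postfix/smtpd[27709]: warning: unknown[125.46.74.185]: SASL LOGIN authentication failed: authentication failure
Feb 16 00:29:09 mail postfix/smtpd[27709]: disconnect from unknown[125.46.74.185]
Feb 16 00:30:11 mail saslauthd[11351]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Feb 16 00:30:11 mail postfix/smtpd[27710]: warning: unknown[125.46.74.185]: SASL LOGIN authentication failed: authentication failure
Feb 16 00:30:40 mail saslauthd[11351]: do_auth : auth failure: [user=yasantha] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Feb 16 00:30:40 mail postfix/smtpd[27712]: warning: unknown[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
"""

# postfix records the client IP; saslauthd records the username just before it.
SASL_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
AUTH_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\]")


def summarize(log_text, threshold=2):
    """Return (failures per IP, failures per user, flagged IPs at/over threshold)."""
    per_ip, per_user = Counter(), Counter()
    users_by_ip = defaultdict(set)
    pending_user = None  # heuristic: saslauthd failure precedes the matching postfix line
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            pending_user = m.group("user")
            per_user[pending_user] += 1
            continue
        m = SASL_FAIL.search(line)
        if m:
            ip = m.group("ip")
            per_ip[ip] += 1
            if pending_user is not None:
                users_by_ip[ip].add(pending_user)
                pending_user = None
    # "internal" tells you whether the source is an RFC1918 address, i.e. really on the LAN.
    flagged = {
        ip: {"count": n, "internal": ipaddress.ip_address(ip).is_private, "users": sorted(users_by_ip[ip])}
        for ip, n in per_ip.items() if n >= threshold
    }
    return per_ip, per_user, flagged
```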