
Thread: Admin account lockout.

  1. #1
    jpb

    Admin account lockout.

    Hi,

    It all started when I was informed that an admin account was inaccessible, and upon checking, the admin account appeared to be in 'lockout' status. I changed the status to 'active', saved it and all was well, but only for a while, before I received the same complaint again.

    I did the same steps as described again, and at the same time I tailed the audit.log. Immediately after activating the admin account, numerous failed login attempts were logged, which led to the account being locked out again. I have been searching the net for a fix but failed to find anything that works. I am new to Zimbra, and I may have overlooked some things (logs, settings).

    Excerpt from audit.log:
    Code:
    2013-05-15 12:57:41,028 WARN  [btpool0-36656://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:41,028 WARN  [btpool0-36652://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:52,481 WARN  [btpool0-36656://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:52,594 WARN  [btpool0-36656://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:55,765 WARN  [btpool0-36652://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:55,804 INFO  [btpool0-36652://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; error=account lockout due to too many failed logins;
    2013-05-15 12:57:55,851 WARN  [btpool0-36652://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], invalid password;
    2013-05-15 12:57:56,274 WARN  [btpool0-36656://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], account lockout;
    2013-05-15 12:57:56,274 WARN  [btpool0-36652://mail.abc.com:7071/service/admin/soap/] [name=admin@abc.com;ip=x.x.x.x;] security - cmd=Auth; account=admin@abc.com; protocol=soap; error=authentication failed for [admin], account lockout;
    Code:
    zmcontrol -v
    Release 7.2.0_GA_2669.RHEL6_64_20120410002025 CentOS6_64 FOSS edition.
    OS: CentOS release 6.3 (Final)


    Thanks.

  2. #2
    lytledd

    Port 7071 should not be accessible from the internet. If you have remote admins, they should be accessing this via a VPN. May I suggest OpenVPN.

    If that's not an option, may I suggest only allowing certain IP addresses access to port 7071 and block everybody else.

    Doug

  3. #3
    jpb

    Quote Originally Posted by lytledd:
    Port 7071 should not be accessible from the internet. If you have remote admins, they should be accessing this via a VPN. May I suggest OpenVPN.

    If that's not an option, may I suggest only allowing certain IP addresses access to port 7071 and block everybody else.

    Doug
    Port 7071 isn't accessible from the outside. I can't figure out what triggers all the attempts. The logs only show the IP of the mail server itself (IP x.x.x.x is the mail server IP address). All I can think of is to change the email to something else.

    From the access log during the login attempts:

    Code:
    x.x.x.x -  -  [16/May/2013:01:30:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-" 
    x.x.x.x -  -  [16/May/2013:01:30:24 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 531 "-" "-"
    where x.x.x.x is the mail server IP (same as the first post).

  4. #4
    jpb

    Sorry, my bad. Port 7071 is open to the public. I just figured it out from the system log.

    /var/log/messages:

    Code:
    May 16 10:35:11 mailserver postfix/smtpd[31461]: connect from unknown[y.y.y.y]
    May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: unknown[y.y.y.y]: SASL LOGIN authentication failed: authentication failure
    May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: SASL authentication failure: Password verification failed
    May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: unknown[y.y.y.y]: SASL PLAIN authentication failed: authentication failure
    May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: y.y.y.y: address not listed for hostname mail.abc.com
    May 16 10:35:12 mailserver postfix/smtpd[21246]: connect from unknown[y.y.y.y]
    May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: unknown[y.y.y.y]: SASL LOGIN authentication failed: authentication failure
    May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: SASL authentication failure: Password verification failed
    May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: unknown[y.y.y.y]: SASL PLAIN authentication failed: authentication failure
    May 16 10:35:12 mailserver postfix/smtpd[21242]: lost connection after RSET from unknown[y.y.y.y]
    May 16 10:35:12 mailserver postfix/smtpd[21242]: disconnect from unknown[y.y.y.y]
    where y.y.y.y is the mail server public IP address.

  5. #5
    glennbtn

    Can I suggest installing something like fail2ban or OSSEC so you can ban the IP from further attempts.

  6. #6
    jpb

    Quote Originally Posted by glennbtn:
    Can I suggest installing something like fail2ban or OSSEC so you can ban the IP from further attempts.
    Thought of that, but I was wondering how I can ban the IP when I can't even figure out what the IP is from the logs? Sorry, I have not used either of the mentioned tools before; is it possible for me to just configure them to automatically ban the IP?

  7. #7
    glennbtn

    OSSEC will block the IP for you.

    Here is a link on installing OSSEC: Securing Your Server With A Host-based Intrusion Detection System | HowtoForge - Linux Howtos and Tutorials

    Here is a guide to setting up some rules for Zimbra and OSSEC: OSSEC Rules
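The detection logic the last three posts ask for (count failures per source within a time window, then ban the source), run over log lines in the two formats the thread shows, as an added example. This is not code from the thread, from Zimbra, fail2ban or OSSEC; the sample lines, the server address 192.0.2.10, the external address 198.51.100.7, example.com and the thresholds are all constructed for the example. It also makes the trap from post #3 explicit: when every audit.log failure is attributed to the server's own IP, a rule that bans whatever IP appears in that log either bans nothing useful or bans the server, so the server's addresses go in an ignore list and the SMTP AUTH failures in /var/log/messages carry the source worth banning.

```python
"""Correlate failed-login evidence from Zimbra audit.log and Postfix SASL
lines, the way a fail2ban/OSSEC rule would, and list ban candidates.

The sample lines below are constructed for this example (RFC 5737 test
addresses, example.com); they mirror the shape of the lines posted in the
thread but are not taken from any real server.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip account kind")

# audit.log: "<ts> <level>  [<thread>] [name=<acct>;ip=<ip>;] security - cmd=Auth;
#             account=<acct>; [protocol=<p>;] error=<msg>;"
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \w+\s+\[[^\]]*\] "
    r"\[(?:name=[^;]*;)?ip=(?P<ip>[^;]*);\] security - cmd=Auth; "
    r"account=(?P<account>[^;]*);(?: protocol=(?P<proto>[^;]*);)? error=(?P<error>[^;]*);"
)
# /var/log/messages: "<syslog ts> <host> postfix/smtpd[pid]: warning: <rdns>[<ip>]:
#                     SASL <mech> authentication failed: ..."
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\w+) authentication failed"
)

# Constructed sample, modelled on the thread's excerpts: the admin SOAP failures
# are attributed to the server's own address, the SMTP AUTH failures to an outsider.
SAMPLE_LOG = """\
2013-05-15 12:57:41,028 WARN  [btpool0-36656://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2013-05-15 12:57:41,028 WARN  [btpool0-36652://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2013-05-15 12:57:52,481 WARN  [btpool0-36656://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2013-05-15 12:57:55,765 WARN  [btpool0-36652://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2013-05-15 12:57:55,804 INFO  [btpool0-36652://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; error=account lockout due to too many failed logins;
2013-05-15 12:57:56,274 WARN  [btpool0-36656://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], account lockout;
2013-05-15 12:57:56,274 WARN  [btpool0-36652://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=192.0.2.10;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], account lockout;
May 16 10:35:11 mailserver postfix/smtpd[31461]: connect from unknown[198.51.100.7]
May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: SASL authentication failure: Password verification failed
May 16 10:35:11 mailserver postfix/smtpd[31461]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 16 10:35:12 mailserver postfix/smtpd[21246]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
May 16 10:35:13 mailserver postfix/smtpd[21250]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
May 16 10:35:13 mailserver postfix/smtpd[21250]: disconnect from unknown[198.51.100.7]
""".splitlines()


def parse_events(lines, year=2013):
    """Return (failed-auth events, accounts the server reported as locked out).

    Syslog lines carry no year, so the caller supplies it. The lockout notice
    itself is recorded separately: it is the consequence, not another attempt."""
    events, locked = [], set()
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            if m["error"].startswith("account lockout"):
                locked.add(m["account"])
            elif m["error"].startswith("authentication failed"):
                events.append(Event(ts, m["ip"], m["account"], "zimbra-" + (m["proto"] or "unknown")))
            continue
        m = POSTFIX_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append(Event(ts, m["ip"], None, "smtp-sasl-" + m["mech"].lower()))
    return events, locked


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def ban_candidates(events, threshold=5, window=timedelta(minutes=10), ignore_ips=frozenset()):
    """Source IPs with at least `threshold` failures inside `window`, minus ignore_ips.

    Put the server's own addresses in ignore_ips: when audit.log attributes the
    failures to the host itself (as in the thread), a naive jail bans the server."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    hits = {}
    for ip, times in by_ip.items():
        if ip in ignore_ips:
            continue
        n = max_in_window(times, window)
        if n >= threshold:
            hits[ip] = n
    return hits


def failures_per_account(events):
    """Failed attempts absorbed per account (None = SMTP AUTH, where Postfix logs no account)."""
    counts = defaultdict(int)
    for e in events:
        counts[e.account] += 1
    return dict(counts)


if __name__ == "__main__":
    events, locked = parse_events(SAMPLE_LOG)
    print("locked out:", sorted(locked))
    print("failures per account:", failures_per_account(events))
    print("naive ban list:", ban_candidates(events))
    print("with the server's own IP ignored:", ban_candidates(events, ignore_ips={"192.0.2.10"}))
```

On the constructed sample, the naive ban list names both the server (6 admin SOAP failures) and the outsider (5 SMTP AUTH failures); with the server address ignored only 198.51.100.7 remains, which is the source a fail2ban jail or OSSEC active response should actually block. A production filter would additionally need the real client address for the admin port, which this log format does not carry when the request arrives via the host itself.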
