Tracking down source of account lockouts (2024)


rsaeks
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:03 am
ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201

Tracking down source of account lockouts


Postby rsaeks »

Hi all,
We've recently been faced with an issue where we have people attempting to guess user account passwords and therefore locking out legitimate accounts. The lockout has been working and preventing access. To work around this I've spent some time consolidating our mailbox.log and audit.log files into a searchable syslog server (through VMware Log Insight) and have been able to pull together data from those log files about the number of invalid password attempts, number of lockouts, number of invalid account attempts and a breakdown of invalid password attempts grouped by user. (I've attached a screenshot of that in case anyone is interested.) There are also notification rules set up in the log monitoring system where generally within 2 minutes of an account lockout we receive an E-Mail notification.
What we are now wondering is how we can track down the source of the attempts. We've found that when attempting to connect via IMAP or SMTP the source IP address appears, but most of the invalid password attempts that are causing issues are through SOAP. What we are able to see during those times are entries like the following:

2016-02-24 19:26:02,593 WARN [qtp1480581246-137387:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], invalid password;
2016-02-24 15:32:30,406 WARN [qtp1480581246-133399:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], account lockout;
The account lockouts / invalid passwords never seem to show a source IP address. Are there any other log files we might be able to use to try and locate that information? Is there some logging we might be able to increase to find out the IP address so we can possibly look to block that in some manner?

Thanks for any insight!


jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Tracking down source of account lockouts


Postby jorgedlcruz »

Hi rsaeks,

This is a great Forum post, thank you. What you have done with VMware Log Insight is pretty cool; did you follow the Wiki to implement it? https://wiki.zimbra.com/wiki/Centralize ... og_Insight

Well, back to your post: you can always increase the level of the log to Debug, but be careful because of the size and the amount of data you will have during DEBUG - https://wiki.zimbra.com/wiki/Using_log4 ... xd_Logging

Let us know if you are able to see more information in DEBUG.

Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/


howanitz
Advanced member
Posts: 65
Joined: Mon Feb 01, 2016 9:27 am

Tracking down source of account lockouts


Postby howanitz »

This is something I have had to deal with, although the majority of cases here have /not/ been attempts through SOAP, so most of the time I have been able to track down the IP address easily. I hope this is not a trend, and would like to hear a better answer also. Maybe we need to request a change in logging.

I have a simple script to monitor and alert me when an account goes into lockout mode, I have posted it here:

https://community.zimbra.com/collaborat ... /t/1141135

I don't think it will be of use to you, since your monitoring system is more sophisticated, but I mention it should it be useful to others. (It does alert almost immediately.) It monitors /opt/zimbra/log/audit.log as yours does.


rsaeks
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:03 am
ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201

Tracking down source of account lockouts


Postby rsaeks »

Thanks for the replies. I was looking at changing the debug levels a bit, then stumbled across this post:

http://community.zimbra.com/collaborati ... /t/1136676

Running: zmlocalconfig zimbra_http_originating_ip_header

my output states this is a null value key

Running: zmprov gcf zimbraMailTrustedIP returns nothing

It sounds like setting those values may add in the oip item into the requests. Would that be the private IP of the server, 127.0.0.1 and our pre-zimbra archiving solution private IP? I can post back my results.


howanitz
Advanced member
Posts: 65
Joined: Mon Feb 01, 2016 9:27 am

Tracking down source of account lockouts


Postby howanitz »

Looks like this would give us the correct oip for soap logins from his report - have not tried it myself yet:

https://community.zimbra.com/collaborat ... 42#1589542

zmprov mcf +zimbraMailTrustedIP 192.168.5.3

zmmailboxdctl restart


rsaeks
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:03 am
ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201

Tracking down source of account lockouts


Postby rsaeks »

Keith - Thanks for that information! We went ahead and made the change and at that point began to see the oip field popping in for those accessing email through the web.

Since a majority of our users access Zimbra through the web interface, we were able to layer in a tcpdump on the server looking at ports 25 and 587 originating outside our private IP block, take the capture data into Wireshark to get some analysis and visibility into the incoming connections that were causing issues, and block those netblocks on our firewall.

tcpdump -vv -X -x -s 1500 -i eth0 'not src net 192.168.0.0/16 and (port 25 or 587)' -w /opt/zimbra/smtpcapture.pcap

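As an added example (not code from this thread or from Zimbra), here is a small Python parser for the audit.log Auth lines quoted in the first post. It produces the counts rsaeks describes (invalid passwords, lockouts, failures per account) and, for the zimbraMailTrustedIP change discussed in the two posts above, a per-source count that prefers the oip= field over ip= where it is present, plus a count of SOAP failures where no oip= is available at all. The sample log lines are constructed; the exact position of the oip= field inside the bracketed context is an assumption.

```python
import re
from collections import Counter

# Regex for the "security - cmd=Auth" lines in /opt/zimbra/log/audit.log, built from the
# two lines quoted in the thread. The bracketed context ([name=...;ip=...;]) is captured
# whole and split into key/value pairs afterwards, so extra fields such as oip= or ua=
# do not break the match.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[[^\]]*\] \[(?P<ctx>[^\]]*)\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+);"
    r"(?: error=authentication failed for \[[^\]]*\], (?P<reason>[^;]+);)?"
)

# Constructed sample input. Lines 2 and 3 carry an oip= field, which is assumed to appear
# once zimbraMailTrustedIP covers the proxy, as the thread reports; its position inside
# the brackets is an assumption. Line 4 is an IMAP failure and line 5 a successful login.
SAMPLE_AUDIT_LOG = """\
2016-02-24 19:26:02,593 WARN [qtp1480581246-137387:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.com;ip=192.168.40.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2016-02-24 19:26:05,101 WARN [qtp1480581246-137388:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.com;ip=192.168.40.8;oip=203.0.113.77;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2016-02-24 19:26:09,410 WARN [qtp1480581246-137390:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.com;ip=192.168.40.8;oip=203.0.113.77;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], account lockout;
2016-02-24 19:27:00,002 WARN [ImapServer-3] [ip=198.51.100.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2016-02-24 19:27:30,555 INFO [qtp1480581246-137391:https://192.168.40.8:7071/service/admin/soap/] [name=carol@example.com;ip=192.168.40.8;oip=192.168.1.20;] security - cmd=Auth; account=carol@example.com; protocol=soap;
"""


def parse_auth_event(line):
    """Return a dict for an Auth audit line, or None for any other line."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ctx = {}
    for field in m.group("ctx").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            ctx[key] = value
    # ip= is the address Zimbra saw directly, which for SOAP through the proxy is the
    # proxy itself; oip= (originating IP) is the real client once the proxy is trusted.
    return {
        "ts": m.group("ts"),
        "account": m.group("account"),
        "protocol": m.group("proto"),
        "ip": ctx.get("ip"),
        "oip": ctx.get("oip"),
        "source": ctx.get("oip") or ctx.get("ip"),
        "reason": m.group("reason"),  # None for a successful login
    }


def summarize(log_text):
    """Counts in the spirit of the dashboard described in the first post."""
    events = [e for e in map(parse_auth_event, log_text.splitlines()) if e]
    failures = [e for e in events if e["reason"]]
    return {
        "invalid_password": sum(1 for e in failures if e["reason"] == "invalid password"),
        "lockouts": sum(1 for e in failures if e["reason"] == "account lockout"),
        "failures_by_account": Counter(e["account"] for e in failures),
        "failures_by_source": Counter(e["source"] for e in failures),
        # SOAP failures with no oip= are the ones where the real source stays invisible
        "soap_failures_without_oip": sum(
            1 for e in failures if e["protocol"] == "soap" and e["oip"] is None
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample input the per-source count attributes the first SOAP failure to the proxy address 192.168.40.8, exactly the blind spot the thread is about, while the two failures that carry oip= are attributed to the client behind it; feeding the real audit.log into summarize() (for example via a tail or a syslog pipeline) gives the same breakdown.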

liverpoolfcfan
Elite member
Posts: 1132
Joined: Sat Sep 13, 2014 12:47 am

Tracking down source of account lockouts


Postby liverpoolfcfan »

You can also use fail2ban or your own scripts to monitor the /var/log/zimbra.log file - smtpd authorization failures are logged there. The following regex is what I use in the configuration file.

failregex = .*\[<HOST>\]: SASL PLAIN authentication failed: authentication failure

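An added example (not from the thread or from fail2ban itself) showing why the square brackets around <HOST> in a failregex must be escaped. The block emulates fail2ban's <HOST> expansion on a constructed postfix smtpd line of the kind written to /var/log/zimbra.log and contrasts the unescaped and escaped forms; the expansion string is fail2ban's documented one and is taken here as an assumption about the installed version, and fail2ban's own line-prefix handling is omitted.

```python
import re

# fail2ban replaces <HOST> in a failregex with this pattern (assumption: matches the
# installed version's expansion). The named group "host" is what fail2ban bans.
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines in postfix smtpd format, as found in /var/log/zimbra.log
AUTH_FAIL_LINE = (
    "Feb 24 19:26:02 mail postfix/smtpd[12345]: warning: unknown[203.0.113.77]: "
    "SASL PLAIN authentication failed: authentication failure"
)
CONNECT_LINE = "Feb 24 19:26:40 mail postfix/smtpd[12345]: connect from unknown[198.51.100.9]"

# Unescaped brackets turn [<HOST>] into a character class, so the expanded pattern
# has an unbalanced parenthesis and never compiles; escaped brackets match the
# literal "[" and "]" around the client address.
UNESCAPED = r".*[<HOST>]: SASL PLAIN authentication failed: authentication failure"
ESCAPED = r".*\[<HOST>\]: SASL PLAIN authentication failed: authentication failure"


def check_failregex(failregex, line):
    """Return ("compile_error", None), ("no_match", None) or ("matched", host)."""
    try:
        rx = re.compile(failregex.replace("<HOST>", HOST_EXPANSION))
    except re.error:
        return ("compile_error", None)
    m = rx.search(line)
    if not m:
        return ("no_match", None)
    return ("matched", m.group("host"))


if __name__ == "__main__":
    for label, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(label, "auth failure:", check_failregex(pattern, AUTH_FAIL_LINE))
        print(label, "plain connect:", check_failregex(pattern, CONNECT_LINE))
```

fail2ban-regex against a real log file performs the same check end to end; the point here is that an unescaped bracket does not merely weaken the rule, it stops the filter from loading at all.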

jasggomes
Advanced member
Posts: 90
Joined: Sat Sep 13, 2014 12:59 am
Location: Lisbon, PT
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Tracking down source of account lockouts


Postby jasggomes »

Hi everyone,

Actually I got one user's password guessed, and that made a mess...

So, does anyone have a good script to monitor the locked accounts and send an email to the admin to alert them? The ones mentioned above are no longer available.

I'm not using VMware anymore; we moved to Hyper-V free one year ago ... maybe I'll switch it back ...

But for now I'm dealing with the aftermath of this mess.

Thanks in advance.

JG


zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Tracking down source of account lockouts


Postby zimico »

Dear JG,
You can use zmauditswatch to email you if any account is locked out.
https://wiki.zimbra.com/wiki/Zmauditswatch
Just one issue I have is that I cannot activate it at boot using systemd or init.d.
Regards,
Minh.
