- rsaeks
- Advanced member
- Posts: 53
- Joined: Sat Sep 13, 2014 3:03 am
- ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201
Tracking down source of account lockouts
Postby rsaeks »
Hi all,
We've recently been faced with an issue where we have people attempting to guess user account passwords and therefore locking out legitimate accounts. The lockout has been working and preventing access. To work around this I've spent some time consolidating our mailbox.log and audit.log files into a searchable syslog server (through VMware Log Insight) and have been able to pull together data from those log files about the number of invalid password attempts, number of lockouts, number of invalid account attempts and a breakdown of invalid password attempts grouped by user. (I've attached a screenshot of that in case anyone is interested.) There are also notification rules set up in the log monitoring system, so generally within 2 minutes of an account lockout we receive an e-mail notification.
What we are now wondering is how we can track down the source of the attempts. We've found that when attempting to connect via IMAP or SMTP the source IP address appears, but most of the invalid password attempts that are causing issues are through SOAP. What we are able to see during the times are entries like the following:
2016-02-24 19:26:02,593 WARN [qtp1480581246-137387:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], invalid password;
2016-02-24 15:32:30,406 WARN [qtp1480581246-133399:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], account lockout;
The account lockouts / invalid passwords never seem to show a source IP address. Are there any other log files we might be able to use to try and locate that information? Is there some logging we might be able to increase to find out the IP address, so we can possibly look to block that in some manner?
Thanks for any insight!
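As an added example (not code from the original post or from Zimbra), here is a small parser for the audit.log "security - cmd=Auth" lines quoted above. It counts invalid-password attempts and lockouts per account and attributes attempts to the oip= (originating IP) field when present, falling back to ip= otherwise. The sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Regex for the audit.log auth-failure lines quoted in the post. The bracketed
# context block carries ip= and, once an originating-IP header is trusted, oip=.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN \[[^\]]*\] \[(?P<ctx>[^\]]*)\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+); protocol=(?P<proto>\w+); "
    r"error=authentication failed for \[[^\]]+\], (?P<reason>[^;]+);"
)

def parse_auth_failure(line):
    """Return a dict for an auth-failure line, or None if the line does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m["ctx"].rstrip(";").split(";") if "=" in kv)
    return {
        "ts": m["ts"], "account": m["account"].lower(), "proto": m["proto"],
        "reason": m["reason"].strip(), "ip": ctx.get("ip"),
        # oip is the client address behind the proxy; without it ip= is all we have
        "source": ctx.get("oip") or ctx.get("ip"),
    }

def summarize(lines):
    """Count invalid passwords per account, lockouts per account, and failures per source."""
    per_account, lockouts, per_source = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_auth_failure(line)
        if ev is None:
            continue
        if ev["reason"] == "invalid password":
            per_account[ev["account"]] += 1
            per_source[ev["source"]] += 1
        elif ev["reason"] == "account lockout":
            lockouts[ev["account"]] += 1
    return per_account, lockouts, per_source

# Constructed sample lines in the format shown in the post; the oip= variant is
# what the context block looks like once originating-IP logging is enabled.
SAMPLE_LOG = """\
2016-02-24 19:26:02,593 WARN [qtp1480581246-137387:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.test;ip=192.168.40.8;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for [alice@example.test], invalid password;
2016-02-24 19:26:05,101 WARN [qtp1480581246-137388:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.test;oip=203.0.113.7;ip=192.168.40.8;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for [alice@example.test], invalid password;
2016-02-24 19:26:09,420 WARN [qtp1480581246-137389:https://192.168.40.8:7071/service/admin/soap/] [name=alice@example.test;oip=203.0.113.7;ip=192.168.40.8;] security - cmd=Auth; account=alice@example.test; protocol=soap; error=authentication failed for [alice@example.test], account lockout;
2016-02-24 19:27:00,000 INFO [ImapServer-5] [name=bob@example.test;ip=198.51.100.9;] imap - unrelated line
""".splitlines()
```

Feed `summarize()` the lines of /opt/zimbra/log/audit.log; a source that only ever shows the server's own address is the sign that the originating IP is not being logged yet.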
jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Postby jorgedlcruz »
Hi rsaeks,
This is a great forum post, thank you. What you have done with VMware Log Insight is pretty cool; did you follow the Wiki to implement it? https://wiki.zimbra.com/wiki/Centralize ... og_Insight
Well, back to your post: you can always increase the log level to DEBUG, but be careful because of the size and amount of data you will have during DEBUG - https://wiki.zimbra.com/wiki/Using_log4 ... xd_Logging
Let us know if you are able to see more information in DEBUG.
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
howanitz
- Advanced member
- Posts: 65
- Joined: Mon Feb 01, 2016 9:27 am
Postby howanitz »
This is something I have had to deal with, although the majority of cases here have /not/ been attempts through SOAP, so most of the time I have been able to track down the IP address easily. I hope this is not a trend, and would like to hear a better answer also. Maybe we need to request a change in logging.
I have a simple script to monitor and alert me when an account goes into lockout mode, I have posted it here:
https://community.zimbra.com/collaborat ... /t/1141135
I don't think it will be of use to you, since your monitoring system is more sophisticated, but I mention it should it be useful to others. (It does alert almost immediately.) It monitors /opt/zimbra/log/audit.log as yours does.
- rsaeks
- Advanced member
- Posts: 53
- Joined: Sat Sep 13, 2014 3:03 am
- ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201
Postby rsaeks »
Thanks for the replies. I was looking at changing the debug levels a bit, then stumbled across this post:
http://community.zimbra.com/collaborati ... /t/1136676
Running: zmlocalconfig zimbra_http_originating_ip_header
My output states this is a null-value key.
Running: zmprov gcf zimbraMailTrustedIP
returns nothing.
It sounds like setting those values may add the oip item into the requests. Would that be the private IP of the server, 127.0.0.1 and our pre-Zimbra archiving solution's private IP? I can post back my results.
howanitz
- Advanced member
- Posts: 65
- Joined: Mon Feb 01, 2016 9:27 am
Postby howanitz »
Looks like this would give us the correct oip for SOAP logins, from his report - I have not tried it myself yet:
https://community.zimbra.com/collaborat ... 42#1589542
zmprov mcf +zimbraMailTrustedIP 192.168.5.3
zmmailboxdctl restart
- rsaeks
- Advanced member
- Posts: 53
- Joined: Sat Sep 13, 2014 3:03 am
- ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201
Postby rsaeks »
Keith - Thanks for that information! We went ahead and made the change and at that point began to see the oip field popping in for those accessing email through the web.
Since a majority of our users access Zimbra through the web interface, we were able to layer in a tcpdump on the server looking at ports 25 and 587 originating outside our private IP block, take the capture data into Wireshark to get some analysis and visibility into the incoming connections that were causing issues, and block those blocks on our firewall.
tcpdump -vv -X -x -s 1500 -i eth0 'not src net 192.168.0.0/16 and (port 25 or 587)' -w /opt/zimbra/smtpcapture.pcap
- liverpoolfcfan
- Elite member
- Posts: 1132
- Joined: Sat Sep 13, 2014 12:47 am
Postby liverpoolfcfan »
You can also use fail2ban or your own scripts to monitor the /var/log/zimbra.log file - smtpd authentication failures are logged there. The following regex is what I use in the configuration file (the square brackets around the host must be escaped, since fail2ban filters are Python regexes):
failregex = .*\[<HOST>\]: SASL PLAIN authentication failed: authentication failure
jasggomes
- Advanced member
- Posts: 90
- Joined: Sat Sep 13, 2014 12:59 am
- Location: Lisbon, PT
- ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64
Postby jasggomes »
Hi everyone,
Actually, I had one user's password guessed, and that made a mess...
So, does anyone have a good script to monitor the locked accounts and send an email to the admin to alert them? The ones mentioned above are no longer available.
I'm not using VMware anymore; we moved to the free Hyper-V one year ago ... maybe I'll switch it back ...
But for now I'm dealing with the aftermath of this mess.
Thanks in advance.
JG
zimico
- Outstanding Member
- Posts: 225
- Joined: Mon Nov 14, 2016 8:03 am
- Location: Vietnam
- ZCS/ZD Version: 8.8.15 P3
Postby zimico »
Dear JG,
You can use zmauditswatch to send you an email if any account is locked out.
https://wiki.zimbra.com/wiki/Zmauditswatch
Just one issue I have is that I cannot activate it at boot using systemd or init.d.
Regards,
Minh.