    Malicious Logins To Zimbra Mail Server

    IT Discussion
    53 Posts 9 Posters 12.0k Views
    • S
      StorageNinja Vendor
      last edited by StorageNinja

      You have a front-facing service that has a login prompt. Random automated login attempts are just part of life. What can you do?

      1. Set up Fail2Ban. (Smart botnets split the load across lots of IPs.)

      2. ~Geo Blocking~ useless, as bots are all over the place (many in the US)

      3. Double-check your password policy (make sure they can't use easily guessable passwords).

      4. If you actually have users with highly valuable data in their email, force MDM agents on their mobile devices if they want to use mobile access; Exchange can be configured to do this. Alternatively, use a whitelist for remote/mobile devices (Exchange 2010 on has ActiveSync device quarantine options where devices, even if they can authenticate, don't get email till you approve them).

      5. I've seen it done with AirWatch so only Boxer as a mail client will work as it has a device-specific VPN.

      6. Disable unneeded and insecure protocols. IMAP and POP3 shouldn't be externally facing; it's 2017...

      Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

      anthonyhA scottalanmillerS 4 Replies Last reply Reply Quote 4
      • anthonyhA
        anthonyh
        last edited by

        If you're curious, here is a sample of the login failures from /opt/zimbra/log/audit.log:

        https://pastebin.com/NDU7UM0R

        I also added this to the original post.

        1 Reply Last reply Reply Quote 0
        • anthonyhA
          anthonyh @StorageNinja
          last edited by anthonyh

          @storageninja said in Malicious Logins To Zimbra Mail Server:

          Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

          Obviously you have no need to be in this thread, then. I'm looking for suggestions on mitigating my existing services from the current threat. Not, "who uses this crap these days?" 🙂

          1 Reply Last reply Reply Quote 2
          • stacksofplatesS
            stacksofplates
            last edited by

            As @StorageNinja said, there is really no way to stop this. If they're smart enough to throttle attempts, they're smart enough to set up bots to do this. Blocking IPs won't do anything. 2FA is the best way to handle it. Certs on the devices, OTPs, etc.

            1 Reply Last reply Reply Quote 2
            • scottalanmillerS
              scottalanmiller @DustinB3403
              last edited by

              @dustinb3403 said in Malicious Logins To Zimbra Mail Server:

              2FA is likely the best approach, and the most simple to manage.

              No, not having public access at all is the "best" approach from a security standpoint.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @coliver
                last edited by

                @coliver said in Malicious Logins To Zimbra Mail Server:

                Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

                I agree, we always use that.

                anthonyhA 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @anthonyh
                  last edited by

                  @anthonyh said in Malicious Logins To Zimbra Mail Server:

                  @coliver said in Malicious Logins To Zimbra Mail Server:

                  Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

                  Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

                  Is this attack over SSH or IMAP or web?

                  anthonyhA 1 Reply Last reply Reply Quote 0
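Added example, not from the thread: it parses constructed entries in the shape of Zimbra's audit.log and contrasts the per-source-IP count that Fail2Ban bans on with a per-account count of distinct source IPs, which is the signal a distributed attempt like the one described above leaves. The log layout is simplified, and every address and account name is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the shape of Zimbra's /opt/zimbra/log/audit.log (layout simplified):
# six failures against one account from six different IPs in five minutes, plus one real user's two typos.
SAMPLE_LOG = """\
2017-05-01 10:00:01,101 WARN  [ImapServer-11] [ip=203.0.113.10;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:01:30,005 WARN  [ImapServer-12] [ip=198.51.100.7;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:02:45,212 WARN  [ImapServer-13] [ip=192.0.2.44;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:03:10,330 WARN  [ImapServer-14] [ip=203.0.113.99;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:04:58,777 WARN  [ImapServer-15] [ip=198.51.100.200;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:05:20,010 WARN  [ImapServer-16] [ip=192.0.2.130;] security - cmd=Auth; account=jdoe@example.com; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-05-01 10:02:00,000 WARN  [ImapServer-17] [ip=203.0.113.50;] security - cmd=Auth; account=asmith@example.com; protocol=imap; error=authentication failed for [asmith], invalid password;
2017-05-01 10:02:20,000 WARN  [ImapServer-18] [ip=203.0.113.50;] security - cmd=Auth; account=asmith@example.com; protocol=imap; error=authentication failed for [asmith], invalid password;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN\s+\[\S+\] \[ip=(?P<ip>[^;\]]+);[^\]]*\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+); protocol=\w+; error=authentication failed"
)

def parse_failures(text):
    """Time-ordered (timestamp, ip, account) tuples for every failed Auth line."""
    return sorted(
        (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["ip"], m["account"])
        for m in map(LINE_RE.match, text.splitlines()) if m
    )

def peak_in_window(evs, window, key):
    """Most distinct key(e) values among events whose times fall inside one sliding window."""
    return max(len({key(e) for e in evs[i:] if e[0] - t <= window}) for i, (t, *_) in enumerate(evs))

def group(events, field):
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    return groups

def analyse(text, window=timedelta(minutes=10), maxretry=5, min_ips=5):
    """Compare a per-IP ban rule (Fail2Ban's view) with a per-account distinct-source rule."""
    events = parse_failures(text)
    # Fail2Ban counts failures per source IP; each event is unique, so the event itself is the key
    per_ip = {ip: peak_in_window(evs, window, lambda e: e) for ip, evs in group(events, 1).items()}
    # Spray view: how many different IPs failed against the same account inside the window
    per_acct = {a: peak_in_window(evs, window, lambda e: e[1]) for a, evs in group(events, 2).items()}
    return {
        "ips_fail2ban_would_ban": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
        "sprayed_accounts": {a: n for a, n in per_acct.items() if n >= min_ips},
    }
```

With the defaults (maxretry 5 in 10 minutes) no IP in the sample ever reaches a ban, while the account view flags jdoe@example.com with six sources in the same window.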
                  • scottalanmillerS
                    scottalanmiller @StorageNinja
                    last edited by

                    @storageninja said in Malicious Logins To Zimbra Mail Server:

                    1. ~Geo Blocking~ useless, as bots are all over the place (many in the US)

                    And it isn't accurate. I get detected as the wrong country almost 100% of the time. Something about people on Frontier's FiOS show up as Toronto.

                    1 Reply Last reply Reply Quote 0
                    • anthonyhA
                      anthonyh @scottalanmiller
                      last edited by

                      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                      @coliver said in Malicious Logins To Zimbra Mail Server:

                      Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

                      I agree, we always use that.

                      Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @StorageNinja
                        last edited by

                        @storageninja said in Malicious Logins To Zimbra Mail Server:

                        Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

                        Actually, I find it better than O365. We use it and the more we use it, the more we stop using O365. Faster, easier, more accurate.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @anthonyh
                          last edited by

                          @anthonyh said in Malicious Logins To Zimbra Mail Server:

                          @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                          @coliver said in Malicious Logins To Zimbra Mail Server:

                          Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

                          I agree, we always use that.

                          Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

                          Still, start with it. At least let it do its job in that regard.

                          1 Reply Last reply Reply Quote 1
                          • anthonyhA
                            anthonyh @scottalanmiller
                            last edited by

                            @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                            @anthonyh said in Malicious Logins To Zimbra Mail Server:

                            @coliver said in Malicious Logins To Zimbra Mail Server:

                            Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

                            Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

                            Is this attack over SSH or IMAP or web?

                            Appears to be IMAP (which will be blocked publicly shortly). We do not have SSH open publicly.

                            1 Reply Last reply Reply Quote 1
                            • scottalanmillerS
                              scottalanmiller @StorageNinja
                              last edited by

                              @storageninja said in Malicious Logins To Zimbra Mail Server:

                              1. Disable unneeded and insecure protocols. IMAP and POP3 shouldn't be externally facing it's 2017...

                              Right, should be IMAP/S. But the issue remains.

                              1 Reply Last reply Reply Quote 0
                              • dafyreD
                                dafyre
                                last edited by dafyre

                                I'm going to echo @StorageNinja's comments about POP3 and/or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                Edit: Easy way to test this is to block IMAP & POP at the firewall for a few hours and see who screams, lol.

                                scottalanmillerS 1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @dafyre
                                  last edited by

                                  @dafyre said in Malicious Logins To Zimbra Mail Server:

                                  I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                  Does that solve anything? Same issues.

                                  anthonyhA dafyreD 2 Replies Last reply Reply Quote 1
                                  • anthonyhA
                                    anthonyh @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                    @dafyre said in Malicious Logins To Zimbra Mail Server:

                                    I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                    Does that solve anything? Same issues.

                                    One less attack vector I suppose. They could still hammer the web interface.

                                    scottalanmillerS black3dynamiteB 2 Replies Last reply Reply Quote 1
                                    • dafyreD
                                      dafyre @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                      @dafyre said in Malicious Logins To Zimbra Mail Server:

                                      I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                      Does that solve anything? Same issues.

                                      Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

                                      anthonyhA scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • anthonyhA
                                        anthonyh @dafyre
                                        last edited by

                                        @dafyre said in Malicious Logins To Zimbra Mail Server:

                                        @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                        @dafyre said in Malicious Logins To Zimbra Mail Server:

                                        I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                        Does that solve anything? Same issues.

                                        ...(how long does it take them to switch from IMAP/POP to ActiveSync?).

                                        I will be able to tell you soon. 😄

                                        1 Reply Last reply Reply Quote 2
                                        • scottalanmillerS
                                          scottalanmiller @anthonyh
                                          last edited by

                                          @anthonyh said in Malicious Logins To Zimbra Mail Server:

                                          @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                          @dafyre said in Malicious Logins To Zimbra Mail Server:

                                          I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                          Does that solve anything? Same issues.

                                          One less attack vector I suppose. They could still hammer the web interface.

                                          Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.

                                          dafyreD 1 Reply Last reply Reply Quote 2
                                          • scottalanmillerS
                                            scottalanmiller @dafyre
                                            last edited by

                                            @dafyre said in Malicious Logins To Zimbra Mail Server:

                                            @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                            @dafyre said in Malicious Logins To Zimbra Mail Server:

                                            I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

                                            Does that solve anything? Same issues.

                                            Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

                                            What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.

                                            dafyreD 1 Reply Last reply Reply Quote 2