    Malicious Logins To Zimbra Mail Server

    IT Discussion
anthonyh (last edited by anthonyh)

Hey All,

We have a malicious entity trying to authenticate to our Zimbra server. I do not believe anything is compromised (yet) as all of the accounts they are attempting are either accounts of people who are publicly facing (would be listed on our website and/or regularly interface with people outside our organization) or generic guesses like "support", "webmaster", "admin", etc.

In watching, I'm noticing that the originating IP is always different, and it's not narrowed down to a specific country. A good portion of the IPs originate from China, but there's also a mix of South America, Africa, the Middle East, etc.

The login attempts are also pretty methodical. They try a given account three times in a row with 30 seconds to 1 minute in between attempts, and like I said above each attempt is from a completely different IP. In a 24-hour period the same IP is used three times at the most. They eventually circle through the list of accounts they're attempting and try again later.

My first thought was to block netblocks of the countries that these attempts are coming from, but as I built the list it became like 3 thousand netblocks... I'm not sure how my firewall would handle that.

My second thought was to set up fail2ban on our Zimbra instance. However, given how slow the attempts are and how they do not originate from the same IP very often (if ever), I suspect this will end up hurting our users and do no good at actually blocking the bad guys.

My third thought was to put some sort of captcha in front of the login page. If I set this up, I would exclude our internal network(s) from it of course. This would be annoying for folks when they are logging into email from outside our network, but I think it would be better than fail2ban given the situation.

Any thoughts/ideas?

EDIT: Here is a sample of the login failures from /opt/zimbra/log/audit.log: https://pastebin.com/NDU7UM0R

DustinB3403

2FA is likely the best approach, and the most simple to manage.

Can you get it turned around quick enough to be worthwhile?

coliver

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

anthonyh @DustinB3403

@dustinb3403 Definitely not full 2FA (we're talking ~400 users), but possibly something like a captcha (not foolproof I know).

I just want to implement something to further hinder these folks for now.

anthonyh @coliver

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

anthonyh

I'm working on posting a sample from the audit log so you can see what I'm talking about.

Dashrender

I agree that Fail2Ban isn't a good solution for the reasons mentioned.

So that really means you have no other reasonable option other than trying country blocking as you suggested. Of course that's only so useful, and can come back to bite you since geography-based IP is already breaking (just ask Scott).

All of these other options will just show you a failure in another realm. And if the bad guys really want in, they'll just use those call centers in India/China to answer captchas like they've been doing for a few years already, so that really won't slow them down.

I think scanning logs for failed logins is good; now, scanning logs for successes from outlier IPs might also be good.

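The two detection ideas in this thread (anthonyh's point that a per-IP fail2ban threshold never fires when each IP is used at most three times a day, and Dashrender's suggestion to scan for failures and for successes from outlier IPs) as an added Python example that is not from the thread or from Zimbra. The log lines are constructed, and their layout is an assumption modelled on Zimbra's audit.log "cmd=Auth" records, so the regex may need adjusting for a real install (the thread's pastebin is not used).

```python
import re
from collections import Counter, defaultdict

# Constructed sample approximating Zimbra audit.log "cmd=Auth" lines (layout assumed, not from the pastebin); 10.0.0.25 is a legitimate user retyping a password.
SAMPLE_LOG = """\
2017-06-12 10:00:01,000 INFO  [ImapSSLServer-1] [ip=203.0.113.5;oip=203.0.113.5;] security - cmd=Auth; account=support@example.org; protocol=imap; error=authentication failed for [support], invalid password;
2017-06-12 10:00:41,000 INFO  [ImapSSLServer-2] [ip=198.51.100.7;oip=198.51.100.7;] security - cmd=Auth; account=support@example.org; protocol=imap; error=authentication failed for [support], invalid password;
2017-06-12 10:01:20,000 INFO  [ImapSSLServer-1] [ip=192.0.2.9;oip=192.0.2.9;] security - cmd=Auth; account=support@example.org; protocol=imap; error=authentication failed for [support], invalid password;
2017-06-12 10:05:00,000 INFO  [ImapSSLServer-2] [ip=10.0.0.25;oip=10.0.0.25;] security - cmd=Auth; account=jdoe@example.org; protocol=imap; error=authentication failed for [jdoe], invalid password;
2017-06-12 10:05:09,000 INFO  [ImapSSLServer-2] [ip=10.0.0.25;oip=10.0.0.25;] security - cmd=Auth; account=jdoe@example.org; protocol=imap;
2017-06-12 10:09:30,000 INFO  [ImapSSLServer-1] [ip=192.0.2.9;oip=192.0.2.9;] security - cmd=Auth; account=webmaster@example.org; protocol=imap;
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO\s+\[[^\]]+\] \[ip=[^;]+;oip=(?P<oip>[^;]+);\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+); protocol=(?P<proto>[^;]+);(?: error=(?P<error>.*))?$"
)

def parse(log_text):  # one dict per Auth event, in file order; ok=True when there is no error field
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ok": m.group("error") is None})
    return events

def per_ip_failures(events):
    # What fail2ban keys on: failures per source IP. Spread over many IPs, no IP ever reaches maxretry.
    return Counter(e["oip"] for e in events if not e["ok"])

def spread_accounts(events, min_ips=3):
    # Accounts failed against from >= min_ips distinct addresses: the distributed, low-and-slow signature.
    ips = defaultdict(set)
    for e in events:
        if not e["ok"]:
            ips[e["account"]].add(e["oip"])
    return {acct: sorted(s) for acct, s in ips.items() if len(s) >= min_ips}

def suspicious_successes(events):
    # Successes from an IP that earlier failed against a *different* account; a user retyping their own password is not flagged.
    failed_from = defaultdict(set)  # ip -> accounts it has failed against so far
    hits = []
    for e in events:  # audit.log is chronological, so one pass suffices
        if e["ok"]:
            others = failed_from[e["oip"]] - {e["account"]}
            if others:
                hits.append((e["ts"], e["account"], e["oip"], sorted(others)))
        else:
            failed_from[e["oip"]].add(e["account"])
    return hits
```

On the sample, no IP has more than one failure (so a fail2ban jail stays silent), while `spread_accounts` flags support@ and `suspicious_successes` flags the webmaster@ login from an address that had just been guessing against support@.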
anthonyh

As I'm working through redacting stuff from this log sample, I'm noticing that most of the auths are coming via IMAP. I'm wondering if I can just disable IMAP externally (block the port at my firewall). Anyone who uses mail outside of our network connects via Exchange (we have Zimbra licensing) or the web interface. At least that's how they should be connecting, at any rate. I'll have to talk to my boss. Hmm...

StorageNinja (Vendor) (last edited by StorageNinja)

You have a front-facing service that has a login prompt. Random automated login attempts are just part of life. What can you do?

1. Set up Fail2Ban. (Smart botnets split the load across lots of IPs.)

2. ~Geo Blocking~ useless, as bots are all over the place (many in the US)

3. Double-check your password policy (make sure they can't use easily guessable passwords).

4. If you actually have users with highly valuable data in their email, force MDM agents on their mobile devices if they want to use mobile access; Exchange can be configured to do this. Alternatively, use a whitelist for remote/mobile devices (Exchange 2010 onwards has ActiveSync device quarantine options where devices, even if they can authenticate, don't get email till you approve them).

5. I've seen it done with AirWatch so only Boxer as a mail client will work, as it has a device-specific VPN.

6. Disable unneeded and insecure protocols. IMAP and POP3 shouldn't be externally facing; it's 2017...

Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

anthonyh

If you're curious, here is a sample of the login failures via /opt/zimbra/log/audit.log

https://pastebin.com/NDU7UM0R

I also added this to the original post.

anthonyh @StorageNinja (last edited by anthonyh)

@storageninja said in Malicious Logins To Zimbra Mail Server:

Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

Obviously you have no need to be in this thread, then. I'm looking for suggestions on mitigating my existing services from the current threat. Not, "who uses this crap these days?" 🙂

stacksofplates

As @StorageNinja said, there is really no way to stop this. If they're smart enough to throttle attempts, they're smart enough to set up bots to do this. Blocking IPs won't do anything. 2FA is the best way to handle it. Certs on the devices, OTPs, etc.

scottalanmiller @DustinB3403

@dustinb3403 said in Malicious Logins To Zimbra Mail Server:

2FA is likely the best approach, and the most simple to manage.

No, not having public access at all is the "best" approach from a security standpoint.

scottalanmiller @coliver

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

scottalanmiller @anthonyh

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

Is this attack over SSH or IMAP or web?

scottalanmiller @StorageNinja

@storageninja said in Malicious Logins To Zimbra Mail Server:

1. ~Geo Blocking~ useless, as bots are all over the place (many in the US)

And it isn't accurate. I get detected as the wrong country almost 100% of the time. Something about people on Frontier's FiOS show up as Toronto.

anthonyh @scottalanmiller

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

scottalanmiller @StorageNinja

@storageninja said in Malicious Logins To Zimbra Mail Server:

Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

Actually, I find it better than O365. We use it and the more we use it, the more we stop using O365. Faster, easier, more accurate.

scottalanmiller @anthonyh

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

Still, start with it. At least let it do its job in that regard.

anthonyh @scottalanmiller

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

Is this attack over SSH or IMAP or web?

Appears to be IMAP (which will be blocked publicly shortly). We do not have SSH open publicly.
