Malicious Logins To Zimbra Mail Server

scottalanmiller

@dustinb3403 said in Malicious Logins To Zimbra Mail Server:

2FA is likely the best approach, and the most simple to manage.

No, not having public access at all is the "best" approach from a security standpoint.

scottalanmiller

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

scottalanmiller

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

Is this attack over SSH or IMAP or web?

scottalanmiller

@storageninja said in Malicious Logins To Zimbra Mail Server:

2. ~Geo Blocking~ useless, as bots are all over the place (many in the US)

And it isn't accurate. I get detected as the wrong country almost 100% of the time. Something about people on Frontier's FiOS show up as Toronto.

anthonyh

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

scottalanmiller

@storageninja said in Malicious Logins To Zimbra Mail Server:

Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).

Actually find it better than O365. We use it and the more we use it, the more we stop using O365. Faster, easier, more accurate.

scottalanmiller

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

I agree, we always use that.

Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.

Still, start with it. At least let it do its jobs in that regard.

anthonyh

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@coliver said in Malicious Logins To Zimbra Mail Server:

Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

Is this attack over SSH or IMAP or web?

Appears to be IMAP (which will be blocked publicly shortly). We do not have SSH open publicly.

scottalanmiller

@storageninja said in Malicious Logins To Zimbra Mail Server:

6. Disable unneeded and insecure protocols. IMAP and POP3 shouldn't be externally facing it's 2017...

Right, should be IMAP/S. But the issue remains.

dafyre

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Edit: Easy way to test this is to block IMAP & POP at the firewall for a few hours and see who screams, lol.

scottalanmiller

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

anthonyh

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

One less attack vector I suppose. They could still hammer the web interface.

dafyre

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

anthonyh

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

...(how long does it take them to switch from IMAP/POP to ActiveSync?).

I will be able to tell you soon.

scottalanmiller

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

One less attack vector I suppose. They could still hammer the web interface.

Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.

scottalanmiller

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.

dafyre

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.

Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.

scottalanmiller

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.

Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.

Yes, but the assumption is that it is always over SSL. Web Interface is all that was mentioned, do we not assume HTTPS? If so, why in one case and not the other? And the broadcasting of creds isn't a factor here.

dafyre

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).

What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.

Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.

Yes, but the assumption is that it is always over SSL. Web Interface is all that was mentioned, do we not assume HTTPS? If so, why in one case and not the other? And the broadcasting of creds isn't a factor here.

If it's not specifically stated, I try to assume nothing. Admittedly, I did assume HTTPS for the web site. If I see POP / IMAP, I immediately think clear text on port 110 or 143.

dafyre

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@anthonyh said in Malicious Logins To Zimbra Mail Server:

@scottalanmiller said in Malicious Logins To Zimbra Mail Server:

@dafyre said in Malicious Logins To Zimbra Mail Server:

I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

Does that solve anything? Same issues.

One less attack vector I suppose. They could still hammer the web interface.

Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.

I fully agree with this. Shut down and blocked at the site's Firewall.