Hey All,

We have a malicious entity trying to authenticate to our Zimbra server. I do not believe anything is compromised (yet) as all of the accounts they are attempting are either accounts of people who are publicly facing (would be listed on our website and/or regularly interface with people outside our organization) or generic guesses like "support", "webmaster", "admin", etc.

In watching, I'm noticing that the originating IP is always different, and it's not narrowed down to a specific country. A good portion of the IPs originate from China, but there's also a mix of South America, Africa, the Middle East, etc.

The login attempts are also pretty methodical. They try a given account three times in a row with 30 seconds to 1 minute in-between attempts, and like I said above each attempt is from a completely different IP. In a 24 hour period the same IP is used three times at the most. They eventually circle through the list of accounts they're attempting and try again later.

My first thought was to block netblocks of the countries that these attempts are coming from, but as I built the list it became like 3 thousand netblocks...I'm not sure how my firewall would handle that.

My second thought was to set up fail2ban on our Zimbra instance. However, given how slow the attempts are and how they do not originate from the same IP very often (if ever), I suspect this will end up hurting our users and do no good at actually blocking the bad guys.

My third thought was to put some sort of captcha in front of the login page. If I set this up, I would exclude our internal network(s) from it of course. This would be annoying for folks when they are logging into email from outside our network, but I think would be better than fail2ban given the situation.

Any thoughts/ideas?

EDIT: Here is a sample of the login failures from /opt/zimbra/log/audit.log: https://pastebin.com/NDU7UM0R

@aaronstuder said in Switch Recommendation:

@anthonyh said in Switch Recommendation:

@dashrender said in Switch Recommendation:

I'm also curious, why not a Unifi AP?

Two reasons.

1. I didn't want to have to keep track of an instance of the Unifi management software for one (maybe two in the future) APs or be dependent on any sort of cloud management.

2. I wanted an outdoor rated AP as my thinking is it might possibly last a little longer being subject to Central California summers up in my attic.

So your not going to use UNMS?

Hadn't even heard of it until this post. How does it work?

@dashrender said in Switch Recommendation:

@anthonyh said in Switch Recommendation:

@dashrender said in Switch Recommendation:

@anthonyh said in Switch Recommendation:

e nice to have a managed L2 switch so I can trunk it with the ERPoE-5 and go to VLAN town.

VLAN at home? For a guest network?

Possibly, but at the moment I'm thinking of something like the following:

VLAN A - Trusted LAN
VLAN B - Trusted WLAN
VLAN C - Untrusted WLAN (for IoT devices like my Samsung refrigerator and/or my Honeywell HVAC thermostat)

why split A and B?

No particular reason. Mostly because I'm a network nerd/geek (whichever is the better of the two) and just like to mess with stuff.

And in the future if I dive down the road of IP based security stuff..

VLAN D - Security LAN/WLAN

I could do the WLAN VLANs without replacing the switch. I'd just connect the WAP directly to the ERPoE-5 and trunk 'em.

I was just thinking if I can find a switch that's within my budget that, eh, why not?

A few small switches each into their own port on the 5 port router might be cheaper than a single large one, but won't fit your rack mount requirement...

Well, I could always buy a shelf if the cost savings is significant. So this is a possibility.

@dashrender said in Switch Recommendation:

I'm also curious, why not a Unifi AP?

Two reasons.

1. I didn't want to have to keep track of an instance of the Unifi management software for one (maybe two in the future) APs or be dependent on any sort of cloud management.

2. I wanted an outdoor rated AP as my thinking is it might possibly last a little longer being subject to Central California summers up in my attic.

@dashrender said in Switch Recommendation:

@anthonyh said in Switch Recommendation:

e nice to have a managed L2 switch so I can trunk it with the ERPoE-5 and go to VLAN town.

VLAN at home? For a guest network?

Possibly, but at the moment I'm thinking of something like the following:

VLAN A - Trusted LAN
VLAN B - Trusted WLAN
VLAN C - Untrusted WLAN (for IoT devices like my Samsung refrigerator and/or my Honeywell HVAC thermostat)

And in the future if I dive down the road of IP based security stuff..

VLAN D - Security LAN/WLAN

I could do the WLAN VLANs without replacing the switch. I'd just connect the WAP directly to the ERPoE-5 and trunk 'em.

I was just thinking if I can find a switch that's within my budget that, eh, why not?

I'm in the process of re-vamping my home network.

I'm currently awaiting arrival of a Ubiquiti EdgeRouter PoE and an EnGenius ENS620EXT WAP (will mount it in my attic) and am pretty excited.

I was planning on re-using the existing Linksys SR2924C unmanaged gigabit switch I have, but I'm realizing that it would be nice to have a managed L2 switch so I can trunk it with the ERPoE-5 and go to VLAN town.

Any recommendations on a cheap managed L2 gigabit switch? My only requirements are that 1) it be rack mountable and 2) fan-less (or at least near silent operation) as my "network closet" is an AV cabinet in the living room (think built-in cabinet that used to hide a CRT television).

The existing switch is a 24-porter, but I could easily get away with fewer ports.

I saw the EdgeRouter PoE mentioned here and just thought I'd chime in with nothing useful...

I just ordered one of these for my house. Found one pre-owned on eBay for $95. The seller appeared reputable and the sale included a 30 day return policy. To be safe though, I am planning on re-flashing the firmware so there is less chance of any funny business going on. Figured it was worth the gamble at any rate.

The only thing that turns me off regarding the Unifi Security Gateway is the way you have to manage it. Correct me if I'm wrong, but I believe you either have to run the Unifi management console somewhere or use their cloud management platform. Neither of those options are appealing to me which is why I opted for the ERPoE-5.

@tim_g In all honesty I just need to track where I've left off. Sometimes I honestly can't remember and I'll get on a machine and feel like I've put on too much weight. I don't know if I am truly over weight from my last visit, or if I'm being lazy.

If I know where I left off, I'll know that I'm at minimum not regressing...if that makes sense. So all I really need I guess is something to track the exercise, weight (or whatever important metric the exercise entails), and date. Perhaps a Google Sheet is all I really need...but not sure how easy manipulating that on my phone would be.

@danp Hm. I didn't even think to check out MyFitnessPal. I'll see if it does what I'm looking for.

Anyone have a recommendation on an app to track your circuits? The gym I go to provides these cards where you detail your circuit (various activities you perform, how much weight (if applicable), how many reps, date of visit, etc.). I'm looking for an app that'll do this so I don't have to cart around a sheet of paper and a writing utensil when working through my circuit(s).

This isn't the exact worksheet, but similar to what my gym provides:

@penguinwrangler There is no set amount per say (I know there is some reasonable cap of some sort but I'm not privy to that info...I just ask and my boss usually approves). However, if the conference registration is cheap (sub $500) and/or free chances of approval are good.

@brianlittlejohn said in Spiceworld Trip Cancelled Due to CA Legislation - Alternate Conference Suggestions?:

Southern California Linux Expo...

http://www.socallinuxexpo.org/scale/16x/cfp

Don't know if it is any good... but maybe worth looking into.

Oooo this looks interesting. We are a very Linux (CentOS as much as possible) heavy shop.

@penguinwrangler Well it has to be pertinent to my job...and I do work in IT...sooo I'm going to say yes?

@scottalanmiller Aw bummer. Will it be back in a non-banned state in the future?

@dustinb3403 Even if that was a legit tech conference, the folks who hold the purse strings are very fearful of audits and given the name the request would be automatically denied. lol

So, I work for a government agency in California. Legislation was passed where the state will not reimburse underlying agencies for travel expenses to states that have law(s) on the book that "have the effect of voiding or repealing existing state or local protections against discrimination..."

The state has labeled Texas as one of these, so I am not allowed to travel there unless I fund it myself.

So, my planned (and booked) Spiceworld trip is being cancelled as I type. Not sure how much money we'll be able to recover, but it is what it is.

My boss told me to find another conference to attend before the end of the fiscal year (so July 1 2018), so I'm coming to you guys for suggestions.

Any conferences you'd recommend considering that are not in Alabama, Kansas, Kentucky, Mississippi, North Carolina, South Dakota, Tennessee, or Texas?

@eddiejennings Got it. Makes perfect sense. I will go back to lurking status for now.

@jaredbusch Hmm. If that's the case, what's the issue here? lol

@momurda Huh.

lvextend -l +100%FREE -r /dev/mapper/centos-root

Seems to have done it.

I swear I ran the command multiple times. I suspect I was missing the "+" on "+100%FREE". I wonder what the difference is?

@momurda

lsblk output:

fdisk -l output:

vgdisplay output: