Hey All,
We have a malicious entity trying to authenticate to our Zimbra server. I do not believe anything is compromised (yet) as all of the accounts they are attempting are either accounts of people who are publicly facing (would be listed on our website and/or regularly interface with people outside our organization) or generic guesses like "support", "webmaster", "admin", etc.
In watching, I'm noticing that the originating IP is always different, and it's not narrowed down to a specific country. A good portion of the IPs originate from China, but there's also a mix of South America, Africa, the Middle East, etc.
The login attempts are also pretty methodical. They try a given account three times in a row with 30 seconds to 1 minute in between attempts, and, like I said above, each attempt is from a completely different IP. In a 24-hour period the same IP is used three times at the most. They eventually circle through the list of accounts they're attempting and try again later.
My first thought was to block netblocks of the countries that these attempts are coming from, but as I built the list it became like 3,000 netblocks... I'm not sure how my firewall would handle that.
My second thought was to set up fail2ban on our Zimbra instance. However, given how slow the attempts are and how they do not originate from the same IP very often (if ever), I suspect this will end up hurting our users and do no good at actually blocking the bad guys.
My third thought was to put some sort of captcha in front of the login page. If I set this up, I would exclude our internal network(s) from it, of course. This would be annoying for folks when they are logging into email from outside our network, but I think it would be better than fail2ban given the situation.
Any thoughts/ideas?
EDIT: Here is a sample of the login failures from /opt/zimbra/log/audit.log: https://pastebin.com/NDU7UM0R
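The pattern described in the post (three failures per account, each from a different source IP, spaced about a minute apart) is exactly what a per-IP tool like fail2ban cannot see, because no single address ever crosses a threshold. The added example below is not part of the original post or of Zimbra; it keys the same failed-login events by target account instead of by source address and flags accounts that collect several failures from several distinct IPs inside a time window. The log lines are constructed for this example, and their layout (timestamp, a `[name=...;oip=...;]` context block, then `cmd=Auth; account=...; error=authentication failed ...`) is an assumption about what Zimbra's `/opt/zimbra/log/audit.log` failures look like; the regex may need adjusting against the real file.

```python
"""Per-account detector for slow, distributed password guessing against Zimbra.

fail2ban keys on source IP, so an attacker who rotates IPs on every attempt
never trips it. This script keys on the *target account* instead and reports
accounts that collected several failures from several distinct source IPs
inside a time window. Example code, not Zimbra's own tooling.

SAMPLE_LOG is constructed for this example; its layout is assumed to resemble
Zimbra's /opt/zimbra/log/audit.log entries for failed authentication.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three different IPs hit "support" about a minute apart,
# one real user mistypes their password twice from one IP, then logs in.
SAMPLE_LOG = """\
2019-03-13 10:43:26,148 WARN  [qtp1] [name=support@example.org;oip=203.0.113.10;ua=zclient;] security - cmd=Auth; account=support@example.org; protocol=soap; error=authentication failed for [support@example.org], invalid password;
2019-03-13 10:44:01,990 WARN  [qtp1] [name=support@example.org;oip=198.51.100.7;ua=zclient;] security - cmd=Auth; account=support@example.org; protocol=soap; error=authentication failed for [support@example.org], invalid password;
2019-03-13 10:44:40,233 WARN  [qtp2] [name=support@example.org;oip=192.0.2.55;ua=zclient;] security - cmd=Auth; account=support@example.org; protocol=soap; error=authentication failed for [support@example.org], invalid password;
2019-03-13 10:50:12,001 WARN  [qtp2] [name=alice@example.org;oip=10.0.0.8;ua=zclient;] security - cmd=Auth; account=alice@example.org; protocol=soap; error=authentication failed for [alice@example.org], invalid password;
2019-03-13 10:50:30,410 WARN  [qtp2] [name=alice@example.org;oip=10.0.0.8;ua=zclient;] security - cmd=Auth; account=alice@example.org; protocol=soap; error=authentication failed for [alice@example.org], invalid password;
2019-03-13 10:51:02,777 INFO  [qtp3] [name=alice@example.org;oip=10.0.0.8;ua=zclient;] security - cmd=Auth; account=alice@example.org; protocol=soap;
"""

# Assumed field layout; only lines carrying "error=authentication failed" match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"oip=(?P<ip>[0-9a-fA-F.:]+);.*?"
    r"cmd=Auth; account=(?P<acct>[^;]+);.*?error=authentication failed"
)


def parse_failure(line):
    """Return (timestamp, account, source_ip) for a failed-auth line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("acct").lower(), m.group("ip")


def targeted_accounts(log_text, min_failures=3, min_ips=2, window=timedelta(hours=24)):
    """Accounts with >= min_failures failures from >= min_ips distinct IPs inside `window`.

    Returns {account: (failure_count, distinct_ip_count)}. A sliding window over
    each account's sorted failures is used so a short burst inside a long log
    still triggers; requiring several distinct IPs separates a distributed
    guessing campaign from one user who simply forgot their password.
    """
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            ts, acct, ip = parsed
            by_account[acct].append((ts, ip))

    hits = {}
    for acct, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [(t, ip) for t, ip in events[i:] if t - start <= window]
            ips = {ip for _, ip in in_window}
            if len(in_window) >= min_failures and len(ips) >= min_ips:
                hits[acct] = (len(in_window), len(ips))
                break
    return hits


def per_ip_counts(log_text):
    """What a per-IP tool such as fail2ban sees: failures keyed by source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            counts[parsed[2]] += 1
    return dict(counts)


if __name__ == "__main__":
    # The attacker's three IPs each show a single failure (nothing to ban),
    # while the per-account view flags "support" immediately.
    print("per-IP view:     ", per_ip_counts(SAMPLE_LOG))
    print("per-account view:", targeted_accounts(SAMPLE_LOG))
```

Run against the real audit.log (after checking the regex against a few genuine lines) and feed the flagged accounts into whatever response fits: forcing a password reset or MFA check for those accounts, or raising a per-account lockout or captcha rather than a per-IP ban, which is where fail2ban falls short for this traffic.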