Configure zmauditswatch to get authentication failure notifications
This wiki article is valid for ZCS 8.7.x, 8.8.x, and 9.0 versions with RHEL/CentOS 7/8 and Ubuntu 16/18.
Overview
Starting with ZCS 8.7.x, the zmauditswatch tool shipped with the product is broken.
This article shows how to patch and configure zmauditswatch so that it detects brute-force attacks against any hosted account, using the authentication failure entries in the audit log.
Localconfig Keys Description
These are the authentication failure checks controlled by the following localconfig keys.
zimbra_swatch_notice_user: The email address that is warned when the conditions below are triggered.
zimbra_swatch_ipacct_threshold: IP/Account hash check which warns on 10 auth failures from an IP/Account combination within a 60 second window.
zimbra_swatch_acct_threshold: Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack-based attack on a single account.
zimbra_swatch_ip_threshold: IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single-host attack across multiple accounts.
zimbra_swatch_total_threshold: Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value for this is estimated at 1% of the active accounts on the mailbox server.
zimbra_swatch_threshold_seconds: Length in seconds of the window used by the checks above (60 by default).
Default Values
These are the default values shipped within the script "/opt/zimbra/bin/zmauditswatchctl".
zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
zimbra_swatch_threshold_seconds=60
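To make the four checks concrete, here is an added Python example (not the page's auditswatch script) that applies the same IP/account, account, IP and total sliding-window thresholds to a few constructed audit-log lines. The line layout it parses is an approximation of Zimbra's audit.log auth-failure entries, and the threshold values are deliberately small test values, not the defaults above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirror the page's localconfig keys; these small values are constructed for the demo.
THRESHOLDS = {"ipacct": 3, "acct": 4, "ip": 5, "total": 6}
WINDOW_SECONDS = 60

# Approximate shape of a Zimbra audit.log auth-failure line (an assumption, not the exact format).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d).*oip=(?P<ip>[\d.]+);"
                     r".*account=(?P<acct>[^;]+);.*authentication failed")

def scan(lines, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Apply the four sliding-window checks; return (check, key, count, timestamp) per first breach."""
    recent = defaultdict(deque)   # (check, key) -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                 # successful logins and unrelated lines are ignored
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, acct = m["ip"], m["acct"]
        for check, key in (("ipacct", f"{ip}/{acct}"), ("acct", acct), ("ip", ip), ("total", "*")):
            q = recent[(check, key)]
            q.append(ts)
            while (ts - q[0]).total_seconds() >= window:   # expire events older than the window
                q.popleft()
            if len(q) >= thresholds[check] and (check, key) not in alerted:
                alerted.add((check, key))
                alerts.append((check, key, len(q), m["ts"]))
    return alerts

def audit_line(ts, ip, acct):
    """Build one constructed auth-failure line in the approximate audit.log shape above."""
    return (f"{ts},000 WARN  [qtp-1] [oip={ip};] security - cmd=Auth; account={acct}; "
            f"protocol=soap; error=authentication failed for [{acct}], invalid password;")

# Constructed sample: a stale failure, a single-host burst on alice, a second host on alice, then the same host moving on.
SAMPLE_LOG = [audit_line(f"2020-12-13 17:{t}", ip, a) for t, ip, a in [
    ("52:00", "203.0.113.5", "dave@example.com"),    # older than 60 s: must not count
    ("54:01", "203.0.113.5", "alice@example.com"),
    ("54:02", "203.0.113.5", "alice@example.com"),
    ("54:03", "203.0.113.5", "alice@example.com"),   # ipacct breached here
    ("54:04", "198.51.100.7", "alice@example.com"),  # acct breached (distributed attack on alice)
    ("54:05", "203.0.113.5", "bob@example.com"),
    ("54:06", "203.0.113.5", "carol@example.com"),   # ip and total breached
]]
SAMPLE_LOG.insert(2, "2020-12-13 17:54:01,500 INFO [qtp-1] [oip=203.0.113.5;] security - "
                     "cmd=Auth; account=alice@example.com; protocol=soap;")   # success: ignored
```

Running `scan(SAMPLE_LOG)` yields one alert per check in the order ipacct, acct, ip, total, which is the sequence an operator would expect as an attack widens from one host/account pair to many accounts.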
Configuration
1) Download and extract the zmauditswatch.patch.tar.gz file under the "/tmp/" directory, then copy the extracted files to the required paths.
[Run as 'root']
wget https://wiki.zimbra.com/images/9/9a/Zmauditswatch.patch.tar.gz -O /tmp/zmauditswatch.patch.tar.gz
tar xvf /tmp/zmauditswatch.patch.tar.gz -C /tmp/
cd /tmp/zmauditswatch.patch/
cp zmauditswatch.service /etc/systemd/system/zmauditswatch.service
cp auditswatch /opt/zimbra/libexec/auditswatch
chown root:root /etc/systemd/system/zmauditswatch.service /opt/zimbra/libexec/auditswatch
chmod 644 /etc/systemd/system/zmauditswatch.service
chmod 755 /opt/zimbra/libexec/auditswatch
2) Set the email address that will receive the notifications.
su - zimbra
zmlocalconfig -e zimbra_swatch_notice_user="email@domain.com"
3) Configure the threshold values. You can adjust these values according to your requirements.
su - zimbra
zmlocalconfig -e zimbra_swatch_ipacct_threshold=5
zmlocalconfig -e zimbra_swatch_acct_threshold=5
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
4) Initially the following files are not present; create them as empty files with the "touch" command.
su - zimbra
touch /opt/zimbra/conf/auditswatchrc
touch /opt/zimbra/log/zmauditswatch.out
5) Test the zmauditswatch service and configure it to start at boot time.
[Run as 'root']
systemctl enable zmauditswatch
systemctl start zmauditswatch
systemctl status zmauditswatch
systemctl restart zmauditswatch
systemctl status zmauditswatch
6) Checking the service status shows output similar to the following.
[root@centos8 ~]# systemctl status zmauditswatch
● zmauditswatch.service - Zimbra Collaboration Suite Zmauditswatch
   Loaded: loaded (/etc/systemd/system/zmauditswatch.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-12-13 17:54:10 EST; 3s ago
  Process: 123018 ExecStop=/opt/zimbra/bin/zmauditswatchctl stop (code=exited, status=0/SUCCESS)
  Process: 123075 ExecStart=/opt/zimbra/bin/zmauditswatchctl start (code=exited, status=0/SUCCESS)
 Main PID: 123247 (auditswatch)
    Tasks: 2 (limit: 49500)
   Memory: 29.2M
   CGroup: /system.slice/zmauditswatch.service
           ├─123247 /usr/bin/perl /opt/zimbra/libexec/auditswatch --config-file=/opt/zimbra/conf/auditswatchrc --use-cpan-file-tail --script-dir=/opt/zimbra/data/tmp --tail-file /opt/zimbra/log/aud>
           └─123263 /usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.123247

Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: zmauditswatch.service: Succeeded.
Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: Stopped Zimbra Collaboration Suite Zmauditswatch.
Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: Starting Zimbra Collaboration Suite Zmauditswatch...
Dec 13 17:54:10 centos8.zimbrasupportlab.com systemd[1]: Started Zimbra Collaboration Suite Zmauditswatch.
Submitted by: Heera Singh Koranga