Configure zmauditswatch to get authentication failure notifications

Revision as of 23:44, 13 December 2020 by Heera Singh Koranga (talk | contribs)



KB 24186 | Last updated on 2020-12-13





This wiki article is valid for ZCS 8.7.x, 8.8.x, and 9.0 versions with RHEL/CentOS 7/8 and Ubuntu 16/18.


Overview

Starting with ZCS 8.7.x, the zmauditswatch tool shipped broken.
This article configures zmauditswatch to detect brute-force attacks against any hosted account by watching the authentication failure entries in the audit log.


Localconfig Keys Description

The following localconfig keys control the authentication failure checks.

zimbra_swatch_notice_user: The email address to notify when one of the checks below fires.
zimbra_swatch_ipacct_threshold: IP/Account check, which warns on 10 auth failures from one IP/Account combination within a 60-second window.
zimbra_swatch_acct_threshold: Account check, which warns on 15 auth failures against one account from any IP within a 60-second window. It attempts to detect a distributed hijack attack on a single account.
zimbra_swatch_ip_threshold: IP check, which warns on 20 auth failures from one IP against any account within a 60-second window. It attempts to detect a single host attacking multiple accounts.
zimbra_swatch_total_threshold: Total auth failure check, which warns on 1000 auth failures from any IP against any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.

Default Values

These are the default values shipped in the script "/opt/zimbra/bin/zmauditswatchctl".

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
zimbra_swatch_threshold_seconds=60 
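To make the four checks concrete, here is an added example (not the auditswatch script or any Zimbra code) that applies the threshold logic described above to a handful of constructed failure lines. It assumes the values this article sets in step 3 (5, 5, 20, 60 and a 3600-second window) and a simplified "<epoch> FAIL ip=<ip> account=<acct>" line format, not the real audit.log layout, with lines arriving in timestamp order.

```python
import re
from collections import defaultdict, deque

# Threshold and window values from step 3 of the article (localconfig keys).
THRESHOLDS = {"ipacct": 5, "acct": 5, "ip": 20, "total": 60}
WINDOW_SECONDS = 3600

# Constructed, simplified failure lines ("<epoch> FAIL ip=<ip> account=<acct>");
# NOT the real audit.log format, just enough to drive the counters.
SAMPLE_LOG = """\
1000 FAIL ip=10.0.0.5 account=alice@example.com
1010 FAIL ip=10.0.0.5 account=alice@example.com
1020 FAIL ip=10.0.0.5 account=alice@example.com
1030 FAIL ip=10.0.0.5 account=alice@example.com
1040 FAIL ip=10.0.0.5 account=alice@example.com
1050 FAIL ip=10.0.0.6 account=bob@example.com
1060 FAIL ip=10.0.0.7 account=bob@example.com
1070 FAIL ip=10.0.0.8 account=bob@example.com
1080 FAIL ip=10.0.0.9 account=bob@example.com
1090 FAIL ip=10.0.0.10 account=bob@example.com
4650 FAIL ip=10.0.0.5 account=alice@example.com
"""
LINE_RE = re.compile(r"^(\d+) FAIL ip=(\S+) account=(\S+)$")

class FailureWatcher:
    """One sliding-window counter per check the article describes."""
    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds, self.window = thresholds, window
        self.events = defaultdict(deque)  # key -> timestamps inside the window
    def _bump(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return len(q)
    def feed(self, line):
        """Return the checks whose threshold this line just reached (fires once)."""
        m = LINE_RE.match(line.strip())
        if not m:
            return []
        ts, ip, acct = int(m.group(1)), m.group(2), m.group(3)
        counts = {"ipacct": self._bump(("ipacct", ip, acct), ts),
                  "acct": self._bump(("acct", acct), ts),
                  "ip": self._bump(("ip", ip), ts),
                  "total": self._bump(("total",), ts)}
        return [k for k, n in counts.items() if n == self.thresholds[k]]

def run(log=SAMPLE_LOG):
    # Returns [(check, epoch), ...] for every threshold crossing in the log.
    watcher, alerts = FailureWatcher(), []
    for line in log.splitlines():
        alerts += [(check, line.split()[0]) for check in watcher.feed(line)]
    return alerts
```

The five alice failures from one IP trip both the IP/Account and the account check at once, the five bob failures spread over five IPs trip only the account check, and the final alice line lands outside the 3600-second window, so the old failures are evicted and nothing fires.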

Configuration

1) Download and extract the zmauditswatch.patch.tar.gz file under the /tmp/ directory, then copy the extracted files to the required paths.

[Run as 'root'] 
wget https://wiki.zimbra.com/images/9/9a/Zmauditswatch.patch.tar.gz -O /tmp/zmauditswatch.patch.tar.gz
tar xvf /tmp/zmauditswatch.patch.tar.gz -C /tmp/
cd /tmp/zmauditswatch.patch/ 
cp zmauditswatch.service /etc/systemd/system/zmauditswatch.service 
cp auditswatch /opt/zimbra/libexec/auditswatch
chown root:root /etc/systemd/system/zmauditswatch.service /opt/zimbra/libexec/auditswatch 
chmod 644 /etc/systemd/system/zmauditswatch.service  
chmod 755 /opt/zimbra/libexec/auditswatch


2) Set the email address that receives the notifications.

su - zimbra 
zmlocalconfig -e zimbra_swatch_notice_user="email@domain.com"


3) Configure the threshold values. Adjust these values to your requirements.

su - zimbra 
zmlocalconfig -e zimbra_swatch_ipacct_threshold=5
zmlocalconfig -e zimbra_swatch_acct_threshold=5 
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600


4) The following files do not exist initially; create them as empty files with the "touch" command.

su - zimbra 
touch /opt/zimbra/conf/auditswatchrc 
touch /opt/zimbra/log/zmauditswatch.out 


5) Enable the zmauditswatch service to start at boot time, then start it and verify that it runs.

[Run as 'root'] 
systemctl enable zmauditswatch
systemctl start zmauditswatch
systemctl status zmauditswatch 
systemctl restart zmauditswatch
systemctl status zmauditswatch  


6) Checking the service status shows output similar to the following.

[root@centos8 ~]# systemctl status zmauditswatch
 zmauditswatch.service - Zimbra Collaboration Suite Zmauditswatch
   Loaded: loaded (/etc/systemd/system/zmauditswatch.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-12-13 17:54:10 EST; 3s ago
  Process: 123018 ExecStop=/opt/zimbra/bin/zmauditswatchctl stop (code=exited, status=0/SUCCESS)
  Process: 123075 ExecStart=/opt/zimbra/bin/zmauditswatchctl start (code=exited, status=0/SUCCESS)
 Main PID: 123247 (auditswatch)
    Tasks: 2 (limit: 49500)
   Memory: 29.2M
   CGroup: /system.slice/zmauditswatch.service
           ├─123247 /usr/bin/perl /opt/zimbra/libexec/auditswatch --config-file=/opt/zimbra/conf/auditswatchrc --use-cpan-file-tail --script-dir=/opt/zimbra/data/tmp --tail-file /opt/zimbra/log/aud>
           └─123263 /usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.123247

Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: zmauditswatch.service: Succeeded.
Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: Stopped Zimbra Collaboration Suite Zmauditswatch.
Dec 13 17:54:09 centos8.zimbrasupportlab.com systemd[1]: Starting Zimbra Collaboration Suite Zmauditswatch...
Dec 13 17:54:10 centos8.zimbrasupportlab.com systemd[1]: Started Zimbra Collaboration Suite Zmauditswatch.


Submitted by: Heera Singh Koranga
Verified Against: ZCS 8.7, 8.8, 9.0
Date Created: 2020-12-13
Article ID: https://wiki.zimbra.com/index.php?title=Configure_zmauditswatch_to_get_authentication_failure_notifications
Date Modified: 2020-12-13
