Difference between revisions of "Zmauditswatch"

Revision as of 23:13, 1 October 2014

Admin Article

This article applies to the following ZCS versions: ZCS 8.5 and ZCS 8.0.


Zmauditswatch

Description

Zmauditswatch notifies a specific e-mail address of a potential brute force attack if certain conditions are met. This service gives us a notification of brute force attacks, helping to protect our Zimbra Collaboration infrastructure.

Script Options Explanation

The script ships with 4 authentication failure checks, plus the address that receives the notifications.

  • (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combo within a 60 second window.
  • (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single host based attack across multiple accounts.
  • (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value for this is roughly estimated at 1% of the active accounts on the mailbox server.
  • (zimbra_swatch_notice_user) - The email address that we want to be warned when the conditions above are met.
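To make the four windowed checks concrete, here is an added example in Python that is not the zmauditswatch script's own code. It keeps one 60-second sliding window per IP/account pair, per account, per IP and for the global total, and emits a line in the style of the zmauditswatch.out messages shown later on this page when a window reaches its threshold. The event tuple shape (epoch seconds, IP, account), the sample events and the decision to clear a window after it fires are assumptions of this example, not documented behaviour of the real script.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
# Default thresholds listed on the page for auditswatchrc.in
DEFAULT_THRESHOLDS = {"ipacct": 10, "acct": 10, "ip": 20, "total": 100}


class FailureWatcher:
    """Sliding-window counters for the four checks.

    Each check keys its own window: IP+account, account, IP, and a
    global total. When a window reaches its threshold an alert string
    is produced and that window is cleared so it can fire again after
    another burst (assumption: the real reset behaviour is not on the page).
    """

    def __init__(self, thresholds=None, window=WINDOW_SECONDS):
        self.thresholds = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self.window = window
        self.windows = defaultdict(deque)  # key -> timestamps of recent failures

    def _record(self, key, ts):
        q = self.windows[key]
        q.append(ts)
        # drop failures that fell out of the window relative to this event
        while q and ts - q[0] > self.window:
            q.popleft()
        return q

    def observe(self, ts, ip, acct):
        """Feed one failed login; return the alerts it triggers (possibly none)."""
        checks = (
            ("ipacct", (ip, acct), f"IP:Acct failure threshold exceeded: {ip} {acct}"),
            ("acct", (acct,), f"Account failure threshold exceeded: {ip} {acct}"),
            ("ip", (ip,), f"IP failure threshold exceeded: {ip} exceeded threshold on failure for {acct}"),
            ("total", (), f"Total failure threshold exceeded: {ip} {acct}"),
        )
        alerts = []
        for name, key, message in checks:
            q = self._record((name,) + key, ts)
            if len(q) >= self.thresholds[name]:
                alerts.append(message)
                q.clear()
        return alerts


def detect(events, thresholds=None):
    """Run (epoch_seconds, ip, account) failures in order; return [(ts, alert)]."""
    watcher = FailureWatcher(thresholds)
    out = []
    for ts, ip, acct in events:
        for alert in watcher.observe(ts, ip, acct):
            out.append((ts, alert))
    return out


# Constructed sample (not real audit.log data): one host tries two
# accounts, ten failures each, one failure per second.
SAMPLE_EVENTS = (
    [(t, "192.0.2.10", "alice@example.com") for t in range(0, 10)]
    + [(t, "192.0.2.10", "bob@example.com") for t in range(10, 20)]
)


if __name__ == "__main__":
    for ts, alert in detect(SAMPLE_EVENTS):
        print(f"t={ts:>3}s  {alert}")
```

With the default thresholds the sample fires the IP/account and account checks for each account at its tenth failure, and the IP check once the same host reaches twenty failures in total; the global total (100) is never reached. Raising zimbra_swatch_ip_threshold above twenty would silence the IP alert for this sample, which is the kind of tuning the Configuration section below is about.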

Default values

The default values of zmauditswatch are as follows; they are hard-coded inside the file auditswatchrc.in :

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100

Configuration

zmauditswatch should be run by the user "zimbra". Before using zmauditswatch we need to configure it.

These are the parameters used to configure zmauditswatch:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_notice_user email@domain.com

You can change any of these numbers to suit your environment; see the Script Options Explanation section above for what each parameter controls.


Activate

zmauditswatch is very easy to activate once everything is configured; we just need to start the script:

zmauditswatchctl start

To stop it:

zmauditswatchctl stop

To show its status:

zmauditswatchctl status

Activate it in Boot Sequence

By default zmauditswatch does not load at start-up. If we want zmauditswatch to stay active across a reboot of the machine, we need to download the file Media:Zmauditswatch.tar, copy it into our init.d directory, and add it to the boot sequence:

For RHEL/CentOS 5/6 or SLES 11:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable

Examples

Web Client

We will test against our Zimbra lab with one username and a bad password, 10 times: (screenshot: Zmauditswatch-001.png)

The result is that the user cannot log in anymore for 15 minutes: (screenshot: Zmauditswatch-006.png)

zmauditswatch will send a notification to the email address that we defined before: (screenshot: Zmauditswatch-002.png)

If we open the mail, we get more information: (screenshot: Zmauditswatch-003.png)

SMTP

Sometimes we don't have a complete report of SMTP authentication failures, and we can be vulnerable to a brute force or dictionary attack. With zmauditswatch enabled, we will be able to receive an email notification if there is an attack over SMTP.

zmauditswatch will send a notification to the email address that we defined before: (screenshot: Zmauditswatch-004.png)

If we open the mail, we get more information: (screenshot: Zmauditswatch-005.png)

Log File

We can check the log at /opt/zimbra/log/zmauditswatch.out:

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com
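The lines in zmauditswatch.out are what an operator will end up grepping or forwarding to a SIEM, so here is an added example in Python (not part of the zmauditswatch script) that parses them into structured records and summarises which checks fired per source IP. It handles the three message shapes shown in the tail output above, including the differently worded IP check line, and skips the startup banner. The sample log text and the 192.0.2.10 address are constructed; the record layout and the summarize() helper are this example's own design.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown in the page's tail output
# (the address is a documentation IP, not a real source).
SAMPLE_LOG = """\
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: 192.0.2.10 admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: 192.0.2.10 admin@labzimbra.zimbra.com
Account failure threshold exceeded: 192.0.2.10 admin@labzimbra.zimbra.com
IP failure threshold exceeded: 192.0.2.10 exceeded threshold on failure for admin@labzimbra.zimbra.com
"""

# "IP:Acct" must be tried before "IP" so the alternation does not stop early;
# the optional group absorbs the extra wording of the IP check line.
LINE_RE = re.compile(
    r"^(?P<check>IP:Acct|Account|IP) failure threshold exceeded: "
    r"(?P<ip>\S+) (?:exceeded threshold on failure for )?(?P<acct>\S+)$"
)


def parse_lines(text):
    """Return one dict per threshold line; banner and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Group alerts by source IP: which accounts were hit and how often each check fired."""
    summary = defaultdict(lambda: {"accounts": set(), "alerts": Counter()})
    for rec in records:
        entry = summary[rec["ip"]]
        entry["accounts"].add(rec["acct"])
        entry["alerts"][rec["check"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in summarize(parse_lines(SAMPLE_LOG)).items():
        checks = ", ".join(f"{k}={v}" for k, v in sorted(entry["alerts"].items()))
        print(f"{ip}: accounts={sorted(entry['accounts'])} alerts: {checks}")
```

Running it on the sample reports a single source with one targeted account and all three per-entity checks fired, which is the triage view you want before deciding whether to block the address at the MTA or proxy.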


NOTE : The configuration above is an example; set the parameters to your own values. Consult the specific Release Notes for the version you upgraded to.


Verified Against: ZCS 8.0.x & 8.5.x Date Created: 10/1/2014
Article ID: https://wiki.zimbra.com/index.php?title=Zmauditswatch Date Modified: 2014-10-01


