Revision as of 14:11, 3 October 2014
Article Information
This article applies to the following ZCS versions: ZCS 8.0.x & 8.5.x (article footer dated 10/1/2014).
Zmauditswatch
Description
Zmauditswatch is a ZCS service that notifies the administrator (at a pre-defined e-mail address) of a potential brute-force attack against any account hosted by Zimbra, by looking at the authentication failure information. Thresholds can be configured per account, per IP, and per account & IP combination.
Script Options Explanation
The script ships with 4 authentication failure checks.
- (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combination within a 60 second window.
- (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack-based attack on a single account.
- (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single-host attack across multiple accounts.
- (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is estimated at 1% of the active accounts on the mailbox server.
- (zimbra_swatch_notice_user) - The e-mail address that should be warned when the conditions above occur.
Default values
The default values of zmauditswatch are the following:
zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
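To make the four checks concrete, the following is an added Python sketch (not the zmauditswatch script itself) that applies the page's default thresholds over a 60 second sliding window, keyed the same way: IP/Account, Account, IP and Total. The log line format and the sample failures are constructed and simplified; real audit.log lines carry more fields.

```python
import re
from collections import defaultdict, deque

# Page defaults for the zimbra_swatch_* localconfig keys; the window is the 60 s from the text
THRESHOLDS = {"ipacct": 10, "acct": 10, "ip": 20, "total": 100}
WINDOW = 60

# Constructed, simplified line format: "<epoch> ... [ip=<ip>;] account=<acct>; ..."
LINE_RE = re.compile(r"^(\d+) .*\[ip=([^;]+);\] account=([^;]+);")


class AuditSwatch:
    """Counts auth failures per key inside a sliding window, one check per threshold."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW):
        self.thresholds, self.window = thresholds, window
        self.events = defaultdict(deque)  # (check, key) -> timestamps still in window

    def _count(self, check, key, ts):
        q = self.events[(check, key)]
        q.append(ts)
        while ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def failure(self, ts, ip, acct):
        """Record one failure; return the checks whose count just reached the threshold."""
        keys = (("ipacct", (ip, acct)), ("acct", acct), ("ip", ip), ("total", None))
        return [c for c, k in keys if self._count(c, k, ts) == self.thresholds[c]]


def run(lines, swatch=None):
    """Feed log lines through the checks; return [(ts, [fired checks])] for alerting lines."""
    swatch = swatch or AuditSwatch()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth failure line in the assumed format
        fired = swatch.failure(int(m.group(1)), m.group(2), m.group(3))
        if fired:
            alerts.append((int(m.group(1)), fired))
    return alerts


def constructed_log():
    """Constructed sample: 10 failures against admin from one IP (3 s apart),
    then 12 failures from the same IP spread over other accounts."""
    t0, ip = 1412157091, "203.0.113.7"
    fmt = "{} security - cmd=Auth; [ip={};] account={}; error=authentication failed"
    lines = [fmt.format(t0 + 3 * i, ip, "admin@lab.example") for i in range(10)]
    lines += [fmt.format(t0 + 30 + 3 * i, ip, f"user{i}@lab.example") for i in range(12)]
    return lines
```

On the constructed sample the IP/Account and Account checks fire on the 10th failure against admin, and the IP check fires on the 20th failure from that host; the Total check (100) never fires.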
Configuration
zmauditswatch should be run by the user "zimbra". Before using zmauditswatch we need to configure it. The only required setting is zimbra_swatch_notice_user; the other parameters use their defaults if unspecified.
zmlocalconfig -e zimbra_swatch_notice_user email@domain.com
You can change any of these numbers to suit your environment:
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
Activate
zmauditswatch is very easy to activate once everything is configured; we just need to start the script:
zmauditswatchctl start
We can stop it:
zmauditswatchctl stop
Show the status:
zmauditswatchctl status
Activate it in Boot Sequence
By default zmauditswatch does not load at start-up. If we want zmauditswatch to stay active after the machine reboots, we need to download the file Media:Zmauditswatch.tar, copy it into our init.d directory, and add it to the boot sequence:
For RHEL/CentOS 5/6 or SLES 11:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on
For Ubuntu:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable
Examples
Web Client
We will try to attack our Zimbra lab with one username and a bad password, 10 times:
The result is that the user cannot log in anymore for 15 minutes:
Zmauditswatch will send a notification to the e-mail address that we defined before:
If we open the mail, we obtain more information.
SMTP
Sometimes we don't have a complete report of SMTP failures, and we can be vulnerable to a brute-force or dictionary attack. With zmauditswatch enabled, we are able to obtain an e-mail notification if there is an attack over SMTP.
Zmauditswatch will send a notification to the e-mail address that we defined before:
If we open the mail, we obtain more information.
Log File
We can check the log /opt/zimbra/log/zmauditswatch.out:
zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct 1 11:51:31 CEST 2014
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com
NOTE: Please configure the above script with your own parameters; it is only an example.