Difference between revisions of "Zmauditswatch"
Revision as of 22:44, 4 October 2014
Zmauditswatch
Description
Zmauditswatch is a ZCS service that notifies the administrator (through any pre-defined e-mail address) of a potential brute force attack for any account hosted by Zimbra by looking at the authentication failure information. Thresholds can be configured per account, IP and account & IP.
Script Options Explanation
The script ships with 4 authentication failure checks.
- (zimbra_swatch_ipacct_threshold) - IP/Account hash check, which warns on 10 auth failures from one IP/Account combination within a 60-second window.
- (zimbra_swatch_acct_threshold) - Account check, which warns on 15 auth failures against one account from any IP within a 60-second window. It attempts to detect a distributed hijack attack on a single account.
- (zimbra_swatch_ip_threshold) - IP check, which warns on 20 auth failures from one IP against any account within a 60-second window. It attempts to detect a single-host attack across multiple accounts.
- (zimbra_swatch_total_threshold) - Total auth failure check, which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is estimated at 1% of the active accounts on the mailbox server.
- (zimbra_swatch_notice_user) - The e-mail address to be warned when the conditions above are met.
Default values
The default values of zmauditswatch are the following:
zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
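To make the four checks concrete, here is an added example (written for this article, not zmauditswatch's own code) that replays a constructed list of authentication failures through the same per-IP/account, per-account, per-IP and total counters over a 60-second sliding window. The event tuples and the IP addresses are assumptions; real deployments read these fields from the Zimbra audit log.

```python
from collections import deque

WINDOW = 60  # seconds, the window zmauditswatch counts failures in

# Default thresholds as described in the article (keys are the zmlocalconfig names)
THRESHOLDS = {
    "ipacct": 10,   # zimbra_swatch_ipacct_threshold
    "acct": 15,     # zimbra_swatch_acct_threshold
    "ip": 20,       # zimbra_swatch_ip_threshold
    "total": 1000,  # zimbra_swatch_total_threshold
}

# Constructed sample data: (seconds since start, source IP, account) per failure.
# 10 failures from one IP against admin, then 5 more from distinct IPs,
# then the first IP failing against 10 other accounts.
FAILURES = (
    [(t, "198.51.100.7", "admin@example.com") for t in range(10)]
    + [(10 + i, "203.0.113.%d" % (i + 1), "admin@example.com") for i in range(5)]
    + [(15 + i, "198.51.100.7", "user%d@example.com" % i) for i in range(10)]
)


def check_failures(events, thresholds=THRESHOLDS, window=WINDOW):
    """Replay failures in time order; return (kind, key, time) for the
    first crossing of each threshold per key, in the order they fire."""
    windows = {}  # (kind, key) -> deque of timestamps inside the window
    fired = set()
    alerts = []
    for ts, ip, acct in sorted(events):
        for kind, key in (("ipacct", (ip, acct)), ("acct", acct),
                          ("ip", ip), ("total", "*")):
            q = windows.setdefault((kind, key), deque())
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= thresholds[kind] and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, ts))
    return alerts


if __name__ == "__main__":
    for kind, key, ts in check_failures(FAILURES):
        print("%s threshold exceeded at t=%ds: %s" % (kind, ts, key))
```

With the sample data the IP/Account check fires first, the account check fires once five other IPs join in, and the IP check fires when the first host moves on to other accounts; the total check never fires at this volume.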
Configuration
zmauditswatch should be run by the user "zimbra". Before using zmauditswatch we need to configure it. The only required setting is zimbra_swatch_notice_user; the other parameters use their defaults if unspecified.
zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com
You can change any of these numbers to fit your environment:
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
Activate
zmauditswatch is very easy to activate once everything is configured; we just need to start the script:
zmauditswatchctl start
We can stop it:
zmauditswatchctl stop
Show the status:
zmauditswatchctl status
Activate it in Boot Sequence
By default zmauditswatch does not start at boot. If we want it to stay active after the machine reboots, we need to download this file Media:Zmauditswatch.tar or create it ourselves:
#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides: zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop: $network $remote_fs $syslog $time zimbra
# Default-Start: 3 5
# Default-Stop: 0 1 6
# Description: zmauditswatchctl service
### END INIT INFO

# Run the zmauditswatchctl command as the zimbra user
command()
{
    su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
    restart)
        command stop
        command start
        RETVAL=$?
        ;;
    start)
        command start
        RETVAL=$?
        ;;
    stop)
        command stop
        RETVAL=$?
        ;;
    reload|status)
        command $1
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        RETVAL=1
        ;;
esac
exit $RETVAL
Copy the script into our init.d directory, and add it into the boot sequence:
For RHEL/CentOS 5/6 or SLES 11:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on
For Ubuntu:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable
Examples
Web Client
We will test against our Zimbra lab with one username and a bad password, 10 times:
The result is that the user can no longer log in for 15 minutes:
Zmauditswatchctl will send a notification to the e-mail address we defined before:
If we open the mail, we get more information.
SMTP
Sometimes we do not have a complete report of SMTP authentication failures, and so can be exposed to a brute-force or dictionary attack. With zmauditswatch enabled, we will get an e-mail notification if there is an attack over SMTP.
Zmauditswatch will send a notification to the e-mail address we defined before:
If we open the mail, we get more information.
Log File
We can check the log /opt/zimbra/log/zmauditswatch.out:
zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct 1 11:51:31 CEST 2014
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com
NOTE: The script above is an example; please configure it with your own parameters.