Revision as of 22:44, 4 October 2014

Article Information
This article applies to the following ZCS versions. ZCS 8.5 ZCS 8.0

Zmauditswatch

Description

Zmauditswatch is a ZCS service that notifies the administrator (through any pre-defined e-mail address) of a potential brute force attack for any account hosted by Zimbra by looking at the authentication failure information. Thresholds can be configured per account, IP and account & IP.

Script Options Explanation

The script ships with 4 authentication failure checks.

• (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combo within a 60 second window.
• (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
• (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second windows. Attempts to detect a single host based attack across multiple accounts.
• (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value on this is guestimated at 1% of active accounts for the Mailbox.
• (zimbra_swatch_notice_user) - The email address that we want to be worn when all the conditions happens.

Default values

The default values of zmauditswatch are the next:

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100

Configuration

zmauditswatch should be run by the user "zimbra". For use zmauditswatch we need to configure it first. The only required configuration is zimbra_swatch_notice_user. The other parameters will use defaults if unspecified.

zmlocalconfig -e zimbra_swatch_notice_user email@domain.com

You can change any of this numbers for accommodate to your environment:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60

Activate

zmauditswatch is very easy to activate once we configured everything, we just need to start the script:

zmauditswatchctl start

We can stop it

zmauditswatchctl stop

Show the status

zmauditswatchctl status

Activate it in Boot Sequence

For default zmauditswatch doesn't load at start-up, if we want to keep zmauditswatch activated also if the machine's reboot. We need to download this file Media:Zmauditswatch.tar‎ or create by ourselves:

#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides:       zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop:  $network $remote_fs $syslog $time zimbra
# Default-Start:  3 5
# Default-Stop:   0 1 6
# Description:    zmauditswatchctl service
### END INIT INFO


command()
{
        su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
        restart)
                command stop
                command start
                RETVAL=$?
                ;;
        start)
                command start
                RETVAL=$?
                ;;
        stop)
                command stop
                RETVAL=$?
                ;;
        reload|status)
                command $1
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                RETVAL=1
esac
exit $RETVAL

Copy the script into our init.d directory, and add it into the boot sequence:

For RHEL/CentOS 5/6 or SLES 11:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable

Examples

Web Client

We will try to attack our Zimbra Lab with one username and bad password, 10 times:

The result will be that the user can't do login anymore for 15 minutes:

The Zmauditswatchctl will send a notification to the email address that we defined before:

If we open the mail, we'll obtain more information

SMTP

Sometimes we don't have a complete report of the SMTP fails, and we can be vulnerable under a brute force or Dictionary attack. With zmauditswatch enabled, we will be capable of obtain a email notification if we have an attack under SMTP.

The Zmauditswatch will send a notification to the email address that we defined before:

If we open the mail, we'll obtain more information

Log File

We can check into the log /opt/zimbra/log/zmauditswatch.out

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com

NOTE : Please configure with your own parameters the above script, it's an example.