Revision as of 15:07, 13 July 2015

Zmauditswatch

KB 21208. Last updated on 2015-07-13

Description

Zmauditswatch is a ZCS service that notifies the administrator (at a pre-defined e-mail address) of a potential brute force attack against any account hosted by Zimbra, by watching the authentication failure information. Thresholds can be configured per account, per IP, and per account & IP combination.

Script Options Explanation

The script ships with 4 authentication failure checks.

  • (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combination within a 60 second window.
  • (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single host attacking multiple accounts.
  • (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.
  • (zimbra_swatch_notice_user) - The e-mail address that we want to be warned at when one of the above conditions is triggered.

Default values

The default values of zmauditswatch are the following:

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
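A sliding-window model of the four checks and the default thresholds above, written here as an added example: it is not zmauditswatch's own code, and the "epoch ip account" failure-line format it parses is constructed for the example, not Zimbra's audit.log format.

```python
from collections import defaultdict, deque

# Defaults as listed on this page; the 60 second window is the one the checks describe.
THRESHOLDS = {"ipacct": 10, "acct": 10, "ip": 20, "total": 100}
WINDOW_SECONDS = 60


class AuthFailureWatch:
    """Counts auth failures per key in a sliding window; a check fires when its count reaches the threshold."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = thresholds
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of failures still inside the window

    def _count(self, key, ts):
        queue = self.events[key]
        queue.append(ts)
        while queue and ts - queue[0] >= self.window:  # expire failures older than the window
            queue.popleft()
        return len(queue)

    def record(self, ts, ip, account):
        """Register one failure at time ts and return the names of the checks that just hit their threshold."""
        keys = {"ipacct": (ip, account), "acct": account, "ip": ip, "total": "*"}
        return [check for check, key in keys.items()
                if self._count((check, key), ts) == self.thresholds[check]]


def replay(lines):
    """Parse constructed 'epoch ip account' failure lines and collect (ts, check, ip, account) alerts."""
    watch = AuthFailureWatch()
    alerts = []
    for line in lines:
        ts, ip, account = line.split()
        alerts += [(int(ts), check, ip, account) for check in watch.record(int(ts), ip, account)]
    return alerts


# Constructed samples (not real audit.log lines): one IP hammering one account, and the
# distributed case from the zimbra_swatch_acct_threshold description (ten IPs, one account).
SINGLE_IP = [f"{100 + i} 10.0.0.5 admin@example.test" for i in range(10)]
DISTRIBUTED = [f"{200 + i} 10.0.0.{i + 1} admin@example.test" for i in range(10)]

if __name__ == "__main__":
    print(replay(SINGLE_IP))    # ipacct and acct fire on the 10th failure
    print(replay(DISTRIBUTED))  # only acct fires: no single IP/account pair reaches 10
```

Failures spaced more than 60 seconds apart never accumulate, which is why a slow, patient guessing pattern stays below these thresholds and needs a different control.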

Configuration

zmauditswatch should be run as the "zimbra" user. Before using zmauditswatch we need to configure it. The only required setting is zimbra_swatch_notice_user; the other parameters fall back to their defaults if unspecified.

zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com

You can change any of these numbers to suit your environment:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60


Activate

Once everything is configured, activating zmauditswatch is just a matter of starting the script:

zmauditswatchctl start

We can stop it:

zmauditswatchctl stop

And show its status:

zmauditswatchctl status

Activate it in Boot Sequence

By default zmauditswatch does not start at boot. If we want it to stay active across reboots, we need to download the init script Media:Zmauditswatch.tar or create it ourselves:

#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides:       zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop:  $network $remote_fs $syslog $time zimbra
# Default-Start:  3 5
# Default-Stop:   0 1 6
# Description:    zmauditswatchctl service
### END INIT INFO


# Run the zmauditswatchctl action given as $1 as the zimbra user.
# Note that this function name shadows the shell builtin "command" for the rest of the script.
command()
{
        su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
        restart)
                command stop
                command start
                RETVAL=$?
                ;;
        start)
                command start
                RETVAL=$?
                ;;
        stop)
                command stop
                RETVAL=$?
                ;;
        reload|status)
                command "$1"
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                RETVAL=1
                ;;
esac
exit $RETVAL

Copy the script into the init.d directory and add it to the boot sequence:

For RHEL/CentOS 5/6 or SLES 11:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable

Examples

Web Client

We will simulate an attack on our Zimbra lab with one username and a bad password, 10 times:

Zmauditswatch-001.png

The result is that the user cannot log in any more for 15 minutes:

Zmauditswatch-006.png

zmauditswatch sends a notification to the e-mail address that we defined before:

Zmauditswatch-002.png

If we open the mail, we obtain more information:

Zmauditswatch-003.png

SMTP

Sometimes we don't have complete reporting of SMTP authentication failures, and we can be exposed to a brute force or dictionary attack. With zmauditswatch enabled, we will receive an e-mail notification if an attack arrives over SMTP.

zmauditswatch sends a notification to the e-mail address that we defined before:

Zmauditswatch-004.png

If we open the mail, we obtain more information:

Zmauditswatch-005.png

Log File

We can also check the log file /opt/zimbra/log/zmauditswatch.out:

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com


NOTE: The settings above are an example; configure them with your own parameters.

Verified Against: ZCS 8.0.x & 8.5.x
Date Created: 10/1/2014
Article ID: https://wiki.zimbra.com/index.php?title=Zmauditswatch
Date Modified: 2015-07-13


