Revision as of 12:35, 1 September 2016

Zmauditswatch

KB 21208 - Last updated on 2016-09-01





Description

Zmauditswatch is a ZCS service that watches the authentication-failure information Zimbra writes to its audit log and notifies the administrator, through a pre-defined e-mail address, of a potential brute-force attack against any account hosted on Zimbra. Thresholds can be configured per account, per IP, and per IP/account pair.

Script Options Explanation

The script ships with four authentication-failure checks, all evaluated over the same time window (60 seconds unless zimbra_swatch_threshold_seconds is changed). Each check is independent and sends its own notification when it trips. Note that the counts quoted in these descriptions differ from the shipped defaults listed under Default values; the defaults are what apply unless overridden with zmlocalconfig.

  • (zimbra_swatch_ipacct_threshold) - IP/Account check which warns on 10 auth failures from one IP/Account combination within a 60 second window. Catches a single host hammering a single account.
  • (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures against one account from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures from one IP to any account within a 60 second window. Attempts to detect a single host attacking across multiple accounts (password spraying).
  • (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough guess of about 1% of the active accounts on the mailbox server.
  • (zimbra_swatch_threshold_seconds) - Length of the window, in seconds, over which the counts above are accumulated.
  • (zimbra_swatch_notice_user) - The e-mail address that receives the warning when any of the thresholds is exceeded.

Default values

The default values of zmauditswatch are:

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
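The following is an added example, not the zmauditswatch script itself (which is a separate script shipped with ZCS): it re-implements the four checks described above in Python over constructed audit-log lines, so the interaction between the thresholds and the time window can be seen without a live server. The thresholds and the 60-second window are the defaults listed on this page; the audit.log line layout used by make_failure_line and FAIL_RE is an approximation and an assumption of this example, as is the choice to clear a counter once it alerts.

```python
"""Sliding-window auth-failure checks in the style of zmauditswatch.

Added example; not the zmauditswatch script shipped with ZCS. The audit.log
line layout below is an assumption of this example; only the threshold
values come from the page's "Default values" section.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Page defaults for the thresholds, plus the 60-second window from the option list.
DEFAULTS = {
    "ipacct_threshold": 10,   # failures from one IP/account pair
    "acct_threshold": 10,     # failures against one account from any IP (distributed attack)
    "ip_threshold": 20,       # failures from one IP against any account (password spray)
    "total_threshold": 100,   # failures from anywhere against anything
    "threshold_seconds": 60,  # length of the sliding window
}

# Authentication-failure line. We key on oip= (originating client IP): behind
# the Zimbra proxy, ip= is the proxy's own address, so counting by ip= would
# lump every client together. Field layout is an assumption of this example.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"oip=(?P<ip>[^;\]]+);.*?cmd=Auth; account=(?P<acct>[^;]+);.*?"
    r"authentication failed"
)


def make_failure_line(ts, ip, acct):
    """Constructed audit.log-style failure line (test input, not real data)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S},000 WARN  [qtp-1:https://mail.example.com/service/soap/AuthRequest] "
            f"[name={acct};ip=127.0.0.1;oip={ip};ua=zclient/8.6.0_GA;] security - cmd=Auth; "
            f"account={acct}; protocol=soap; error=authentication failed for [{acct}], invalid password;")


class AuditWatch:
    """Four independent counters, each over the same sliding window."""

    def __init__(self, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.window = timedelta(seconds=self.cfg["threshold_seconds"])
        self.ipacct = defaultdict(deque)   # (ip, acct) -> failure timestamps
        self.acct = defaultdict(deque)     # acct -> failure timestamps
        self.ip = defaultdict(deque)       # ip -> failure timestamps
        self.total = deque()
        self.alerts = []

    def _hit(self, dq, ts, threshold):
        """Record a failure, expire entries outside the window, and report
        whether the count reached the threshold. The counter is cleared on
        alert so a sustained attack re-alerts every `threshold` failures
        instead of on every single failure after the first alert."""
        dq.append(ts)
        while dq and ts - dq[0] > self.window:
            dq.popleft()
        if len(dq) >= threshold:
            dq.clear()
            return True
        return False

    def feed(self, line):
        """Process one log line; return the alert messages it triggered."""
        m = FAIL_RE.search(line)
        if not m:
            return []                      # successful logins and other lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, acct = m["ip"], m["acct"].lower()
        c = self.cfg
        fired = []
        if self._hit(self.ipacct[(ip, acct)], ts, c["ipacct_threshold"]):
            fired.append(f"IP:Acct failure threshold exceeded: {ip} {acct}")
        if self._hit(self.acct[acct], ts, c["acct_threshold"]):
            fired.append(f"Account failure threshold exceeded: {acct}")
        if self._hit(self.ip[ip], ts, c["ip_threshold"]):
            fired.append(f"IP failure threshold exceeded: {ip}")
        if self._hit(self.total, ts, c["total_threshold"]):
            fired.append("Total failure threshold exceeded")
        self.alerts.extend(fired)
        return fired


def run_scenario(events, **overrides):
    """events: iterable of (seconds_offset, ip, acct). Returns every alert raised."""
    base = datetime(2014, 10, 1, 11, 51, 31)   # same date as the page's log sample
    w = AuditWatch(**overrides)
    for offset, ip, acct in events:
        w.feed(make_failure_line(base + timedelta(seconds=offset), ip, acct))
    return w.alerts


if __name__ == "__main__":
    # 10 bad passwords for one account from one host within a few seconds.
    print(run_scenario([(i, "192.0.2.10", "admin@example.com") for i in range(10)]))
    # The same 10 failures 30 s apart: never 10 inside one 60 s window, so no alert.
    print(run_scenario([(30 * i, "192.0.2.10", "admin@example.com") for i in range(10)]))
    # Distributed: 10 hosts, one failure each, against one account.
    print(run_scenario([(i, f"198.51.100.{i}", "admin@example.com") for i in range(10)]))
```

Keying on oip= rather than ip= matters on installs behind the Zimbra proxy, where ip= is the proxy's own address and every client would otherwise be counted as a single source. The spread-out scenario shows why zimbra_swatch_threshold_seconds matters: ten failures that trip the default 60-second window go unnoticed at 30-second spacing unless the window is widened, as the example configuration further down does with 3600.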

Configuration

zmauditswatch runs as the "zimbra" user and must be configured before use. The only required setting is zimbra_swatch_notice_user; the other parameters fall back to the defaults above if unspecified. The settings live in Zimbra's local config, so run the zmlocalconfig commands below as the zimbra user:

zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com

You can change any of these values to suit your environment. The example below raises the account threshold to 15, lowers the total threshold to 60 and widens the window to one hour (3600 seconds). zmauditswatch reads these values when it starts, so restart it after changing them:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600

Activate

Once configured, zmauditswatch is started with:

zmauditswatchctl start

To stop it:

zmauditswatchctl stop

To show its status:

zmauditswatchctl status

Activate it in Boot Sequence

By default zmauditswatch is not started at boot. To keep it running across reboots, download Media:Zmauditswatch.tar or create the following init script yourself (it only ever passes one of the fixed actions from the case statement to zmauditswatchctl, run as the zimbra user):

#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides:       zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop:  $network $remote_fs $syslog $time zimbra
# Default-Start:  3 5
# Default-Stop:   0 1 6
# Description:    zmauditswatchctl service
### END INIT INFO


command()
{
        su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
        restart)
                command stop
                command start
                RETVAL=$?
                ;;
        start)
                command start
                RETVAL=$?
                ;;
        stop)
                command stop
                RETVAL=$?
                ;;
        reload|status)
                command $1
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                RETVAL=1
esac
exit $RETVAL

Copy the script into the init.d directory and add it to the boot sequence. Copying into /etc/init.d and registering the service need root, so run these steps as root or prefix each command with sudo:

For RHEL/CentOS 5/6 or SLES 11:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar 
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable

Examples

Web Client

We attack the Zimbra lab with one username and a bad password, 10 times:

Zmauditswatch-001.png

The result is that the user cannot log in for 15 minutes (the lockout itself comes from Zimbra's account lockout policy; zmauditswatch only notifies):

Zmauditswatch-006.png

zmauditswatch sends a notification to the e-mail address defined earlier:

Zmauditswatch-002.png

Opening the mail gives more detail:

Zmauditswatch-003.png

SMTP

SMTP authentication failures are often not reported as completely as web-client ones, which leaves a gap where a brute-force or dictionary attack against SMTP AUTH can go unnoticed. With zmauditswatch enabled, an attack over SMTP produces the same e-mail notification, since the script counts the authentication failures from the audit log whichever protocol the attacker used.

zmauditswatch sends a notification to the e-mail address defined earlier:

Zmauditswatch-004.png

Opening the mail gives more detail:

Zmauditswatch-005.png

Log File

The script's own output, including which threshold fired and for which IP and account, is written to /opt/zimbra/log/zmauditswatch.out:

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com


NOTE: The parameters in the commands and scripts above are examples; adapt them to your own environment.

Verified Against: ZCS 8.6 and 8.0 Date Created: 10/1/2014
Article ID: https://wiki.zimbra.com/index.php?title=Zmauditswatch Date Modified: 2016-09-01


