Zmauditswatch: Difference between revisions

(Created page with "{{ZC}}{{Article Infobox|{{admin}}|{{ZCS 8.5}}||{{ZCS 8.0}}||{{ZCS 7.0}}|{{ZCS 6.0}}|{{ZCS 5.0}}}} = Zmauditswatch = == Description == Zmauditswatch notifies a specific e-ma...")
 
 
(23 intermediate revisions by the same user not shown)
Latest revision as of 20:59, 1 December 2017

Zmauditswatch

KB 21208. Last updated on 2017-12-1





Zmauditswatch

Description

Zmauditswatch is a ZCS service that notifies the administrator (at any pre-defined e-mail address) of a potential brute force attack against any account hosted by Zimbra, by examining the authentication failure information. Thresholds can be configured per account, per IP, and per account and IP combination.

Script Options Explanation

The script ships with 4 authentication failure checks.

  • (zimbra_swatch_ipacct_threshold) - IP/Account hash check, which warns on 10 auth failures from one IP/Account combination within a 60 second window.
  • (zimbra_swatch_acct_threshold) - Account check, which warns on 15 auth failures against one account from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check, which warns on 20 auth failures from one IP to any account within a 60 second window. Attempts to detect a single-host attack across multiple accounts.
  • (zimbra_swatch_total_threshold) - Total auth failure check, which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.
  • (zimbra_swatch_notice_user) - The e-mail address to be warned when the conditions above are met.
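As an added example (not Zimbra's auditswatch code and not part of this article), the following Python script shows how these four sliding-window checks can be implemented over authentication-failure log lines: one window of timestamps per IP/account pair, per account, per IP, and in total. The AUTH_FAIL line format, the IP addresses and the account names are constructed for the demo (the real Zimbra audit.log layout differs); the thresholds and the 60 second window are the values listed above, and the function and class names are the example's own.

```python
"""Sliding-window authentication-failure thresholds modelled on the four
zmauditswatch checks.  Added example; this is not Zimbra's auditswatch code.
The AUTH_FAIL line format used here is constructed for the demo and is not
the real Zimbra audit.log layout."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold values as listed in the "Script Options Explanation" section;
# the 60 second window is the one that section describes.
THRESHOLDS = {"ipacct": 10, "acct": 15, "ip": 20, "total": 1000}

# Constructed line layout (assumption, not Zimbra's real format):
#   "<YYYY-MM-DD HH:MM:SS> AUTH_FAIL ip=<ip> account=<acct>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) AUTH_FAIL ip=(?P<ip>\S+) account=(?P<acct>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, account) for a constructed AUTH_FAIL line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["acct"]


class FailureWatcher:
    """Keeps one sliding window of failure timestamps per key for each check."""

    def __init__(self, thresholds, window):
        self.thresholds = thresholds
        self.window = window
        self.windows = {kind: defaultdict(deque) for kind in thresholds}
        self.alerts = []  # (kind, key) tuples, in the order they fired

    def _bump(self, kind, key, ts):
        q = self.windows[kind][key]
        q.append(ts)
        # Lines are assumed to arrive in chronological order; drop the
        # timestamps that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.thresholds[kind]:
            self.alerts.append((kind, key))
            q.clear()  # one alert per breach; start counting again afterwards

    def record_failure(self, ts, ip, account):
        self._bump("ipacct", (ip, account), ts)  # one host against one account
        self._bump("acct", account, ts)          # any hosts against one account
        self._bump("ip", ip, ts)                 # one host against any accounts
        self._bump("total", "*", ts)             # everything, everywhere


def format_alert(kind, key):
    """Render an alert in the style of the zmauditswatch.out lines shown in the Log File section."""
    if kind == "ipacct":
        return f"IP:Acct failure threshold exceeded: {key[0]} {key[1]}"
    if kind == "acct":
        return f"Account failure threshold exceeded: {key}"
    if kind == "ip":
        return f"IP failure threshold exceeded: {key}"
    return "Total failure threshold exceeded"


def scan(lines, thresholds=THRESHOLDS, window_seconds=60):
    """Feed log lines through the watcher and return the alerts it raised."""
    watcher = FailureWatcher(thresholds, timedelta(seconds=window_seconds))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            watcher.record_failure(*parsed)
    return watcher.alerts


def make_sample_log():
    """Constructed sample input covering the three per-key checks."""
    base = datetime(2014, 10, 1, 11, 51, 31)

    def line(offset, ip, acct):
        ts = (base + timedelta(seconds=offset)).isoformat(sep=" ")
        return f"{ts} AUTH_FAIL ip={ip} account={acct}"

    lines = []
    # 1) one host, one account: 10 failures in 10 s -> ipacct check fires
    lines += [line(i, "198.51.100.7", "admin@example.com") for i in range(10)]
    # 2) distributed: 15 hosts against one account in 30 s -> acct check fires
    lines += [line(120 + 2 * i, f"203.0.113.{i + 1}", "bob@example.com") for i in range(15)]
    # 3) password spray: one host against 20 accounts in 20 s -> ip check fires
    lines += [line(300 + i, "192.0.2.9", f"user{i}@example.com") for i in range(20)]
    return lines


if __name__ == "__main__":
    for kind, key in scan(make_sample_log()):
        print(format_alert(kind, key))
```

Run stand-alone it prints three alerts, one per scenario in the sample log, in the same wording as the zmauditswatch.out lines later on this page. Shortening window_seconds (for example to 5) shows the other side of the design: the same failures spread over a longer period stay under every threshold, which is why the window length matters as much as the counts when tuning these values for a real mailbox server.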

Default values

The default values of zmauditswatch are the following:

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100

Configuration

zmauditswatch should be run as the user "zimbra". Before using zmauditswatch we need to configure it. The only required setting is zimbra_swatch_notice_user; the other parameters use their defaults if unspecified.

zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com

You can change any of these numbers to suit your environment:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600

Activate

zmauditswatch is easy to activate once everything is configured; we just need to start the script:

zmauditswatchctl start

To stop it:

zmauditswatchctl stop

To show the status:

zmauditswatchctl status

Workaround for ZCS 8.7.x

Starting with Zimbra Collaboration 8.7, parts of the script were moved to another name, which led to an error while activating zmauditswatch. Please follow these steps after all the previous configuration steps, including the zmauditswatchctl start:

As root user:

wget http://bugzilla-attach.zimbra.com/attachment.cgi?id=66723
mv attachment.cgi\?id\=66723 auditswatch
mv auditswatch  /opt/zimbra/libexec/auditswatch
chown root:root /opt/zimbra/libexec/auditswatch
chmod 0755 /opt/zimbra/libexec/auditswatch

As zimbra user:

zmauditswatchctl start
zmauditswatchctl start...done

If you do not receive any zmauditswatch e-mail and you see the following in your logs:

/opt/zimbra/data/tmp/.swatch_script.2721: cannot open pipe to : Broken pipe

Please add the sendmail alternative in Zimbra Collaboration 8.7 using the following:

/usr/sbin/alternatives --install /usr/sbin/sendmail mta /opt/zimbra/common/sbin/sendmail 25 \
  --slave /usr/bin/mailq mta-mailq /opt/zimbra/common/sbin/mailq \
  --slave /usr/bin/newaliases mta-newaliases /opt/zimbra/common/sbin/newaliases \
  --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/common/share/man/man1/mailq.1 \
  --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/common/share/man/man1/newaliases.1 \
  --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/common/share/man/man1/sendmail.1 \
  --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/common/share/man/man5/aliases.5 \
  --initscript zimbra

Activate it in Boot Sequence

Using Ubuntu 16.04 or CentOS with systemd

Download the file zmauditswatch.service and save it as /etc/systemd/system/zmauditswatch.service. It is very important that nothing exists at /etc/init.d/zmauditswatch. The zmauditswatch.service file looks like this:

# systemd integration for Zimbra Zmauditswatch, cat this into /etc/systemd/system/zmauditswatch.service
# And remove the /etc/init.d/zmauditswatch in the case you have it
[Unit]
Description=Zimbra Collaboration Suite Zmauditswatch
After=syslog.target network.target

[Service]
Type=simple
User=zimbra
Group=zimbra
ExecStart=/opt/zimbra/bin/zmauditswatchctl start
ExecStop=/opt/zimbra/bin/zmauditswatchctl stop
ExecReload=/opt/zimbra/bin/zmauditswatchctl restart

TimeoutSec=500

[Install]
WantedBy=multi-user.target

You can follow these quick steps to enable it:

cd /etc/systemd/system/
wget https://zimbra.io/zmauditswatch.service
sudo systemctl enable zmauditswatch

Now you can manage your service as usual:

systemctl start zmauditswatch
systemctl stop zmauditswatch
systemctl status zmauditswatch

Using Ubuntu 14.04 or CentOS 6

By default zmauditswatch does not load at start-up. If we want zmauditswatch to stay active after a reboot, we need to download the file Media:Zmauditswatch.tar or create it ourselves:

#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides:       zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop:  $network $remote_fs $syslog $time zimbra
# Default-Start:  3 5
# Default-Stop:   0 1 6
# Description:    zmauditswatchctl service
### END INIT INFO


command()
{
        su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
        restart)
                command stop
                command start
                RETVAL=$?
                ;;
        start)
                command start
                RETVAL=$?
                ;;
        stop)
                command stop
                RETVAL=$?
                ;;
        reload|status)
                command $1
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                RETVAL=1
esac
exit $RETVAL

Copy the script into the init.d directory and add it to the boot sequence:

For RHEL/CentOS 5/6 or SLES 11:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable

Examples

Web Client

We will try to attack our Zimbra lab with one username and a bad password, 10 times:

Zmauditswatch-001.png

The result is that the user cannot log in any more for 15 minutes:

Zmauditswatch-006.png

Zmauditswatchctl will send a notification to the e-mail address that we defined before:

Zmauditswatch-002.png

If we open the mail, we get more information:

Zmauditswatch-003.png

SMTP

Sometimes we do not have a complete report of SMTP authentication failures, and we can be vulnerable to a brute force or dictionary attack. With zmauditswatch enabled, we will get an e-mail notification if there is an attack over SMTP.

Zmauditswatch will send a notification to the e-mail address that we defined before:

Zmauditswatch-004.png

If we open the mail, we get more information:

Zmauditswatch-005.png

Log File

We can check the log at /opt/zimbra/log/zmauditswatch.out:

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com


NOTE: Please configure the above script with your own parameters; it is an example.

Verified Against: ZCS 8.6 and 8.0 Date Created: 10/1/2014
Article ID: https://wiki.zimbra.com/index.php?title=Zmauditswatch Date Modified: 2017-12-01


