Zmauditswatch: Difference between revisions
Article footer: ZCS 8.6 and 8.0, 10/1/2014
Latest revision as of 20:59, 1 December 2017
Zmauditswatch
Description
Zmauditswatch is a ZCS service that notifies the administrator (at a pre-defined e-mail address) of a potential brute-force attack against any account hosted by Zimbra, by looking at the authentication failure information. Thresholds can be configured per account, per IP, and per account and IP combination.
Script Options Explanation
The script ships with 4 authentication failure checks, plus the notification address setting:
- (zimbra_swatch_ipacct_threshold) - IP/Account hash check, which warns on 10 auth failures from one IP/Account combination within a 60 second window.
- (zimbra_swatch_acct_threshold) - Account check, which warns on 15 auth failures against one account from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
- (zimbra_swatch_ip_threshold) - IP check, which warns on 20 auth failures from one IP to any account within a 60 second window. Attempts to detect a single host attacking multiple accounts.
- (zimbra_swatch_total_threshold) - Total auth failure check, which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.
- (zimbra_swatch_notice_user) - The e-mail address to be warned when the conditions above are met.
Default values
The default values of zmauditswatch are:
zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
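To make the four sliding-window checks concrete, here is an added Python model of them (not the auditswatch script itself) that replays constructed audit-log lines through the default thresholds above; the log line format, the class and function names, and the sample IPs and accounts are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Thresholds and window mirror the page's default zimbra_swatch_* values.
THRESHOLDS = {"ipacct": 10, "acct": 10, "ip": 20, "total": 100}
WINDOW_SECONDS = 60
# Assumed shape of a Zimbra audit.log auth-failure line (constructed here;
# the page does not reproduce the real format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) .*?\[ip=(?P<ip>[^;\]]+)"
    r".*?security - cmd=Auth; account=(?P<acct>[^;]+);.*?authentication failed")

class AuditSwatch:
    """Sliding-window counters for the four checks zmauditswatch performs."""
    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds, self.window = thresholds, window
        self.events = defaultdict(deque)  # (check, key) -> failure timestamps
        self.alerts = []

    def _bump(self, check, key, ts):
        q = self.events[(check, key)]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) == self.thresholds[check]:  # warn once, when crossing
            self.alerts.append(f"{check} failure threshold exceeded: {key}")

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return  # not an authentication failure: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ip, acct = m["ip"], m["acct"]
        for check, key in (("ipacct", f"{ip} {acct}"), ("acct", acct), ("ip", ip), ("total", "all")):
            self._bump(check, key, ts)

def failure_lines(ip, acct, count, spacing_s):
    """Constructed audit lines: `count` failures, `spacing_s` seconds apart."""
    t0 = datetime(2014, 10, 1, 11, 51, 0)
    for i in range(count):
        ts = (t0 + timedelta(seconds=i * spacing_s)).strftime("%Y-%m-%d %H:%M:%S,000")
        yield f"{ts} INFO [qtp] [ip={ip};] security - cmd=Auth; account={acct}; error=authentication failed for [x];"
def run_demo():
    sw = AuditSwatch()
    for line in failure_lines("192.0.2.10", "admin@example.com", 12, 1):
        sw.feed(line)  # burst: 12 failures in 12 s -> ipacct and acct checks fire
    for line in failure_lines("192.0.2.20", "bob@example.com", 12, 10):
        sw.feed(line)  # slow: never 10 inside any 60 s window -> stays silent
    return sw.alerts
```

Raising zimbra_swatch_threshold_seconds (the window) is what makes the slow second burst detectable, which is why the page later shows it set to 3600.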
Configuration
zmauditswatch should be run by the user "zimbra". Before using zmauditswatch we need to configure it. The only required setting is zimbra_swatch_notice_user; the other parameters use their defaults if unspecified.
zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com
You can change any of these numbers to suit your environment:
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
Activate
zmauditswatch is very easy to activate once everything is configured; we just need to start the script:
zmauditswatchctl start
We can stop it:
zmauditswatchctl stop
Show the status:
zmauditswatchctl status
Workaround for ZCS 8.7.x
Starting with Zimbra Collaboration 8.7, part of the script was moved to another name, which led to an error when activating zmauditswatch. Please follow these steps after all the previous configuration steps, plus the zmauditswatchctl start:
as root user
wget http://bugzilla-attach.zimbra.com/attachment.cgi?id=66723
mv attachment.cgi\?id\=66723 auditswatch
mv auditswatch /opt/zimbra/libexec/auditswatch
chown root:root /opt/zimbra/libexec/auditswatch
chmod 0755 /opt/zimbra/libexec/auditswatch
as zimbra user
zmauditswatchctl start
zmauditswatchctl start...done
If you don't receive any zmauditswatch e-mail and you see the following in your logs:
/opt/zimbra/data/tmp/.swatch_script.2721: cannot open pipe to : Broken pipe
Please register Zimbra's sendmail as the system sendmail alternative in Zimbra Collaboration 8.7 using the following:
/usr/sbin/alternatives --install /usr/sbin/sendmail mta /opt/zimbra/common/sbin/sendmail 25 \
--slave /usr/bin/mailq mta-mailq /opt/zimbra/common/sbin/mailq \
--slave /usr/bin/newaliases mta-newaliases /opt/zimbra/common/sbin/newaliases \
--slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/common/share/man/man1/mailq.1 \
--slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/common/share/man/man1/newaliases.1 \
--slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/common/share/man/man1/sendmail.1 \
--slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/common/share/man/man5/aliases.5 \
--initscript zimbra
Activate it in Boot Sequence
Using Ubuntu 16.04 or CentOS with systemd
Download the following file, zmauditswatch.service (https://zimbra.io/zmauditswatch.service), and save it to /etc/systemd/system/zmauditswatch.service. It is very important that nothing exists at /etc/init.d/zmauditswatch.
The zmauditswatch.service file looks like this:
# systemd integration for Zimbra Zmauditswatch, cat this into /etc/systemd/system/zmauditswatch.service
# And remove the /etc/init.d/zmauditswatch in the case you have it
[Unit]
Description=Zimbra Collaboration Suite Zmauditswatch
After=syslog.target network.target
[Service]
Type=simple
User=zimbra
Group=zimbra
ExecStart=/opt/zimbra/bin/zmauditswatchctl start
ExecStop=/opt/zimbra/bin/zmauditswatchctl stop
ExecReload=/opt/zimbra/bin/zmauditswatchctl restart
TimeoutSec=500
[Install]
WantedBy=multi-user.target
You can follow these quick steps to enable it:
cd /etc/systemd/system/
wget https://zimbra.io/zmauditswatch.service
sudo systemctl enable zmauditswatch
Now you can manage your service as usual:
systemctl start zmauditswatch
systemctl stop zmauditswatch
systemctl status zmauditswatch
Using Ubuntu 14.04 or CentOS 6
By default zmauditswatch doesn't load at start-up; if we want to keep zmauditswatch active after the machine reboots, we need to download this file, Media:Zmauditswatch.tar, or create it ourselves:
#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides: zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop: $network $remote_fs $syslog $time zimbra
# Default-Start: 3 5
# Default-Stop: 0 1 6
# Description: zmauditswatchctl service
### END INIT INFO

# Run the given zmauditswatchctl action as the zimbra user
command() {
  su - zimbra -c "zmauditswatchctl $1 </dev/null"
}

case "$1" in
  restart)
    command stop
    command start
    RETVAL=$?
    ;;
  start)
    command start
    RETVAL=$?
    ;;
  stop)
    command stop
    RETVAL=$?
    ;;
  reload|status)
    command $1
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status}"
    RETVAL=1
esac
exit $RETVAL
Copy the script into our init.d directory, and add it to the boot sequence:
For RHEL/CentOS 5/6 or SLES 11:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on
For Ubuntu:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable
Examples
Web Client
We will try to attack our Zimbra lab with one username and a bad password, 10 times:
The result is that the user can't log in anymore for 15 minutes:
Zmauditswatch will send a notification to the e-mail address that we defined before:
If we open the mail, we'll get more information.
SMTP
Sometimes we don't have a complete report of SMTP failures, and we can be vulnerable to a brute-force or dictionary attack. With zmauditswatch enabled, we will be able to get an e-mail notification if we are under attack over SMTP.
Zmauditswatch will send a notification to the e-mail address that we defined before:
If we open the mail, we'll get more information.
Log File
We can check the log /opt/zimbra/log/zmauditswatch.out:
zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct 1 11:51:31 CEST 2014
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X
exceeded threshold on failure for admin@labzimbra.zimbra.com
NOTE: Please configure the above script with your own parameters; it is an example.