Zmauditswatch
Description
Zmauditswatch is a ZCS service that notifies the administrator (through any pre-defined e-mail address) of a potential brute force attack for any account hosted by Zimbra by looking at the authentication failure information. Thresholds can be configured per account, IP and account & IP.
Script Options Explanation
The script ships with 4 authentication failure checks.
- (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combo within a 60 second window.
- (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
- (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single host based attack across multiple accounts.
- (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value for this is guesstimated at 1% of active accounts for the Mailbox.
- (zimbra_swatch_notice_user) - The email address that should be warned when these conditions occur.
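To show which check reacts to which failure pattern, here is an added Python sketch (not part of zmauditswatch or of the original page) that models the four checks as per-key counters over constructed failure events, using the thresholds from the list above. The sliding window, the report-once-per-burst rule and all function names are assumptions for illustration, not the script's actual implementation.

```python
from collections import defaultdict, deque

# Values from the list above: failures allowed per 60-second window.
THRESHOLDS = {"ipacct": 10, "acct": 15, "ip": 20, "total": 1000}

def detect(events, thresholds=THRESHOLDS, window=60):
    """events: time-ordered (epoch_seconds, ip, account) auth failures.
    Returns (timestamp, check, key) each time a counter first reaches its threshold."""
    buckets = defaultdict(deque)  # (check, key) -> timestamps still inside the window
    active = set()                # counters currently at or over their threshold
    alerts = []
    for ts, ip, acct in events:
        keys = (("ipacct", (ip, acct)), ("acct", acct), ("ip", ip), ("total", None))
        for check, key in keys:
            q = buckets[(check, key)]
            q.append(ts)
            while q and q[0] <= ts - window:   # expire failures older than the window
                q.popleft()
            if len(q) < thresholds[check]:
                active.discard((check, key))
            elif (check, key) not in active:   # report once per burst, not per failure
                active.add((check, key))
                alerts.append((ts, check, key))
    return alerts

# Constructed traffic: documentation IP ranges and made-up accounts.
def single_host(n):    # one IP, one account, one failure per second
    return [(i, "192.0.2.10", "admin@example.com") for i in range(n)]

def distributed(n):    # n different IPs, one failure each, against a single account
    return [(i, f"198.51.100.{i + 1}", "ceo@example.com") for i in range(n)]

def many_accounts(n):  # one IP failing once against each of n accounts
    return [(i, "203.0.113.7", f"user{i}@example.com") for i in range(n)]

def paced(n, gap=7):   # one IP, one account, one failure every `gap` seconds
    return [(i * gap, "192.0.2.10", "admin@example.com") for i in range(n)]

if __name__ == "__main__":
    for name, ev in (("single_host", single_host(25)), ("distributed", distributed(15)),
                     ("many_accounts", many_accounts(20)), ("paced", paced(30))):
        print(name, detect(ev))
    print("paced, window=3600", detect(paced(30), window=3600))
```

In this model a single host failing against one account trips the IP/Account check first, then the Account check, then the IP check. The paced case stays under every counter with a 60 second window and is reported once the window is widened to 3600 seconds, which is what the window setting controls.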
Default values
The default values of zmauditswatch are as follows:
zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=10
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=100
Configuration
zmauditswatch should be run by the user "zimbra". Before using zmauditswatch, we need to configure it. The only required setting is zimbra_swatch_notice_user. The other parameters use their defaults if unspecified.
zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com
You can change any of these numbers to suit your environment:
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
Activate
Note: ZCS 8.7 has the following Known Issue, so you need to run this command before starting zmauditswatchctl:
ln -s /opt/zimbra/bin/zmauditswatchctl /opt/zimbra/libexec/auditswatch
zmauditswatch is very easy to activate once everything is configured; we just need to start the script:
zmauditswatchctl start
We can stop it:
zmauditswatchctl stop
Show the status:
zmauditswatchctl status
Activate it in Boot Sequence
By default, zmauditswatch doesn't load at start-up. If we want to keep zmauditswatch active after the machine reboots, we need to download the file Zmauditswatch.tar or create the init script ourselves:
#!/bin/bash
# Init file for zmauditswatchctl
#
# chkconfig: 345 99 01
# description: zmauditswatchctl service
#
### BEGIN INIT INFO
# Provides: zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop: $network $remote_fs $syslog $time zimbra
# Default-Start: 3 5
# Default-Stop: 0 1 6
# Description: zmauditswatchctl service
### END INIT INFO
command()
{
  su - zimbra -c "zmauditswatchctl $1 </dev/null"
}
case "$1" in
  restart)
    command stop
    command start
    RETVAL=$?
    ;;
  start)
    command start
    RETVAL=$?
    ;;
  stop)
    command stop
    RETVAL=$?
    ;;
  reload|status)
    command $1
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status}"
    RETVAL=1
esac
exit $RETVAL
Copy the script into the init.d directory and add it to the boot sequence:
For RHEL/CentOS 5/6 or SLES 11:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on
For Ubuntu:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar
tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable
Examples
Web Client
We will attack our Zimbra lab using one username and a bad password, 10 times:
The result is that the user can't log in anymore for 15 minutes:
zmauditswatchctl will send a notification to the email address that we defined before:
If we open the mail, we'll find more information:
SMTP
Sometimes we don't have a complete report of SMTP authentication failures, which leaves us vulnerable to a brute force or dictionary attack. With zmauditswatch enabled, we will receive an email notification if we are attacked over SMTP.
zmauditswatch will send a notification to the email address that we defined before:
If we open the mail, we'll find more information:
Log File
We can check the log /opt/zimbra/log/zmauditswatch.out:
zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct 1 11:51:31 CEST 2014
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP:Acct failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
Account failure threshold exceeded: X.X.X.X admin@labzimbra.zimbra.com
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for admin@labzimbra.zimbra.com
NOTE: The above script is an example; please configure it with your own parameters.