Revision as of 12:54, 1 October 2014 by Jorge de la Cruz (talk | contribs)
This article applies to the following ZCS versions: ZCS 8.5 and ZCS 8.0.

zmauditswatch notifies a specific e-mail address of a potential brute force attack when certain conditions are met. This service gives us early warning of brute force attacks, helping to protect our Zimbra Collaboration infrastructure.


zmauditswatch should be run by the user "zimbra". Before using zmauditswatch we need to configure it.

We need to create these two files to store the parameters set in the next step:

touch /opt/zimbra/conf/auditswatchrc
touch /opt/zimbra/conf/

Once the previous files are created, it is time to configure the parameters of zmauditswatch:


You can change any of these numbers to suit your environment; read the next section to understand each parameter.

Script Options Explanation

The script ships with 4 authentication failure checks.

  • (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combination within a 60 second window.
  • (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single-host attack across multiple accounts.
  • (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.
  • (zimbra_swatch_notice_user) - The e-mail address that is notified when the conditions above are met.

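The four checks above are all the same mechanism: a count of authentication failures inside a sliding 60 second window, keyed by IP and account, by account only, by IP only, or by nothing at all. The Python below is an added illustration of that logic and is not Zimbra's zmauditswatch code. The thresholds are the article's defaults; the log line format it parses is constructed for this example and is not the real Zimbra audit.log format, and its notice strings only mirror the ones shown in the log file section of this article.

```python
"""Sliding-window authentication-failure checks in the style of zmauditswatch.

Added illustration, not Zimbra's own zmauditswatch code. The four checks and
their default thresholds (10 / 15 / 20 / 1000 failures in 60 seconds) are taken
from the article; the input line format below is CONSTRUCTED for this example
and is not the real Zimbra audit.log format.
"""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the article's 60 second window

# Defaults from the article, keyed by the matching zimbra_swatch_* parameter.
THRESHOLDS = {
    "ipacct": 10,    # zimbra_swatch_ipacct_threshold: one IP against one account
    "acct": 15,      # zimbra_swatch_acct_threshold: any IP against one account
    "ip": 20,        # zimbra_swatch_ip_threshold: one IP against any account
    "total": 1000,   # zimbra_swatch_total_threshold: all failures on the server
}

# Labels mirror the notice lines shown in zmauditswatch.out in the article.
LABELS = {"ipacct": "IP:Acct", "acct": "Account", "ip": "IP", "total": "Total"}

# Constructed line format: "<epoch seconds> ip=<address> account=<name> auth failed"
LINE_RE = re.compile(r"^(\d+) ip=(\S+) account=(\S+) auth failed$")


def parse_failure(line):
    """Return (timestamp, ip, account) for an auth-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


class ThresholdWatcher:
    """Keeps one sliding window of failure timestamps per check and per key."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
        self.thresholds = dict(thresholds)
        self.window = window
        self.events = {check: defaultdict(deque) for check in self.thresholds}

    def _record(self, check, key, ts):
        """Add one failure for key, drop entries outside the window, return count."""
        q = self.events[check][key]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q)

    def feed(self, line):
        """Process one log line; return the notices it triggers (usually none)."""
        parsed = parse_failure(line)
        if parsed is None:
            return []
        ts, ip, acct = parsed
        keys = {"ipacct": f"{ip}:{acct}", "acct": acct, "ip": ip, "total": "*"}
        notices = []
        for check, threshold in self.thresholds.items():
            key = keys[check]
            # Alert at the moment the count reaches the threshold, so a sustained
            # attack produces one notice per crossing rather than one per line.
            if self._record(check, key, ts) == threshold:
                notices.append(f"{LABELS[check]} failure threshold exceeded: {key}")
        return notices


# Constructed sample log: three failure patterns, one stale line, one unrelated line.
SAMPLE_LOG = (
    [f"{1000 + i} ip=203.0.113.5 account=alice auth failed" for i in range(12)]
    + [f"{1012 + i} ip=198.51.100.{7 + i} account=alice auth failed" for i in range(5)]
    + [f"{1020 + i} ip=192.0.2.9 account=user{i:02d} auth failed" for i in range(20)]
    + ["1100 ip=203.0.113.5 account=alice auth failed",  # 100 s later: old window expired
       "1101 some unrelated log line"]
)


def run(lines, watcher=None):
    """Feed every line to a watcher and return all notices in order."""
    watcher = watcher if watcher is not None else ThresholdWatcher()
    notices = []
    for line in lines:
        notices.extend(watcher.feed(line))
    return notices


if __name__ == "__main__":
    for notice in run(SAMPLE_LOG):
        print(notice)
```

On the sample log the IP/account check fires first (one address, one account), then the account check once more addresses join in against the same account, then the IP check once a single address has spread over 20 accounts; the stale line 100 seconds later starts a fresh window and triggers nothing. Lowering zimbra_swatch_total_threshold far below the recommended 1% of active accounts, as the last test does, shows how quickly the total check becomes noisy.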

zmauditswatch is very easy to activate once everything is configured; we just need to start the script:

zmauditswatchctl start

We can stop it:

zmauditswatchctl stop

And show its status:

zmauditswatchctl status


Web Client

To test the detection we log in to our Zimbra lab with one username and a wrong password, 10 times.

The result is that the user can no longer log in.

zmauditswatch then sends a notification to the e-mail address we defined before.

Opening the mail gives us more information about the detected failures.


Sometimes we do not have a complete report of SMTP authentication failures, which leaves us exposed to a brute force or dictionary attack. With zmauditswatch enabled, we receive an e-mail notification when such an attack arrives over SMTP.

zmauditswatch sends a notification to the e-mail address we defined before.

Opening the mail gives us more information about the detected failures.

Log File

We can check the log file /opt/zimbra/log/zmauditswatch.out:

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X
IP:Acct failure threshold exceeded: X.X.X.X
Account failure threshold exceeded: X.X.X.X
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for

NOTE: The values above are an example; configure the script with your own parameters. Consult the Release Notes for the specific version you upgraded to.
