|This article applies to the following ZCS versions.|
Zmauditswatch is a ZCS service that notifies the administrator (through any pre-defined e-mail address) of a potential brute force attack for any account hosted by Zimbra by looking at the authentication failure information. Thresholds can be configured per account, IP and account & IP.
Script Options Explanation
The script ships with 4 authentication failure checks.
- (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combo within a 60 second window.
- (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
- (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second windows. Attempts to detect a single host based attack across multiple accounts.
- (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value on this is guestimated at 1% of active accounts for the Mailbox.
- (zimbra_swatch_notice_user) - The email address that we want to be worn when all the conditions happens.
The default values of zmauditswatch are the next, and they will come harcoded inside the file auditswatchrc.in :
zimbra_swatch_ipacct_threshold=10 zimbra_swatch_acct_threshold=10 zimbra_swatch_ip_threshold=20 zimbra_swatch_total_threshold=100
zmauditswatch should be run by the user "zimbra". For use zmauditswatch we need to configure it first.
Here is the parameters to configure zmauditswatch:
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10 zmlocalconfig -e zimbra_swatch_acct_threshold=15 zmlocalconfig -e zimbra_swatch_ip_threshold=20 zmlocalconfig -e zimbra_swatch_total_threshold=60 zmlocalconfig -e zimbra_swatch_notice_user email@example.com
You can change any of this numbers for accommodate to your Environment, read the next section for understand each command.
zmauditswatch is very easy to activate once we configured everything, we just need to start the script:
We can stop it
Show the status
Activate it in Boot Sequence
For default zmauditswatch doesn't load at start-up, if we want to keep zmauditswatch activated also if the machine's reboot. We need to download this file Media:Zmauditswatch.tar, copy into our init.d directory, and add it into the boot sequence:
For RHEL/CentOS 5/6 or SLES 11:
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar tar xvf Zmauditswatch.tar cp zmauditswatch /etc/init.d/zmauditswatch chmod 755 /etc/init.d/zmauditswatch chkconfig zmauditswatch on
wget https://wiki.zimbra.com/images/d/d9/Zmauditswatch.tar tar xvf Zmauditswatch.tar cp zmauditswatch /etc/init.d/zmauditswatch chmod 755 /etc/init.d/zmauditswatch sudo update-rc.d zmauditswatch defaults sudo update-rc.d zmauditswatch enable
Sometimes we don't have a complete report of the SMTP fails, and we can be vulnerable under a brute force or Dictionary attack. With zmauditswatch enabled, we will be capable of obtain a email notification if we have an attack under SMTP.
We can check into the log /opt/zimbra/log/zmauditswatch.out
zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out *** auditswatch version 3.2.3 (pid:24029) started at Wed Oct 1 11:51:31 CEST 2014 IP:Acct failure threshold exceeded: X.X.X.X firstname.lastname@example.org IP:Acct failure threshold exceeded: X.X.X.X email@example.com Account failure threshold exceeded: X.X.X.X firstname.lastname@example.org IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for email@example.com
NOTE : Please configure with your own parameters the above script, it's an example. Consult the specific Release Notes for the version you upgraded to.