Revision as of 22:44, 4 October 2014 by Jorge de la Cruz (talk | contribs)

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.5 Article ZCS 8.5ZCS 8.0 Article ZCS 8.0



Zmauditswatch is a ZCS service that notifies the administrator (through any pre-defined e-mail address) of a potential brute force attack for any account hosted by Zimbra by looking at the authentication failure information. Thresholds can be configured per account, IP and account & IP.

Script Options Explanation

The script ships with 4 authentication failure checks.

  • (zimbra_swatch_ipacct_threshold) - IP/Account hash check which warns on 10 auth failures from an IP/Account combo within a 60 second window.
  • (zimbra_swatch_acct_threshold) - Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
  • (zimbra_swatch_ip_threshold) - IP check which warns on 20 auth failures to any account within a 60 second windows. Attempts to detect a single host based attack across multiple accounts.
  • (zimbra_swatch_total_threshold) - Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value on this is guestimated at 1% of active accounts for the Mailbox.
  • (zimbra_swatch_notice_user) - The email address that we want to be worn when all the conditions happens.

Default values

The default values of zmauditswatch are the next:



zmauditswatch should be run by the user "zimbra". For use zmauditswatch we need to configure it first. The only required configuration is zimbra_swatch_notice_user. The other parameters will use defaults if unspecified.

zmlocalconfig -e zimbra_swatch_notice_user

You can change any of this numbers for accommodate to your environment:

zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60


zmauditswatch is very easy to activate once we configured everything, we just need to start the script:

zmauditswatchctl start

We can stop it

zmauditswatchctl stop

Show the status

zmauditswatchctl status

Activate it in Boot Sequence

For default zmauditswatch doesn't load at start-up, if we want to keep zmauditswatch activated also if the machine's reboot. We need to download this file Media:Zmauditswatch.tar‎ or create by ourselves:

# Init file for zmauditswatchctl
# chkconfig: 345 99 01
# description: zmauditswatchctl service
# Provides:       zmauditswatch
# Required-Start: $network $remote_fs $syslog $time nscd cron zimbra
# Required-Stop:  $network $remote_fs $syslog $time zimbra
# Default-Start:  3 5
# Default-Stop:   0 1 6
# Description:    zmauditswatchctl service

        su - zimbra -c "zmauditswatchctl $1 </dev/null"

case "$1" in
                command stop
                command start
                command start
                command stop
                command $1
                echo $"Usage: $0 {start|stop|restart|reload|status}"
exit $RETVAL

Copy the script into our init.d directory, and add it into the boot sequence:

For RHEL/CentOS 5/6 or SLES 11:

tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
chkconfig zmauditswatch on

For Ubuntu:

tar xvf Zmauditswatch.tar
cp zmauditswatch /etc/init.d/zmauditswatch
chmod 755 /etc/init.d/zmauditswatch
sudo update-rc.d zmauditswatch defaults
sudo update-rc.d zmauditswatch enable


Web Client

We will try to attack our Zimbra Lab with one username and bad password, 10 times: Zmauditswatch-001.png

The result will be that the user can't do login anymore for 15 minutes: Zmauditswatch-006.png

The Zmauditswatchctl will send a notification to the email address that we defined before: Zmauditswatch-002.png

If we open the mail, we'll obtain more information Zmauditswatch-003.png


Sometimes we don't have a complete report of the SMTP fails, and we can be vulnerable under a brute force or Dictionary attack. With zmauditswatch enabled, we will be capable of obtain a email notification if we have an attack under SMTP.

The Zmauditswatch will send a notification to the email address that we defined before: Zmauditswatch-004.png

If we open the mail, we'll obtain more information Zmauditswatch-005.png

Log File

We can check into the log /opt/zimbra/log/zmauditswatch.out

zimbra@lab:~/bin$ tail -20 /opt/zimbra/log/zmauditswatch.out
*** auditswatch version 3.2.3 (pid:24029) started at Wed Oct  1 11:51:31 CEST 2014

IP:Acct failure threshold exceeded: X.X.X.X
IP:Acct failure threshold exceeded: X.X.X.X
Account failure threshold exceeded: X.X.X.X
IP failure threshold exceeded: X.X.X.X exceeded threshold on failure for

NOTE : Please configure with your own parameters the above script, it's an example.

Verified Against: ZCS 8.0.x & 8.5.x Date Created: 10/1/2014
Article ID: Date Modified: 2014-10-04

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search