Configure zmauditswatch to get authentication failure notifications

   KB 24186        Last updated on 2020-12-13  

This wiki article is valid for ZCS 8.7.x, 8.8.x, and 9.0 versions with RHEL/CentOS 7/8 and Ubuntu 16/18.


Starting with ZCS v8.7.x, the zmauditswatch tool was broken.
This article configures the zmauditswatch tool to detect brute-force attacks against any hosted account by watching the authentication failure entries in the audit log.

Localconfig Keys Description

These are the authentication failure checks, each controlled by a localconfig key.

zimbra_swatch_notice_user: The email address that is warned when one of the conditions below is triggered.
zimbra_swatch_ipacct_threshold: IP/Account check which warns on 10 auth failures from one IP/Account combination within a 60 second window.
zimbra_swatch_acct_threshold: Account check which warns on 15 auth failures for one account from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.
zimbra_swatch_ip_threshold: IP check which warns on 20 auth failures from one IP to any account within a 60 second window. Attempts to detect a single host attacking multiple accounts.
zimbra_swatch_total_threshold: Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is guesstimated at 1% of the active accounts on the mailbox server.

Default Values

These are the default values shipped within the script "/opt/zimbra/bin/zmauditswatchctl" (the same numbers as in the descriptions above):

zimbra_swatch_ipacct_threshold=10
zimbra_swatch_acct_threshold=15
zimbra_swatch_ip_threshold=20
zimbra_swatch_total_threshold=1000
zimbra_swatch_threshold_seconds=60

Installation and Configuration Steps

1) Download and extract the zmauditswatch.patch.tar.gz file under the /tmp/ directory, then copy the extracted files to their required paths and set the ownership and permissions.

[Run as 'root'] 
wget -O /tmp/zmauditswatch.patch.tar.gz
tar xvf /tmp/zmauditswatch.patch.tar.gz -C /tmp/
cd /tmp/zmauditswatch.patch/ 
cp zmauditswatch.service /etc/systemd/system/zmauditswatch.service 
cp auditswatch /opt/zimbra/libexec/auditswatch
chown root:root /etc/systemd/system/zmauditswatch.service /opt/zimbra/libexec/auditswatch 
chmod 644 /etc/systemd/system/zmauditswatch.service  
chmod 755 /opt/zimbra/libexec/auditswatch

2) Set the email address that receives the notifications (put the address between the quotes).

su - zimbra 
zmlocalconfig -e zimbra_swatch_notice_user=""

3) Configure the threshold values. You can adjust them to your requirements; with the values below, every check counts failures within a 3600 second (one hour) window instead of the 60 second default.

su - zimbra 
zmlocalconfig -e zimbra_swatch_ipacct_threshold=5
zmlocalconfig -e zimbra_swatch_acct_threshold=5 
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
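To make the four checks and the sliding window concrete, here is an added Python model of the counting logic that zmauditswatch applies to audit.log (example code written for this article, not the Perl auditswatch shipped in the patch). It uses the threshold values from step 3; the audit.log line layout and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as set in step 3 of this article (constructed config, read here instead of zmlocalconfig).
THRESHOLDS = {"zimbra_swatch_ipacct_threshold": 5, "zimbra_swatch_acct_threshold": 5,
              "zimbra_swatch_ip_threshold": 20, "zimbra_swatch_total_threshold": 60,
              "zimbra_swatch_threshold_seconds": 3600}

# Timestamp, account name and originating IP (oip) of an audit.log authentication failure.
# The exact line layout is an assumption; adjust the pattern to your own audit.log.
AUTH_FAIL = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d).*?\[name=(?P<acct>[^;]*);oip=(?P<ip>[^;]*);"
                       r".*security - cmd=Auth;.*error=authentication failed")

def check_auth_failures(lines, cfg=THRESHOLDS):
    """Replay audit.log lines; return (check, bucket, count) for each warning that would be sent."""
    window = timedelta(seconds=cfg["zimbra_swatch_threshold_seconds"])
    checks = {  # check name -> (threshold key, how failures are grouped for that check)
        "ipacct": ("zimbra_swatch_ipacct_threshold", lambda acct, ip: f"{ip}/{acct}"),
        "acct":   ("zimbra_swatch_acct_threshold",   lambda acct, ip: acct),
        "ip":     ("zimbra_swatch_ip_threshold",     lambda acct, ip: ip),
        "total":  ("zimbra_swatch_total_threshold",  lambda acct, ip: "*"),
    }
    seen = {name: defaultdict(deque) for name in checks}   # per check: bucket -> failure times
    alerts = []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:                       # successful logins and unrelated entries are skipped
            continue
        t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for name, (key, group) in checks.items():
            bucket = group(m["acct"], m["ip"])
            q = seen[name][bucket]
            q.append(t)
            while t - q[0] > window:    # forget failures older than the sliding window
                q.popleft()
            if len(q) >= cfg[key]:      # threshold reached: warn once and reset the counter
                alerts.append((name, bucket, len(q)))
                q.clear()
    return alerts

def fail_line(ts, acct, ip):  # constructed audit.log failure entry (format approximated)
    return (f"{ts},000 INFO  [qtp1-2] [name={acct};oip={ip};ua=zclient/9.0;] security - cmd=Auth; "
            f"account={acct}; protocol=soap; error=authentication failed for [{acct}], invalid password;")

# Constructed sample: four failures over 15 minutes, a successful login, then five failures in
# five minutes two hours later. Only the last burst falls inside one 3600-second window.
SAMPLE_LOG = [fail_line(f"2020-12-13 10:{m:02d}:00", "alice@example.com", "203.0.113.5") for m in (0, 5, 10, 15)]
SAMPLE_LOG.append("2020-12-13 11:00:00,000 INFO  [qtp1-2] [name=bob@example.com;oip=198.51.100.7;] "
                  "security - cmd=Auth; account=bob@example.com; protocol=soap;")
SAMPLE_LOG += [fail_line(f"2020-12-13 12:{m:02d}:00", "alice@example.com", "203.0.113.5") for m in range(5)]
```

With these thresholds the burst at 12:00 raises both the IP/Account and the Account warning on its fifth failure, while the earlier four failures never reach five inside one window.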

4) The following files do not exist initially; create them as empty files with the "touch" command.

su - zimbra 
touch /opt/zimbra/conf/auditswatchrc 
touch /opt/zimbra/log/zmauditswatch.out 

5) Enable the zmauditswatch service to start at boot time, then start it and check that it is running.

[Run as 'root'] 
systemctl enable zmauditswatch
systemctl start zmauditswatch
systemctl status zmauditswatch 
systemctl restart zmauditswatch
systemctl status zmauditswatch  

6) Checking the service status shows output similar to the following.

[root@centos8 ~]# systemctl status zmauditswatch
 zmauditswatch.service - Zimbra Collaboration Suite Zmauditswatch
   Loaded: loaded (/etc/systemd/system/zmauditswatch.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-12-13 17:54:10 EST; 3s ago
  Process: 123018 ExecStop=/opt/zimbra/bin/zmauditswatchctl stop (code=exited, status=0/SUCCESS)
  Process: 123075 ExecStart=/opt/zimbra/bin/zmauditswatchctl start (code=exited, status=0/SUCCESS)
 Main PID: 123247 (auditswatch)
    Tasks: 2 (limit: 49500)
   Memory: 29.2M
   CGroup: /system.slice/zmauditswatch.service
           ├─123247 /usr/bin/perl /opt/zimbra/libexec/auditswatch --config-file=/opt/zimbra/conf/auditswatchrc --use-cpan-file-tail --script-dir=/opt/zimbra/data/tmp --tail-file /opt/zimbra/log/aud>
           └─123263 /usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.123247

Dec 13 17:54:09 systemd[1]: zmauditswatch.service: Succeeded.
Dec 13 17:54:09 systemd[1]: Stopped Zimbra Collaboration Suite Zmauditswatch.
Dec 13 17:54:09 systemd[1]: Starting Zimbra Collaboration Suite Zmauditswatch...
Dec 13 17:54:10 systemd[1]: Started Zimbra Collaboration Suite Zmauditswatch.

Submitted by: Heera Singh Koranga
Verified Against: ZCS 8.7, 8.8, 9.0
Date Created: 2020-12-13
Date Modified: 2020-12-13
