ZCS Administrator's Guide Network Edition 6.0.8
To guard against simple password harvest attacks, a ZCS account authentication password policy can be configured to ensure strong passwords, and a failed login policy can be set to lock out accounts that fail to log in after the maximum number of attempts. These policies protect against targeted account attacks, but do not provide visibility into dictionary and distributed attacks. The zmauditwatch script attempts to detect these more advanced attacks by looking at where the authentication failures are coming from and how frequently they are happening for all accounts on a Zimbra mailbox server, and sends an email alert to the administrator's mailbox.
• IP/Account hash check. The default is to send an email alert if 10 authentication failures from an IP/account combination occur within a 60 second window.
• Account check. The default is to send an email alert if 15 authentication failures from any IP address occur within a 60 second window. This check attempts to detect a distributed hijack-based attack on a single account.
• IP check. The default is to send an email alert if 20 authentication failures to any account occur within a 60 second window. This check attempts to detect a single host-based attack across multiple accounts.
• Total authentication failure check. The default is to send an email alert if 1000 auth failures from any IP address to any account occur within 60 seconds. The default should be modified to be 1% of the active accounts on the mailbox server.
The default values that trigger an email alert are changed in the following zmlocalconfig parameters:
• IP/Account hash check, change zimbra_swatch_ipacct_threshold
• Account check, change zimbra_swatch_acct_threshold
• IP check, change zimbra_swatch_ip_threshold
• Total authentication failure check, change zimbra_swatch_total_threshold
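As an added example (not the zmauditwatch script itself, whose internals the guide does not describe), the following Python models the four checks as trailing 60-second windows and runs them over constructed sample failure records. The thresholds are the page's defaults; the record format, the one-alert-per-key behaviour and the 1% helper are this example's own assumptions.

```python
from collections import defaultdict, deque

# Default thresholds from the guide, keyed to the zimbra_swatch_* localconfig
# parameter each one corresponds to (the mapping is this example's own).
THRESHOLDS = {
    "ipacct": 10,   # zimbra_swatch_ipacct_threshold
    "acct": 15,     # zimbra_swatch_acct_threshold
    "ip": 20,       # zimbra_swatch_ip_threshold
    "total": 1000,  # zimbra_swatch_total_threshold
}
WINDOW = 60  # seconds

def recommended_total_threshold(active_accounts):
    """The guide's advice: set the total-failure threshold to 1% of active
    accounts on the mailbox server (rounded, never below 1)."""
    return max(1, round(active_accounts * 0.01))

def detect(failures, thresholds=THRESHOLDS, window=WINDOW):
    """failures: time-ordered (timestamp_seconds, source_ip, account) tuples,
    one per authentication failure (format assumed for this example).
    Returns (check, key, timestamp) alerts; a given check/key alerts once,
    when its count in the trailing window first reaches the threshold."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, ip, acct in failures:
        keys = {"ipacct": (ip, acct), "acct": acct, "ip": ip, "total": "*"}
        for check, key in keys.items():
            dq = windows[(check, key)]
            dq.append(ts)
            while dq and ts - dq[0] >= window:  # drop events outside window
                dq.popleft()
            if len(dq) >= thresholds[check] and (check, key) not in alerted:
                alerted.add((check, key))
                alerts.append((check, key, ts))
    return alerts

def sample_failures():
    """Constructed sample: one host hammers a single account (trips the
    IP/account check at 10 and the account check at 15), then spreads across
    other accounts (trips the IP check at 20). Total stays far below 1000."""
    events = [(100 + i, "203.0.113.5", "alice@example.com") for i in range(15)]
    events += [(120 + i, "203.0.113.5", f"user{i}@example.com") for i in range(10)]
    return events

if __name__ == "__main__":
    for check, key, ts in detect(sample_failures()):
        print(f"t={ts}s {check} threshold reached for {key}")
```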