ZCS Administrator Guide 8.0, Open Source Edition
To protect against dictionary-based and distributed attacks, you can configure the zmauditwatch script. The script attempts to detect more advanced attacks by looking at where the authentication failures are coming from and how frequently they are happening for all accounts on a Zimbra mailbox server, and it sends an email alert to the administrator's mailbox when a threshold is exceeded.
- IP/Account hash check. The default is to send an email alert if 10 authentication failures from an IP/account combination occur within a 60 second window.
- Account check. The default is to send an email alert if 15 authentication failures from any IP address occur within a 60 second window. This check attempts to detect a distributed hijack based attack on a single account.
- IP check. The default is to send an email alert if 20 authentication failures to any account occur within a 60 second window. This check attempts to detect a single host based attack across multiple accounts.
- Total authentication failure check. The default is to send an email alert if 1000 authentication failures from any IP address to any account occur within 60 seconds. The default should be modified to be 1% of the active accounts on the mailbox server.

The default values that trigger an email alert are changed in the following zmlocalconfig parameters:
- IP/Account value, change zimbra_swatch_ipacct_threshold
- Account check, change zimbra_swatch_acct_threshold
- IP check, change zimbra_swatch_ip_threshold
- Total authentication failure check, change zimbra_swatch_total_threshold
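To make the four checks and their thresholds concrete, the following Python model implements the same sliding-window counting over a stream of authentication failures: one counter keyed by IP/account pair, one by account, one by IP, and one total, each compared against its threshold within a 60 second window. This is an added example for illustration, not Zimbra's own zmauditwatch script; the log line format, the IP addresses and the account names are constructed for the example (real Zimbra audit.log lines look different), and the `total_threshold_for` helper is an assumed way of applying the guide's "1% of active accounts" advice.

```python
"""Sliding-window model of the four zmauditwatch checks (added example, not Zimbra code)."""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60

# Guide defaults, with the zmlocalconfig key that changes each one.
DEFAULT_THRESHOLDS = {
    "ipacct": 10,    # zimbra_swatch_ipacct_threshold
    "acct": 15,      # zimbra_swatch_acct_threshold
    "ip": 20,        # zimbra_swatch_ip_threshold
    "total": 1000,   # zimbra_swatch_total_threshold (guide: tune to 1% of active accounts)
}


def total_threshold_for(active_accounts, floor=1):
    """1% of the active accounts, rounded up, never below `floor` (assumed rounding rule)."""
    return max(floor, -(-active_accounts // 100))


class AuthFailureWatcher:
    """Counts failures per key inside a trailing window and reports threshold crossings."""

    def __init__(self, thresholds=None, window=WINDOW_SECONDS):
        self.thresholds = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self.window = window
        # For every check, a deque of failure timestamps per key (IP/account pair, account, IP, "*").
        self.events = {check: defaultdict(deque) for check in self.thresholds}

    def _record(self, check, key, ts):
        q = self.events[check][key]
        q.append(ts)
        # Evict timestamps that have fallen out of the trailing window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q)

    def failure(self, ts, ip, account):
        """Record one failed authentication; return the (check, key) alerts it triggers."""
        keys = {"ipacct": (ip, account), "acct": account, "ip": ip, "total": "*"}
        alerts = []
        for check, key in keys.items():
            count = self._record(check, key, ts)
            # Fire exactly when the count reaches the threshold, i.e. once per upward crossing.
            if count == self.thresholds[check]:
                alerts.append((check, key))
        return alerts


# Constructed, simplified line format: "HH:MM:SS auth failed ip=<ip> account=<account>".
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) auth failed ip=(\S+) account=(\S+)$")


def parse_line(line):
    """Return (seconds_since_midnight, ip, account) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, ip, account = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), ip, account


def scan(lines, thresholds=None):
    """Feed parsed failures through the watcher and collect every alert in order."""
    watcher = AuthFailureWatcher(thresholds)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            alerts.extend(watcher.failure(*parsed))
    return alerts


# Constructed sample: one host hammers one account (11 failures in 11 s), then spreads
# over ten other accounts within the same minute; a stray failure five minutes later
# from a different host is outside every window.
SAMPLE_LOG = [f"10:00:{i:02d} auth failed ip=203.0.113.7 account=alice@example.com" for i in range(11)]
SAMPLE_LOG += [f"10:00:{20 + i:02d} auth failed ip=203.0.113.7 account=user{i}@example.com" for i in range(10)]
SAMPLE_LOG += ["10:05:00 auth failed ip=198.51.100.9 account=bob@example.com"]

if __name__ == "__main__":
    for check, key in scan(SAMPLE_LOG):
        print(f"ALERT {check}: {key}")
    print("total threshold for 2500 active accounts:", total_threshold_for(2500))
```

Running the sample produces two alerts: the IP/Account check fires on the 10th failure for the pair (203.0.113.7, alice@example.com), and the IP check fires when that host's failures across all accounts reach 20. The account check stays quiet because no single account collects 15 failures, and the total check stays far below 1000, which is why the guide suggests lowering that value to about 1% of the server's active accounts.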