#1
03-11-2009, 08:45 AM
Advanced Member
Posts: 220

Add alert when account locked

Hello,

I set my COS "password area" to lock the account after three failures. Is it possible to add an alert to the admin when the account is locked, and how do I change the default text in the webmail client? When the client tries to log in, the message that appears is not clear.

There is no difference between a wrong password and a locked account: "The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password."

Cheers,
#2
03-11-2009, 05:32 PM
Zimbra Employee
Posts: 114

Quote: Originally Posted by snake_eyes (post #1, quoted in full)
There's currently no way to modify this text. I'd suggest posting an RFE at Bugzilla Main Page to have that added in a future version of ZCS.
#3
03-11-2009, 05:55 PM
Advanced Member
Posts: 220

Added successfully!
Bug 36073 – Add notification to the addmin when account is locked.

Thank you
#4
03-11-2009, 07:51 PM
Moderator
Posts: 6,237

BTW GnR has Bug 32586 - script to watch for auth failures

zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
/opt/zimbra/bin/zmauditswatchctl start

Then you can configure what you want to check for in /opt/zimbra/conf/auditswatchrc & its .in file (and reload), or via these easy localconfig attributes:

Quote:
zimbra_swatch_ipacct_threshold=10 (max failures for an IP & account pair)
zimbra_swatch_acct_threshold=15 (max failures for an account)
zimbra_swatch_ip_threshold=20 (max failures for a specific IP)
zimbra_swatch_total_threshold=60 (all failures max trigger count)
zimbra_swatch_threshold_seconds=60 (the duration window it has to happen in)
So you could use that with thresholds set equal to your auto-lock limit of 3 & timeframe of x.

---

We currently use the same message on purpose, as it's a security risk to state if the username is correct in auth failures.

i.e., if you displayed "username invalid" vs "password invalid", a malicious individual now knows where to focus their access efforts. Same reason we don't list how long till the lockout expires.

If you want to modify your own:
/opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/messages/ZmMsg.properties (or respective language) & modify loginError =

Though you could certainly make this into an "optionally display lockout info/auth failure reason" RFE (or a 2nd one).
Such as requesting a loginErrorReason string configured/toggled by a zimbraExposeAuthFailureReason TRUE/FALSE attribute.

(Taking the same principle as we do for zimbraSoapExposeVersion, zimbra[Lmtp, Pop3, Imap]ExposeVersionOnBanner, & zimbraReverseProxy[Imap/Pop3]ExposeVersionOnBanner.)

So you'd have:
Quote:
loginError = The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. \
loginErrorReason = You have attempted login more than {zimbraPasswordLockoutMaxFailures} times in {zimbraPasswordLockoutFailureLifetime}; please wait {zimbraPasswordLockoutDuration} before attempting again, as your account is in temporary lockout. \
If this message persists please contact the IT helpdesk via phone/ticket portal.
Note we don't apply the failures limit to external auth, as that third party system should be enforcing the lock out.

Your Bug 36073 - Add notification to the addmin when account is locked. is very similar to Bug 23625 - Account Lockout Option.

Last edited by mmorse; 03-11-2009 at 09:07 PM..
#5
03-12-2009, 03:22 AM
Advanced Member
Posts: 220
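The threshold logic mmorse describes above, as an added Python example (not Zimbra's own zmauditswatch code): it applies the four zimbra_swatch_*_threshold counts inside a zimbra_swatch_threshold_seconds sliding window to constructed audit-log lines. The line layout, the oip= and account= field names and the "authentication failed" error text are assumptions about audit.log, not taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults mirror the zimbra_swatch_* localconfig keys quoted above, with the
# account counts lowered to a COS lockout limit of 3 failures in 60 s.
THRESHOLDS = {"ipacct": 3, "acct": 3, "ip": 20, "total": 60}
WINDOW = timedelta(seconds=60)  # zimbra_swatch_threshold_seconds

# Assumed audit.log shape (not verified against Zimbra): timestamp, oip=, account=, error text.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?oip=(?P<ip>[^;\]]+)"
                     r".*?account=(?P<acct>[^;]+);.*?authentication failed")
FAIL = "authentication failed, invalid password"
def _line(ts, acct, ip, err=None):  # builds a constructed sample line in the assumed format
    tail = f" error={err};" if err else ""
    return f"{ts},000 WARN [soap] [name={acct};oip={ip};] security - cmd=Auth; account={acct}; protocol=soap;{tail}"

# Constructed sample: alice fails 3 times in 8 s; bob fails, succeeds, then fails 130 s later.
SAMPLE_LOG = [
    _line("2009-03-11 08:45:01", "alice@example.com", "10.0.0.5", FAIL),
    _line("2009-03-11 08:45:05", "alice@example.com", "10.0.0.5", FAIL),
    _line("2009-03-11 08:45:09", "alice@example.com", "10.0.0.5", FAIL),
    _line("2009-03-11 08:45:20", "bob@example.com", "10.0.0.9", FAIL),
    _line("2009-03-11 08:45:25", "bob@example.com", "10.0.0.9"),
    _line("2009-03-11 08:47:30", "bob@example.com", "10.0.0.9", FAIL),
]
def parse_failure(line):
    """Return (timestamp, account, ip) for an auth-failure line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("acct"), m.group("ip")

def find_alerts(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Sliding-window counters per key; one (kind, key, when) alert on first breach."""
    recent = defaultdict(deque)  # (kind, key) -> failure timestamps inside the window
    fired, alerts = set(), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # successes and unrelated lines do not count
        ts, acct, ip = hit
        for kind, key in (("ipacct", f"{ip}/{acct}"), ("acct", acct), ("ip", ip), ("total", "*")):
            q = recent[(kind, key)]
            q.append(ts)
            while ts - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= thresholds[kind] and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, ts))
    return alerts
```

With the sample data only alice trips the ipacct and acct thresholds, at her third failure; bob's two failures are 130 s apart and never accumulate.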

1. In regard to the notification when the account has been locked, I ran the following steps.

$ sudo pico /opt/zimbra/conf/auditswatchrc.in
add this parameter: zimbra_swatch_acct_threshold=3
$ sudo su zimbra
$ zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
$ /opt/zimbra/bin/zmauditswatchctl start

and I logged in with my user with a wrong password 5 times.

I. I didn't receive any alert message.
II. What is the reverse command to zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com, in order to remove the value of zimbra_swatch_notice_user?

2. In regard to the second question, there is no messages directory inside WEB-INF for this path: /opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/messages/ZmMsg.properties

Cheers,

Last edited by snake_eyes; 03-12-2009 at 03:29 AM..
#6
03-03-2010, 02:05 AM
Intermediate Member
Posts: 22

Hello,

I'm running a version where this binary is not yet included (zmauditswatchctl) so I'm looking for another way to do this. The only thing that comes to my mind is:
1. running "zmprov gaa" into a file so I get all accounts
2. running "zmprov ga <account> | grep zimbraAccountStatus" for every line in this file and look for "lockout"

This, in a script, running every two minutes or so by a cronjob, and sending the results by mail, would be my idea. The downside: Running step 1 takes approx. 6 seconds, step 2 takes approx. 4 seconds (for one account, that is). We have about 95 accounts, so a single run of this script would take 6-7 minutes alone.

Is there a better way to, perhaps, check all accounts for lockout with a single command?

Regards, Jay
#7
03-03-2010, 06:47 AM
Zimbra Employee
Posts: 114

Quote: Originally Posted by Jay2k1 (post #6, quoted in full)
It would probably be a good idea to upgrade to a later version of ZCS. There have been so many improvements since 5.0.9. However, if that's not an option, you should be able to limit the amount of time this takes by doing a batch zmprov command. Something like:
Code:
# dump every account name once, then build one batch of zmprov commands
zmprov gaa > /tmp/accounts.txt
: > /tmp/zmprov.txt   # start from an empty batch file so old entries don't pile up
for account in `cat /tmp/accounts.txt`
do
echo "ga $account zimbraAccountStatus" >> /tmp/zmprov.txt
done

# one zmprov process for the whole batch; the pattern matches both the
# "locked" and the password-failure "lockout" status values
zmprov < /tmp/zmprov.txt | grep -B1 'zimbraAccountStatus: lock'
this would produce output of something like this:
Code:
# name user@domain.com
zimbraAccountStatus: locked
for each account that is locked.
#8
03-03-2010, 07:28 AM
Intermediate Member
Posts: 22

Yay, thanks, that makes it 30 seconds per run.

I know I should seriously consider upgrading, but there are quite a few versions between mine and the current one, so I'm a bit afraid of doing the upgrade. I'll have to grab some spare server, install the same OS, patch it, then install the old ZCS, copy the zimbra dir from the current server to that test server, and then perform the upgrade on it and see if all goes well. That's quite time consuming; someday in the future I will definitely do this (as we have some other issues as well which have been fixed in the meantime), but I won't do it in the next weeks, I guess.
Anyway, thank you for the code!
#9
03-24-2010, 01:48 AM
Intermediate Member
Posts: 15

Hi all!
I set it up the same as snake_eyes, but it's not OK. Can you help me step by step?
Thanks.
#10
06-03-2010, 07:46 AM
Active Member
Posts: 28

Hello,
When I run


zmauditswatchctl start
/opt/zimbra/conf/auditswatchrc is missing.
Starting auditswatch.../opt/zimbra/conf/auditswatchrc template not found.

How can I fix it?

Many thanks,