
Thread: Add alert when account locked

  1. #1
    snake_eyes is offline Advanced Member
    Join Date
    Nov 2008
    Posts
    237
    Rep Power
    6

    Default Add alert when account locked

    Hello,

    I set my COS "password area" to lock the account after three failed attempts. Is it possible to send an alert to the admin when the account is locked? And how do I change the default text in the webmail client? When the client tries to log in, the message that appears is not clear.

    There is no difference between the message for a wrong password and the one shown when the account is locked: "The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password."

    Cheers,

  2. #2
    tonster is offline Zimbra Employee
    Join Date
    Dec 2007
    Location
    Ypsilanti, MI
    Posts
    142
    Rep Power
    7

    Default

    Quote Originally Posted by snake_eyes View Post
    Hello,

    I set my COS "password area" to lock the account after three failed attempts. Is it possible to send an alert to the admin when the account is locked? And how do I change the default text in the webmail client? When the client tries to log in, the message that appears is not clear.

    There is no difference between the message for a wrong password and the one shown when the account is locked: "The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password."

    Cheers,
    There's currently no way to modify this text. I'd suggest posting an RFE at Bugzilla Main Page to have that added in a future version of ZCS.

  3. #3
    snake_eyes is offline Advanced Member
    Join Date
    Nov 2008
    Posts
    237
    Rep Power
    6

  4. #4
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    20

    Default

    BTW GnR has Bug 32586 - script to watch for auth failures

    zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
    /opt/zimbra/bin/zmauditswatchctl start

    Then you can configure what you want to check for in /opt/zimbra/conf/auditswatchrc & its .in file (and reload) or via these easy localconfig attributes:

    zimbra_swatch_ipacct_threshold=10 (max failures for an IP & account pair)
    zimbra_swatch_acct_threshold=15 (max failures for an account)
    zimbra_swatch_ip_threshold=20 (max failures for a specific IP)
    zimbra_swatch_total_threshold=60 (all failures max trigger count)
    zimbra_swatch_threshold_seconds=60 (the duration window it has to happen in)
    So you could use that with thresholds set equal to your auto-lock limit of 3 & timeframe of x.

    ---

    We currently use the same message on purpose, as it's a security risk to state if the username is correct in auth failures.

    i.e., if you displayed "username invalid" vs "password invalid", a malicious individual now knows where to focus their access efforts. Same reason we don't list how long till the lockout expires.

    If you want to modify your own:
    /opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/messages/ZmMsg.properties (or respective language) & modify loginError =

    Though you could certainly make this into an "optionally display lockout info/auth failure reason" RFE (or 2nd).
    Such as requesting a loginErrorReason string configured/toggled by a zimbraExposeAuthFailureReason TRUE/FALSE attribute.


    (Taking the same principle as we do for zimbraSoapExposeVersion, zimbra[Lmtp, Pop3, Imap]ExposeVersionOnBanner, & zimbraReverseProxy[Imap/Pop3]ExposeVersionOnBanner.)

    So you'd have:
    loginError = The username or password is incorrect. Verify that CAPS LOCK is not on, and then retype the current username and password. \
    loginErrorReason = You have attempted login more than {zimbraPasswordLockoutMaxFailures} times in {zimbraPasswordLockoutFailureLifetime} please wait {zimbraPasswordLockoutDuration} before attempting again as your account is in temporary lockout. \
    If this message persists please contact the IT helpdesk via phone/ticket portal.
    Note we don't apply the failures limit to external auth, as that third party system should be enforcing the lock out.

    Your Bug 36073 - Add notification to the addmin when account is locked. is very similar to Bug 23625 - Account Lockout Option.
    Last edited by mmorse; 03-11-2009 at 09:07 PM.
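
The four thresholds in the post above, worked through as a sliding-window counter. This is an added example, not Zimbra's zmauditswatch code and not part of the original post; the three-field input format and the function name `check_auth_failures` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sliding-window failure counting for the four swatch thresholds.
# Input is CONSTRUCTED and simplified (NOT Zimbra's real audit.log format):
#   <epoch-seconds> <client-ip> <account>    one line per failed login, oldest first
# Variable defaults are the values quoted in the post above.
: "${T_IPACCT:=10}" "${T_ACCT:=15}" "${T_IP:=20}" "${T_TOTAL:=60}" "${WINDOW:=60}"

check_auth_failures() {
  awk -v win="$WINDOW" -v t_ipacct="$T_IPACCT" -v t_acct="$T_ACCT" \
      -v t_ip="$T_IP" -v t_total="$T_TOTAL" '
    # Record one failure for (kind, key); report once when the number of
    # failures still inside the window reaches the limit.
    function hit(kind, key, limit, ts,    k, live) {
      k = kind SUBSEP key
      if (!(k in head)) head[k] = 1
      stamp[k, ++tail[k]] = ts + 0
      # Expire failures that are older than the window.
      while (head[k] <= tail[k] && stamp[k, head[k]] <= ts - win) {
        delete stamp[k, head[k]]
        head[k]++
      }
      live = tail[k] - head[k] + 1
      if (live >= limit && !(k in fired)) { fired[k] = 1; print kind, key, live }
    }
    NF == 3 {
      hit("ipacct", $2 "+" $3, t_ipacct, $1)   # one IP hammering one account
      hit("acct",   $3,        t_acct,   $1)   # one account, any source IP
      hit("ip",     $2,        t_ip,     $1)   # one IP, any account
      hit("total",  "all",     t_total,  $1)   # every failure on the server
    }'
}

# CONSTRUCTED sample: five failures for one account, spread over two IPs.
SAMPLE_FAILURES='1000 10.0.0.5 alice@example.com
1010 10.0.0.5 alice@example.com
1090 10.0.0.5 alice@example.com
1100 10.0.0.6 alice@example.com
1120 10.0.0.5 alice@example.com'

# With the IP+account and account limits set to 3 (the auto-lock limit from the
# thread), only the per-account counter trips: the first two failures age out of
# the 60-second window and the rest are split across two IPs.
# T_IPACCT=3; T_ACCT=3; printf '%s\n' "$SAMPLE_FAILURES" | check_auth_failures
```
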

  5. #5
    snake_eyes is offline Advanced Member
    Join Date
    Nov 2008
    Posts
    237
    Rep Power
    6

    Default

    1. In regard to the notification when the account has been locked, I ran the following steps.

    $ sudo pico /opt/zimbra/conf/auditswatchrc.in
    add this parameter zimbra_swatch_acct_threshold=3
    $ sudo su zimbra
    $ zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
    $ /opt/zimbra/bin/zmauditswatchctl start

    and I logged in with my user with wrong password 5 times.

    I. I didn't receive any alert message.
    II. What is the reverse command to zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com in order to remove the value of zimbra_swatch_notice_user?

    2. In regard to the second question there is no messages directory inside WEB-INF of this path /opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/messages/ZmMsg.properties

    Cheers,
    Last edited by snake_eyes; 03-12-2009 at 03:29 AM.

  6. #6
    Jay2k1 is offline Intermediate Member
    Join Date
    Jun 2009
    Location
    Hamburg, Germany
    Posts
    22
    Rep Power
    5

    Default

    Hello,

    I'm running a version where this binary is not yet included (zmauditswatchctl) so I'm looking for another way to do this. The only thing that comes to my mind is:
    1. running "zmprov gaa" into a file so I get all accounts
    2. running "zmprov ga <account> | grep zimbraAccountStatus" for every line in this file and look for "lockout"

    This, in a script, running every two minutes or so by a cronjob, and sending the results by mail, would be my idea. The downside: Running step 1 takes approx. 6 seconds, step 2 takes approx. 4 seconds (for one account, that is). We have about 95 accounts, so a single run of this script would take 6-7 minutes alone.

    Is there a better way to, perhaps, check all accounts for lockout with a single command?

    Regards, Jay

  7. #7
    tonster is offline Zimbra Employee
    Join Date
    Dec 2007
    Location
    Ypsilanti, MI
    Posts
    142
    Rep Power
    7

    Default

    Quote Originally Posted by Jay2k1 View Post
    Hello,

    I'm running a version where this binary is not yet included (zmauditswatchctl) so I'm looking for another way to do this. The only thing that comes to my mind is:
    1. running "zmprov gaa" into a file so I get all accounts
    2. running "zmprov ga <account> | grep zimbraAccountStatus" for every line in this file and look for "lockout"

    This, in a script, running every two minutes or so by a cronjob, and sending the results by mail, would be my idea. The downside: Running step 1 takes approx. 6 seconds, step 2 takes approx. 4 seconds (for one account, that is). We have about 95 accounts, so a single run of this script would take 6-7 minutes alone.

    Is there a better way to, perhaps, check all accounts for lockout with a single command?

    Regards, Jay
    It would probably be a good idea to upgrade to a later version of ZCS. There have been so many improvements since 5.0.9. However, if that's not an option, you should be able to limit the amount of time this takes by doing a batch zmprov command. Something like:
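    Code:
    # Dump every account name, one per line
    zmprov gaa > /tmp/accounts.txt
    # Start from an empty batch file so reruns do not accumulate old commands
    : > /tmp/zmprov.txt
    for account in `cat /tmp/accounts.txt`
    do
    echo "ga $account zimbraAccountStatus" >> /tmp/zmprov.txt
    done
    
    # Run the whole batch in one zmprov session; -B1 keeps the "# name" line
    zmprov < /tmp/zmprov.txt | grep -B1 locked
    This would produce output something like this: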
    Code:
    # name user@domain.com
    zimbraAccountStatus: locked
    for each account that is locked.
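
The cron-and-mail idea from this exchange needs one more piece to be usable: remembering the previous run so that the admin is mailed only when an account newly becomes locked. The following is an added example, not code from the thread or from Zimbra; the function names and the state-file path are hypothetical, and it matches both the `locked` and `lockout` status values mentioned in the thread.

```shell
#!/bin/sh
# Added example: report only accounts that became locked since the previous run.

# locked_accounts: read zmprov batch output ("# name ..." followed by
# "zimbraAccountStatus: ...") on stdin, print each locked account once, sorted.
locked_accounts() {
  awk '
    $1 == "#" && $2 == "name" { name = $3; next }
    $1 == "zimbraAccountStatus:" && ($2 == "locked" || $2 == "lockout") { print name }
  ' | LC_ALL=C sort -u
}

# newly_locked STATE_FILE: print accounts that are locked now but were not in
# STATE_FILE, then replace STATE_FILE with the current list. An account that is
# unlocked and later locked again is therefore reported again.
newly_locked() {
  state=$1
  current=$(mktemp) || return 1
  locked_accounts > "$current"
  [ -f "$state" ] || : > "$state"
  LC_ALL=C comm -13 "$state" "$current"
  mv "$current" "$state"
}

# CONSTRUCTED sample output for two consecutive runs.
SAMPLE_RUN1='# name alice@example.com
zimbraAccountStatus: active

# name bob@example.com
zimbraAccountStatus: locked
'
SAMPLE_RUN2='# name alice@example.com
zimbraAccountStatus: active

# name bob@example.com
zimbraAccountStatus: locked

# name carol@example.com
zimbraAccountStatus: lockout
'

# Cron usage (hypothetical state path), mailing only when something changed:
#   new=$(zmprov < /tmp/zmprov.txt | newly_locked /tmp/locked.state)
#   [ -n "$new" ] && printf '%s\n' "$new" | mail -s "Accounts locked" admin@domain.com
```
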

  8. #8
    Jay2k1 is offline Intermediate Member
    Join Date
    Jun 2009
    Location
    Hamburg, Germany
    Posts
    22
    Rep Power
    5

    Default

    Yay, thanks, that makes it 30 seconds per run

    I know I should seriously consider upgrading, but there are quite some versions between mine and the current, so I'm a bit afraid of doing the upgrade. I'll have to grab some spare server, install the same OS, patch it, then install the old ZCS, copy the zimbra dir from current server to that test server, and then perform the upgrade on it and see if all goes well. That's quite time consuming, someday in the future I will definitely do this (as we have some other issues as well which have been fixed in the meantime) but I won't do it in the next weeks I guess.
    Anyway, thank you for the code!

  9. #9
    vikjava is offline Intermediate Member
    Join Date
    Mar 2009
    Posts
    15
    Rep Power
    6

    Default

    Hi all !
    I set it up the same as snake_eyes, but it's not OK. Can you help me step by step?
    Thanks.

  10. #10
    onze is offline Active Member
    Join Date
    Jan 2010
    Location
    PT
    Posts
    28
    Rep Power
    5

    Default

    Hello,
    When I run,

    zmauditswatchctl start
    /opt/zimbra/conf/auditswatchrc is missing.
    Starting auditswatch.../opt/zimbra/conf/auditswatchrc template not found.

    How can I fix it?

    Many thanks,
