Thread: compromised accounts issue

  1. #1
    padraig (Elite Member)

    We have had a number of user accounts compromised, due mainly to users clicking on spam links.

    Is it possible to create an alert script to tell us if a user account sent more than a specific (large) number of e-mails in a set time frame (say 1-2 hrs)?
    This could act as an early warning that a user account has been compromised.
    Thanks for any replies,
    p.

  2. #2
    xaqar (Member)

    We use postfwd running on another server.
    postfwd - postfix firewall daemon
    We have it set up to count messages sent from each account, and it blocks sending if it reaches a threshold. I also have it scripted to send me hourly reports of top senders, which are periodically checked for anomalies. Glad to hear (or sorry to hear) that someone else has the same problem from their users.

  3. #3
    vadonka (Active Member)

    CBPolicyd is integrated with Zimbra; you only need a few steps to activate it, and it can be configured from a web interface.
    http://forums.zextras.com/zimbra-howto/22-[howto]-enabling-cbpolicyd-zimbra-7-1-1-a.html

  4. #4
    pyperdown (Active Member)

    This is a bit brute force, but it works. I have it set to run every 5 minutes in a cron job. If an account authenticates more than 5 times in a minute, the account is locked and an email sent to the admin. I'm a bit irritated with users who blithely go clicking on whatever and don't pay attention.

    UPDATE: I added a pipe through sed to remove multiple spaces from the log entries as it was throwing off the awk column numbers, as well as only modifying active accounts.


    #!/bin/bash
    # Checks the log file, counts successful authentications per minute, per user,
    # and if the count exceeds the maxmails value the user's account is locked.

    logfile="/var/log/zimbra.log"
    maxmails="10"
    mydomain="example.com"
    support="techsupport@$mydomain"
    accounts="/tmp/active_accounts"

    # Build the list of active accounts (one address per line)
    su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"

    # Collapse runs of spaces first (syslog pads single-digit days with two spaces,
    # which shifts the awk columns), then emit "HH:MM user" for every successful auth.
    # sort before uniq -c so one user's logins within a minute are counted together
    # even when other users' entries are interleaved in the log.
    zgrep -i "auth ok" "$logfile" | sed 's/  */ /g' | awk -F'[ :]' '{print $3":"$4, $11}' | sort | uniq -c | sort -n | \
    while read -r line
    do
        count=$(echo "$line" | cut -d' ' -f 1)
        timestamp=$(echo "$line" | cut -d' ' -f 2)
        userid=$(echo "$line" | cut -d' ' -f 3)

        # -x matches the whole line and -F takes the address literally, so
        # "al@example.com" does not also match "hal@example.com"
        if [ "$count" -gt "$maxmails" ] && grep -qxF "$userid@$mydomain" "$accounts"; then
            echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
            su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
            subject="$userid account locked due to excessive connections"
            # Email text/message
            message="/tmp/emailmessage.txt"
            echo "$userid account has been locked as there were $count connections made at" > "$message"
            echo "$timestamp. Please have the user change their password, and check for phishing" >> "$message"
            echo "emails if possible." >> "$message"
            # send an email using /bin/mail
            /usr/bin/mail -s "$subject" "$support" < "$message"
            rm -f "$message"

            # update list of active accounts
            su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"
        fi
    done

    rm -f "$accounts"

    Last edited by pyperdown; 07-10-2013 at 11:39 AM.

  5. #5
    drwho18 (Senior Member)

    Quote Originally Posted by pyperdown (post #4 above, quoted in full)

    Something isn't working right with this script on my box. What should the line look like after the zgrep?
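To show what pyperdown's zgrep | sed | awk | uniq -c pipeline from post #4 emits at each stage (which is what drwho18 is asking for), here is an added example, not pyperdown's script, run over constructed log lines. The syslog-style format, the saslauthd process name and the user name landing in awk's 11th field are assumptions; compare them against a real "auth ok" line from your own zimbra.log before relying on column 11.

```shell
#!/bin/bash
# Added example: walks the counting pipeline over constructed log lines.
# ASSUMPTION: "auth ok" lines look like the constructed ones below, with the
# user name in the 11th field when the line is split on spaces and colons.

# Constructed sample lines. "Jul  1" (two spaces) reproduces the syslog
# padding for single-digit days that shifts the awk columns.
sample_log() {
  cat <<'EOF'
Jul  1 11:39:01 mail saslauthd[1234]: auth ok alice
Jul  1 11:39:07 mail saslauthd[1234]: auth ok bob
Jul  1 11:39:12 mail saslauthd[1234]: auth ok alice
Jul  1 11:39:40 mail saslauthd[1234]: auth ok alice
Jul  1 11:40:03 mail saslauthd[1234]: auth ok bob
Jul  1 11:40:09 mail saslauthd[1234]: auth failed alice
EOF
}

# Stages 1-3: keep successful auths, collapse runs of spaces, print "HH:MM user".
per_minute_keys() {
  grep -i "auth ok" | sed 's/  */ /g' | awk -F'[ :]' '{print $3":"$4, $11}'
}

# Stage 4: uniq -c only merges adjacent duplicates, so sort the keys first;
# otherwise alice's interleaved logins in the same minute are counted separately.
count_per_minute() {
  per_minute_keys | sort | uniq -c | sort -n
}

# Keep only "count HH:MM user" rows whose count exceeds the threshold in $1.
over_threshold() {
  awk -v max="$1" '$1 > max'
}

# Same extraction without the sed step, to show why the columns shift.
without_sed() {
  grep -i "auth ok" | awk -F'[ :]' '{print $3":"$4, $11}'
}

main() {
  echo "== per-minute counts =="; sample_log | count_per_minute
  echo "== rows over threshold 2 =="; sample_log | count_per_minute | over_threshold 2
  echo "== without sed (day padding shifts the columns) =="; sample_log | without_sed
}
main
```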
