9/12/2014 Monitoring Authentication Failures

http://www.zimbra.com/docs/os/6.0.6/administration_guide/9_Monitoring.12.07.html#1089054 1/2
ZCS Administration Guide, Open Source Edition, 6.0.6 March 2010
Monitoring Zimbra Servers : Monitoring Authentication Failures
To guard against simple password-harvesting attacks, a ZCS account
authentication password policy can be configured to ensure strong
passwords, and a failed-login policy can be set to lock out accounts that
fail to log in after the maximum number of attempts. These policies
protect against targeted attacks on a single account, but they do not provide
visibility into dictionary attacks or distributed attacks.
The zmauditwatch script attempts to detect these more advanced
attacks by looking at where the authentication failures are coming from
and how frequently they are happening for all accounts on a Zimbra
mailbox server, and it sends an email alert to the administrator's mailbox.
The types of authentication failures checked include:
IP/Account hash check. The default is to send an email alert if 10
authentication failures from one IP/account combination occur within
a 60-second window.
Account check. The default is to send an email alert if 15
authentication failures against one account from any IP address occur within a
60-second window. This check attempts to detect a distributed hijack
attack on a single account.
IP check. The default is to send an email alert if 20 authentication
failures from one IP address to any account occur within a 60-second window. This check
attempts to detect a single-host attack across multiple
accounts.
Total authentication failure check. The default is to send an email alert if
1000 authentication failures from any IP address to any account occur within
60 seconds. The default should be modified to be 1% of the active
accounts on the mailbox server.
The default values that trigger an email alert are changed by setting the
following zmlocalconfig parameters:
IP/Account value, change zimbra_swatch_ipacct_threshold
Account check, change zimbra_swatch_acct_threshold
IP check, change zimbra_swatch_ip_threshold
Total authentication failure check, change
zimbra_swatch_total_threshold
Configure zimbra_swatch_notice_user with the email address that should
receive the alerts.
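The four checks described above, implemented as an added example (not zmauditwatch's own code) over a constructed log excerpt: each check keeps a sliding 60-second window per key and alerts the first time a window reaches its threshold. The line layout, the names alice/bob/carol and the addresses are assumptions made for the sample; the threshold values are the page's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults match the zmlocalconfig thresholds named on the page; the
# sliding-window counting below is an assumption, not zmauditwatch's code.
THRESHOLDS = {"ipacct": 10, "acct": 15, "ip": 20, "total": 1000}
WINDOW_SECONDS = 60

# Constructed line layout for this example, not Zimbra's actual audit.log format.
LINE_RE = re.compile(r"^(\S+ \S+) auth failed account=(\S+) ip=(\S+)$")

def parse_failure(line):
    """Return (timestamp, account, ip) for a failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def detect(lines, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Run the four checks; return [(check, key)] in the order they first fire."""
    recent = defaultdict(deque)   # (check, key) -> timestamps inside the window
    alerts, fired = [], set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # ignore lines that are not auth failures
        ts, acct, ip = parsed
        keys = (("ipacct", f"{ip}/{acct}"), ("acct", acct), ("ip", ip), ("total", "*"))
        for check, key in keys:
            dq = recent[(check, key)]
            dq.append(ts)
            while (ts - dq[0]).total_seconds() > window:
                dq.popleft()        # drop failures older than the window
            if len(dq) >= thresholds[check] and (check, key) not in fired:
                fired.add((check, key))
                alerts.append((check, key))
    return alerts

def sample_lines():
    """Constructed log: 12 hits on alice from one IP, then 16 hits on bob from 16 IPs."""
    t0 = datetime(2010, 3, 1, 9, 0, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} auth failed account={} ip={}"
    lines = [fmt.format(t0 + timedelta(seconds=i), "alice@example.com", "192.0.2.10") for i in range(12)]
    lines += [fmt.format(t0 + timedelta(seconds=20 + i), "bob@example.com", f"198.51.100.{i + 1}") for i in range(16)]
    lines.append("2010-03-01 09:00:40 auth ok account=carol@example.com ip=203.0.113.5")  # not a failure
    return lines

if __name__ == "__main__":
    # Lower the total threshold as the page advises (1% of active accounts; 25 here).
    for check, key in detect(sample_lines(), {**THRESHOLDS, "total": 25}):
        print(f"ALERT {check}: {key}")
```

With the defaults the sample fires the IP/account check for alice and the account check for bob; lowering the total threshold to 25 also fires the total check.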
Copyright 2010 Zimbra Inc.
