Tuesday, March 9, 2010

Add alert when account locked

The script ships with 4 authentication failure checks.
- IP/Account hash check, which warns on 10 auth failures from
an IP/account combination within a 60-second window.
- Account check, which warns on 15 auth failures from any IP
within a 60-second window. It attempts to detect a distributed
hijack-based attack on a single account.
- IP check, which warns on 20 auth failures to any account
within a 60-second window. It attempts to detect a single-host
attack across multiple accounts.
- Total auth failure check, which warns on 1000 auth failures
from any IP to any account within 60 seconds. The recommended
value for this is guesstimated at 1% of active accounts for the MBS.
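
The four checks above can be reproduced as sliding-window counters. The following is an added example, not code from the Zimbra script: the log line layout, the sample addresses and the function names scan and sample_log are assumptions made for the illustration, and each check is reported only the first time a key crosses its threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the four checks listed above; WINDOW is the 60-second window.
THRESHOLDS = {"ipacct": 10, "acct": 15, "ip": 20, "total": 1000}
WINDOW = 60

# Assumed, simplified line layout (constructed); adapt the regex to the real audit log.
LINE = re.compile(r"^(\S+ \S+) .*ip=([\d.]+);.*account=([^;]+);.*authentication failed")

def scan(lines, thresholds=THRESHOLDS, window=WINDOW):
    """Return (check, key, timestamp) the first time each key reaches its threshold."""
    seen = defaultdict(deque)   # (check, key) -> failure timestamps still in the window
    fired, alerts = set(), []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue            # not an authentication failure line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, acct = m.group(2), m.group(3)
        checks = (("ipacct", (ip, acct)), ("acct", acct), ("ip", ip), ("total", "*"))
        for check, key in checks:
            q = seen[(check, key)]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()     # drop failures older than the window
            # Alert once per key; a real deployment would also throttle repeats.
            if len(q) >= thresholds[check] and (check, key) not in fired:
                fired.add((check, key))
                alerts.append((check, key, ts))
    return alerts

def sample_log():
    """Constructed input: 16 hosts fail on one account, then one host fails on 20 accounts."""
    def line(sec, ip, acct):
        return (f"2010-03-09 10:{sec // 60:02d}:{sec % 60:02d} WARN [ip={ip};] security - "
                f"cmd=Auth; account={acct}; error=authentication failed")
    distributed = [line(i, f"192.0.2.{i + 1}", "alice@example.com") for i in range(16)]
    spray = [line(120 + i, "198.51.100.7", f"user{i}@example.com") for i in range(20)]
    return distributed + spray

if __name__ == "__main__":
    for alert in scan(sample_log()):
        print(alert)
```

On the constructed input only the account check and the IP check fire: no single IP/account pair fails more than once, which is why the per-pair check alone would miss both patterns.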


Edit the file /opt/zimbra/conf/auditswatchrc.in, or tune the values
via zmlocalconfig parameters; all of them can be set that way.

zimbra_swatch_ipacct_threshold=10 (max failures for an IP & account pair)
zimbra_swatch_acct_threshold=15 (max failures for an account)
zimbra_swatch_ip_threshold=20 (max failures for a specific IP)
zimbra_swatch_total_threshold=60 (all failures max trigger count)
zimbra_swatch_threshold_seconds=60 (the duration window it has to happen in)

zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
/opt/zimbra/bin/zmauditswatchctl start

After editing:
su - zimbra
postfix reload
