The script ships with 4 authentication failure checks:
- IP/account hash check, which warns on 10 auth failures from
an IP/account combination within a 60 second window.
- Account check, which warns on 15 auth failures from any IP
within a 60 second window. Attempts to detect a distributed
hijack-based attack on a single account.
- IP check, which warns on 20 auth failures to any account
within a 60 second window. Attempts to detect a single-host
attack across multiple accounts.
- Total auth failure check, which warns on 1000 auth failures
from any IP to any account within 60 seconds. The recommended
value for this is guesstimated at 1% of active accounts for the MBS.
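The four checks above, sketched as an added example (this is not the script's own code). It assumes a sliding 60 second window and a counter that restarts after each warning; the event tuples, addresses and account names are constructed sample data.

```python
from collections import deque

# Thresholds and window taken from the list of checks above; the short
# check names are labels chosen for this example.
THRESHOLDS = {"ipacct": 10, "acct": 15, "ip": 20, "total": 1000}
WINDOW_SECONDS = 60

def check_failures(events, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """events: time-ordered (epoch_seconds, ip, account) auth failures.
    Returns a list of (timestamp, check_name, key) warnings."""
    queues = {}    # (check, key) -> timestamps still inside the window
    warnings = []
    for ts, ip, acct in events:
        keys = {"ipacct": (ip, acct), "acct": acct, "ip": ip, "total": "*"}
        for check, key in keys.items():
            q = queues.setdefault((check, key), deque())
            q.append(ts)
            while ts - q[0] >= window:     # expire failures older than the window
                q.popleft()
            if len(q) >= thresholds[check]:
                warnings.append((ts, check, key))
                q.clear()                  # assumption: restart counting after a warning
    return warnings

# Constructed sample traffic (documentation address ranges, fake accounts).
def distributed(n=15):
    """Many source IPs, one target account: only the account check should fire."""
    return [(1000 + i, f"198.51.100.{i + 1}", "user@example.test") for i in range(n)]

def single_host(n=20):
    """One source IP, many accounts: only the IP check should fire."""
    return [(2000 + i, "203.0.113.7", f"user{i}@example.test") for i in range(n)]

def slow_guessing(n=10, gap=10):
    """One IP/account pair at one failure every 10 s: stays under every threshold."""
    return [(3000 + i * gap, "203.0.113.9", "user@example.test") for i in range(n)]

if __name__ == "__main__":
    for name, sample in [("distributed", distributed()),
                         ("single_host", single_host()),
                         ("slow_guessing", slow_guessing())]:
        print(name, check_failures(sample))
```

The slow_guessing case shows the blind spot of fixed-window counting: failures spread wider than the window never accumulate, so the thresholds and window need tuning together.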
Edit the file /opt/zimbra/conf/auditswatchrc.in, or use zmlocalconfig:
all values can be tuned via zmlocalconfig parameters.
zimbra_swatch_ipacct_threshold=10 (max failures for an IP & account pair)
zimbra_swatch_acct_threshold=15 (max failures for an account)
zimbra_swatch_ip_threshold=20 (max failures for a specific IP)
zimbra_swatch_total_threshold=60 (all failures max trigger count)
zimbra_swatch_threshold_seconds=60 (the duration window it has to happen in)
zmlocalconfig -e email@example.com
After editing:
su - zimbra