Hi,
I have ZCS version 8.6 installed, running on Ubuntu 14.04.
I've enabled zmauditswatch. Now, I'm seeing with some frequency (about once every 2 to 3 weeks) one random IP address making brute force attacks against most of our email addresses. Example:
Account failure threshold exceeded: 208.105.66.150 pamela@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for pamela@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 paula@<my-domain>
Account failure threshold exceeded: 208.105.66.150 paula@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 patricia@<my-domain>
Account failure threshold exceeded: 208.105.66.150 patricia@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for patricia@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 rachel@<my-domain>
Account failure threshold exceeded: 208.105.66.150 rachel@<my-domain>
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for rosa@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 rosa@<my-domain>
Account failure threshold exceeded: 208.105.66.150 rosa@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 roberto@<my-domain>
Account failure threshold exceeded: 208.105.66.150 roberto@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 sandra@<my-domain>
Account failure threshold exceeded: 208.105.66.150 sandra@<my-domain>
IP:Acct failure threshold exceeded: 208.105.66.150 security@<my-domain>
Account failure threshold exceeded: 208.105.66.150 security@<my-domain>
This usually comes from one single address, over about 30-45 minutes. Is there a way to completely block one IP address that behaves like this?
Thanks,
Roberto
How to block a brute force attack?
Do you have a firewall and/or IDS in front of your ZCS server? Have you considered cbpolicyd?
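As an added example (not code from this thread or from Zimbra), here is a small Python script that turns zmauditswatch alert lines like the ones quoted in the question into a block list a firewall could consume, which is the "firewall in front of ZCS" route the reply suggests. It assumes the three alert formats shown in the post ("Account failure threshold exceeded", "IP:Acct failure threshold exceeded" and "IP failure threshold exceeded ... exceeded threshold on failure for ..."), uses a sample built from the poster's lines with <my-domain> replaced by example.com plus one constructed line from 198.51.100.7 (a documentation address), and picks "3 or more distinct accounts from one IP" as an assumed threshold for telling a password spray apart from a single user with a stale password. The iptables rule is only built as a string, not executed.

```python
import re
import ipaddress
from collections import defaultdict

# Alert formats as they appear in the zmauditswatch output quoted in the post:
#   Account failure threshold exceeded: <ip> <account>
#   IP:Acct failure threshold exceeded: <ip> <account>
#   IP failure threshold exceeded: <ip> exceeded threshold on failure for <account>
ALERT_RE = re.compile(
    r"^(?P<kind>Account|IP:Acct|IP) failure threshold exceeded: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:exceeded threshold on failure for\s+)?"
    r"(?P<account>\S+@\S+)$"
)

# Constructed sample: the poster's lines with <my-domain> replaced by example.com,
# plus one constructed line from a different address (198.51.100.7) that only
# tripped a single account and should therefore NOT end up on the block list.
SAMPLE_ALERTS = """\
Account failure threshold exceeded: 208.105.66.150 pamela@example.com
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for pamela@example.com
IP:Acct failure threshold exceeded: 208.105.66.150 paula@example.com
Account failure threshold exceeded: 208.105.66.150 paula@example.com
IP:Acct failure threshold exceeded: 208.105.66.150 patricia@example.com
Account failure threshold exceeded: 208.105.66.150 patricia@example.com
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for patricia@example.com
IP failure threshold exceeded: 208.105.66.150 exceeded threshold on failure for rosa@example.com
Account failure threshold exceeded: 198.51.100.7 roberto@example.com
this line is not an alert and is ignored
""".splitlines()


def parse_alert(line):
    """Return {'kind', 'ip', 'account'} for a recognised alert line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        # The regex only checks the shape; ipaddress rejects octets such as 999.
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return {"kind": m.group("kind"), "ip": ip, "account": m.group("account").lower()}


def distinct_accounts_per_ip(lines):
    """Map each source IP to the set of accounts on which it tripped a threshold."""
    seen = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            seen[alert["ip"]].add(alert["account"])
    return dict(seen)


def ips_to_block(lines, min_accounts=3):
    """IPs that tripped thresholds on at least min_accounts distinct accounts.

    min_accounts=3 is an assumed heuristic: one account from one IP is usually
    a user with an old password saved on a device; many accounts from one IP
    is the spray pattern shown in the post.
    """
    per_ip = distinct_accounts_per_ip(lines)
    return sorted(ip for ip, accts in per_ip.items() if len(accts) >= min_accounts)


def iptables_drop_rule(ip):
    """Build (but do not run) the iptables rule that drops traffic from ip."""
    return f"iptables -I INPUT -s {ipaddress.ip_address(ip)} -j DROP"


if __name__ == "__main__":
    # Feed the real file with: python3 this_script.py < /path/to/zmauditswatch-output
    for ip in ips_to_block(SAMPLE_ALERTS):
        print(iptables_drop_rule(ip))
```

Running it on the sample prints a single DROP rule for 208.105.66.150 and nothing for 198.51.100.7. In practice you would feed the script the alert mail or log zmauditswatch produces, review the list, and apply the rules (or hand the IPs to fail2ban or the upstream firewall) rather than piping them straight into iptables, since an over-eager block can lock out an office NAT address shared by many legitimate users.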