The command to quickly compile and show the top 10 IP addresses where the hacking originates from, so that you can quickly input these IP addresses into your firewall to block them rather than locking your users out:
# Count "authentication failure" lines in zimbra.log by their 7th space-separated field (the client host[IP] token in this log layout) and list the 10 most frequent
grep "authentication failure" /var/log/zimbra.log | cut -d ' ' -f 7 | sort | uniq -c | sort -nr | head
zmauditswatch is not useful, as it doesn't reveal the source of the hacking for me to be able to block them in my firewall. The IP address it shows is always my internal Zimbra IP address instead of the hacker's IP address.
The hacker's IP address is actually logged in zimbra.log. Thus, I hope the Zimbra development team can improve zmauditswatch by retrieving the right information from zimbra.log instead of looking in the wrong place, mailbox.log.
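A script version of the same idea, added here as an example and not part of the original post: instead of relying on a fixed field position it pulls the first IPv4 address from each "authentication failure" line, so a small change in the log layout does not silently shift the count onto the wrong token. The sample log lines and the postfix/smtpd-style layout are constructed assumptions; adjust the grep pattern to your own zimbra.log.

```shell
#!/bin/sh
# Added example (not the original poster's command): report the most frequent
# source IPs of failed authentications in a zimbra.log-style file.

# Constructed sample log: 3 attempts from 203.0.113.5, 2 from 198.51.100.7,
# 1 from 192.0.2.9, plus one unrelated line that must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:02 mail postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:03 mail postfix/smtpd[2102]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:04 mail zimbramon[999]: status check of 192.0.2.1 ok
Jan 10 12:00:05 mail postfix/smtpd[2102]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: authentication failure
Jan 10 12:00:06 mail postfix/smtpd[2103]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:07 mail postfix/smtpd[2103]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
EOF

# top_failed_auth_ips LOGFILE [N]
# Prints "COUNT IP" for the N (default 10) most frequent source IPs.
# The first IPv4 address on each matching line is taken as the client address;
# awk's match()/RSTART/RLENGTH are POSIX, so this runs on a plain /bin/sh.
top_failed_auth_ips() {
    logfile=$1
    limit=${2:-10}
    grep 'authentication failure' "$logfile" \
      | awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
               print substr($0, RSTART, RLENGTH) }' \
      | sort | uniq -c | sort -rn \
      | head -n "$limit" \
      | awk '{ print $1, $2 }'
}

# Review the list before adding anything to the firewall: a shared NAT address
# or a legitimate user with a stale password will show up here too.
top_failed_auth_ips "$SAMPLE_LOG"
```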