Our Zimbra server sees an average of about 10-20k authentication failure attempts every day, from bots trying to log in to our accounts by guessing their passwords. As we have difficulty upgrading our Ubuntu from version 10 to 12 due to an "unauthenticated packages found" error, we are unable to enjoy the two-factor authentication feature.
We have tried many methods to manage these. Zmauditswatch helps because it emails an alert to us whenever such attempts are detected. Unfortunately, it only reveals our Zimbra IP address instead of the source IP. I have to manually download the zimbra.log, where the source IPs are located, and retrieve the source IP to block it on our firewall. This is time consuming.
1. Is there a better way to block source IPs that have too many failed login attempts?
2. How can we configure Zmauditswatch to show the source IP instead of our Zimbra IP?
3. Has anyone written a script to automatically retrieve the source IPs from the Zimbra log?
4. Or is there any third-party log collection software, such as Splunk etc., that can automate this?
We have also deployed the lockout feature, so that accounts get locked out once there are more than 5 failed attempts and these bots do not get to keep trying too many passwords to crack in. However, this causes inconvenience to the users, as we have to keep unlocking the accounts for them as well. Not to mention it is time consuming for us as well.
I hope there is a better workaround, else we may seriously consider migrating out to Office 365 Exchange or Google Mail to save our man-hours for the other IT tasks on hand.
How to manage huge amount of Authentication Failure?
Re: How to manage huge amount of Authentication Failure?
You can use fail2ban to monitor the log files and automatically block offending IP addresses.
Re: How to manage huge amount of Authentication Failure?
Check these postings:
viewtopic.php?f=15&t=58963
viewtopic.php?f=15&t=58967
This might be helpful also:
viewtopic.php?f=15&t=58853
Re: How to manage huge amount of Authentication Failure?
I have a workable solution here: viewtopic.php?f=15&t=61542
Re: How to manage huge amount of Authentication Failure?
liverpoolfcfan wrote: You can use fail2ban to monitor the log files and automatically block offending IP addresses.
That would work only if the attacker uses the same IP, but it does not work when every minute it comes from a new IP without repeating itself.
How would you block something when you do not know where it will come from?
I have been thinking about how to stop any auth on unclear SMTP ports with the firewall. But until now I am still developing that solution, and closing the gap to local auth.
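Added example, not code posted by anyone in this thread: a small Python script that answers question 3 of the original post (pull the source IPs of failed logins out of the Zimbra log) and also addresses the last reply's point that a per-IP threshold misses an attacker who rotates to a new address every minute. It assumes the audit-style record that Zimbra writes for failed logins, `[ip=...;oip=...;] security - cmd=Auth; account=...; error=authentication failed for [...], invalid password;`; check the exact shape against your own log before relying on the regex. In those records `ip=` is the address the mailbox server saw (the Zimbra proxy's own address when connections pass through the proxy, which is why a tool that reports `ip=` shows the server's IP) and `oip=` is the originating client, so the script prefers `oip=`. The thresholds, the 10-minute window, the sample log lines and the `iptables` command it prints are all constructed for the example; review the output before applying anything on the firewall.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the assumed audit-log shape (not taken from any real server).
# 203.0.113.7 hammers one account; bob is hit once each from six different addresses.
SAMPLE_LOG = """\
2014-09-13 12:47:01,005 INFO  [ImapServer-12] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2014-09-13 12:47:03,118 INFO  [ImapServer-12] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2014-09-13 12:47:05,220 INFO  [ImapServer-13] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2014-09-13 12:47:07,301 INFO  [ImapServer-13] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2014-09-13 12:47:09,442 INFO  [ImapServer-14] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2014-09-13 12:48:00,010 INFO  [qtp-77] [ip=10.0.0.5;oip=198.51.100.9;ua=ZimbraWebClient - FF31;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
2014-09-13 12:48:30,000 INFO  [Pop3Server-3] [ip=192.0.2.4;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for [dave@example.com], invalid password;
2014-09-13 12:50:01,000 INFO  [ImapServer-15] [ip=10.0.0.5;oip=203.0.113.21;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:51:01,000 INFO  [ImapServer-15] [ip=10.0.0.5;oip=203.0.113.22;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:52:01,000 INFO  [ImapServer-16] [ip=10.0.0.5;oip=203.0.113.23;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:53:01,000 INFO  [ImapServer-16] [ip=10.0.0.5;oip=203.0.113.24;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:54:01,000 INFO  [ImapServer-17] [ip=10.0.0.5;oip=203.0.113.25;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:55:01,000 INFO  [ImapServer-17] [ip=10.0.0.5;oip=203.0.113.26;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2014-09-13 12:56:00,000 INFO  [qtp-80] [ip=10.0.0.5;oip=203.0.113.7;ua=curl;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], account lockout;
2014-09-13 12:56:05,000 INFO  [ImapServer-18] [ip=10.0.0.5;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; success=true;
"""

# Assumed record layout; the bracketed context (ip=..;oip=..;ua=..;) is captured whole
# and split afterwards. For a fail2ban filter the oip value would become <HOST>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+"
    r"security - cmd=Auth; account=(?P<account>[^;]+);.*error=authentication failed for [^,]*, (?P<reason>[^;]+);"
)


def parse_auth_failures(text):
    """Return one dict per failed-login record: ts, account, source_ip, reason."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "source_ip": ctx.get("oip") or ctx.get("ip"),  # originating client, else direct peer
            "reason": m.group("reason"),
        })
    return events


def _max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def ips_over_threshold(events, max_failures=5, window=timedelta(minutes=10)):
    """Source IPs with at least `max_failures` failures inside one window (fail2ban-style)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["source_ip"]].append(e["ts"])
    return {ip for ip, stamps in by_ip.items() if _max_in_window(stamps, window) >= max_failures}


def accounts_under_distributed_attack(events, max_failures=5, window=timedelta(minutes=10),
                                      min_distinct_ips=4):
    """Accounts hit by many failures from many different IPs in one window: the case a
    per-IP block never catches, so it is reported per account instead."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append((e["ts"], e["source_ip"]))
    flagged = set()
    for account, items in by_account.items():
        items.sort()
        left = 0
        for right in range(len(items)):
            while items[right][0] - items[left][0] > window:
                left += 1
            span = items[left:right + 1]
            if len(span) >= max_failures and len({ip for _, ip in span}) >= min_distinct_ips:
                flagged.add(account)
                break
    return flagged


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    events = parse_auth_failures(text)
    print(f"{len(events)} authentication failures parsed")
    for ip in sorted(ips_over_threshold(events)):
        print(f"iptables -I INPUT -s {ip} -j DROP   # review before running on the firewall")
    for account in sorted(accounts_under_distributed_attack(events)):
        print(f"distributed guessing against {account}: per-IP blocking will not stop this")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 zimbra_auth_failures.py /path/to/audit.log` (with no argument it analyses the built-in sample). On the sample it prints a block line for 203.0.113.7 only, and separately names bob@example.com as the target of a spread-out attack that no IP threshold would see; that second list is the one to feed into the account-lockout decision rather than the firewall.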