How to manage huge amount of Authentication Failure?

bhwong
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

How to manage huge amount of Authentication Failure?

Post by bhwong »

Our Zimbra server has an average of about 10-20k authentication failure attempts every day, from bots trying to log in to our accounts by guessing their passwords. As we have difficulty upgrading our Ubuntu from version 10 to 12 due to an "unauthenticated packages found" error, we are unable to enjoy the two-factor authentication feature.

We have tried many methods to manage these. Zmauditswatch is helping because it emails an alert to us whenever such attempts are detected. Unfortunately, it only reveals our Zimbra IP address instead of the source IP. I have to manually download the zimbra.log where the source IPs are located, and retrieve the source IP to block it on our firewall. This is time consuming.

1. Is there a better way to block source IPs that have too many failed login attempts?
2. How can we configure Zmauditswatch to show the source IP instead of our Zimbra IP?
3. Has anyone done a script to automatically retrieve the source IPs from the Zimbra log?
4. Or is there any 3rd party log collection software, such as Splunk etc., that can automate this?

We have also deployed the lockout feature, so that accounts get locked out once there are more than 5 failed attempts and these bots do not get to keep trying too many passwords to crack in. However, this causes inconvenience to the users, as we have to keep unlocking the accounts for them as well. Not to mention it is time consuming for us as well.

I hope there is a better workaround, else we may seriously consider migrating out to Office 365 Exchange or Google Mail to save our manhours for handling other IT tasks on hand.
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: How to manage huge amount of Authentication Failure?

Post by liverpoolfcfan »

You can use fail2ban to monitor the log files and automatically block offending IP addresses.
howanitz
Advanced member
Posts: 65
Joined: Mon Feb 01, 2016 9:27 am

Re: How to manage huge amount of Authentication Failure?

Post by howanitz »

Check these postings:

viewtopic.php?f=15&t=58963

viewtopic.php?f=15&t=58967

This might be helpful also:

viewtopic.php?f=15&t=58853
bhwong
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

Re: How to manage huge amount of Authentication Failure?

Post by bhwong »

I have a workable solution here: viewtopic.php?f=15&t=61542
rojoblandino
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 1:36 am

Re: How to manage huge amount of Authentication Failure?

Post by rojoblandino »

liverpoolfcfan wrote:You can use fail2ban to monitor the log files and automatically block offending IP addresses.
That would work only if the attacker uses the same IP, but it does not work when every minute it comes from a new IP without repeating itself.

How would you block something you do not know where will come from?

I have been thinking about how to stop any auth on unclear SMTP ports by firewall. But until now I am still developing that solution, and closing the gap to local auth.
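Added example (not from any poster in this thread): a small Python script for bhwong's question 3, pulling the originating client IPs of failed logins out of a Zimbra log, and for rojoblandino's point that a per-IP ban misses an attacker who rotates addresses. It assumes the audit-log line shape `[ip=<proxy>;oip=<client>;...] security - cmd=Auth; account=...; ... error=authentication failed ...`, where `oip` is the originating client address (the one bhwong wants, not the Zimbra/proxy IP); the regex is an assumption about that format and should be adjusted against a real zimbra.log or audit.log. The sample log lines are constructed. It reports two things: IPs that exceed a failure threshold on their own (candidates for a firewall or fail2ban rule), and accounts that are being hit from many different IPs even though no single IP crosses the threshold (the distributed case, where per-account alerting or lockout is the only signal).

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed line shape, modelled on Zimbra's audit log; adjust to your own log.
AUTH_FAIL_RE = re.compile(
    r"\[ip=(?P<ip>[^;\]]+);oip=(?P<oip>[^;\]]+)[^\]]*\]\s+security - cmd=Auth;"
    r"\s*account=(?P<account>[^;]+);.*?error=authentication failed"
)

# Constructed sample lines (not real traffic): 10.0.0.5 plays the Zimbra/proxy
# address that Zmauditswatch reports; oip= carries the real client address.
_FAIL = ("2016-03-01 10:{m:02d}:00,000 WARN  [qtp1-1] [ip=10.0.0.5;oip={oip};ua=zclient;] "
         "security - cmd=Auth; account={acct}; protocol=soap; "
         "error=authentication failed for [{acct}], invalid password;")
_OK = ("2016-03-01 10:{m:02d}:00,000 INFO  [qtp1-1] [ip=10.0.0.5;oip={oip};ua=zclient;] "
       "security - cmd=Auth; account={acct}; protocol=soap;")

SAMPLE_LINES = (
    # one bot hammering one account from a single address (fail2ban catches this)
    [_FAIL.format(m=i, oip="203.0.113.7", acct="bob@example.com") for i in range(6)]
    # one account probed from five different addresses, one attempt each
    + [_FAIL.format(m=10 + i, oip="198.51.100.%d" % (i + 1), acct="carol@example.com")
       for i in range(5)]
    # a successful login and an unrelated line, both of which must be ignored
    + [_OK.format(m=20, oip="192.0.2.44", acct="alice@example.com")]
    + ["2016-03-01 10:21:00,000 INFO  [qtp1-1] [] mailbox - some unrelated line"]
)


def parse_auth_failures(lines):
    """Return (client_ip, account) for every failed-auth line; other lines are skipped."""
    events = []
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            events.append((m.group("oip"), m.group("account")))
    return events


def summarize(events, ip_threshold=5, account_threshold=5):
    """Aggregate failures per source IP and per target account.

    noisy_ips: sources with >= ip_threshold failures (block candidates).
    distributed_accounts: accounts attacked from >= account_threshold distinct
    IPs, which a per-IP ban would never catch.
    """
    per_ip = Counter(ip for ip, _ in events)
    per_account_ips = defaultdict(set)
    for ip, acct in events:
        per_account_ips[acct].add(ip)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)
    distributed = sorted(acct for acct, ips in per_account_ips.items()
                         if len(ips) >= account_threshold)
    return {
        "per_ip": per_ip,
        "noisy_ips": noisy_ips,
        "distributed_accounts": distributed,
    }


def report(lines, **thresholds):
    summary = summarize(parse_auth_failures(lines), **thresholds)
    print("failures per source IP:")
    for ip, n in summary["per_ip"].most_common():
        print("  %-16s %d" % (ip, n))
    print("block candidates:", ", ".join(summary["noisy_ips"]) or "none")
    print("accounts under distributed attack:",
          ", ".join(summary["distributed_accounts"]) or "none")
    return summary


if __name__ == "__main__":
    # Usage: python zimbra_auth_failures.py /path/to/zimbra.log  (or no arg for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh)
    else:
        report(SAMPLE_LINES)
```

Feeding the real log through `report()` gives the per-IP list bhwong was extracting by hand; the `distributed_accounts` list is the part a firewall rule cannot produce and is where lockout or per-account alerting, rather than IP blocking, has to carry the load.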