
Solution to replace the useless zmauditswatch

Posted: Fri Mar 10, 2017 4:12 am
by bhwong
I have found a workable solution to the problem with zmauditswatch mentioned here: viewtopic.php?f=15&t=59899&p=268994&hil ... ch#p268994. Thanks to Amit Kumar Singh from Zimbra Support for his guidance in getting this up!

The command to quickly compile and show the top 10 IP addresses where the hacking originates from, so that you can quickly input these IP addresses into your firewall to block them from locking your users up:

Code:

cat /var/log/zimbra.log | grep "authentication failure" | cut -d ' ' -f 7 | sort | uniq -c | sort -nr | head

zmauditswatch is not useful as it doesn't reveal the source of hacking for me to be able to block them in my firewall. The IP address it shows is always my internal Zimbra IP address instead of the hacker IP address.

The hacker IP address is actually logged in zimbra.log. Thus, I hope Zimbra development team can improve on zmauditswatch by retrieving the right information from zimbra.log instead of looking at the wrong place from mailbox.log.
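The same aggregation as the one-liner above, written as an added Python example (it is not code from the post or from Zimbra). It generalizes the `cut -d ' ' -f 7` step by pulling the source address out of each "authentication failure" line with a regex rather than a fixed field position, and it lets you drop known internal addresses (such as the server's own mailbox IP that zmauditswatch reports) so they never surface as offenders. The log lines are constructed in a syslog-like layout for illustration; the real zimbra.log field layout may differ, which is exactly why the address is matched by pattern instead of by column.

```python
import re
from collections import Counter

# Constructed sample lines in a syslog-like layout. They are NOT real zimbra.log
# output; the real layout may differ, so addresses are matched by regex below.
SAMPLE_LOG = """\
Mar 10 03:12:45 mail saslauthd[2211]: authentication failure for user=alice from 203.0.113.5
Mar 10 03:12:46 mail saslauthd[2211]: authentication failure for user=bob from 203.0.113.5
Mar 10 03:12:47 mail saslauthd[2211]: authentication failure for user=carol from 198.51.100.7
Mar 10 03:12:48 mail saslauthd[2211]: authentication failure for user=alice from 203.0.113.5
Mar 10 03:12:49 mail imapd[3110]: user alice logged in from 192.0.2.10
Mar 10 03:12:50 mail saslauthd[2211]: authentication failure for user=dave from 192.0.2.10
Mar 10 03:12:51 mail saslauthd[2211]: authentication failure for user=erin from 10.0.0.25
"""

# Assumed internal address to ignore (e.g. the Zimbra mailbox host itself).
INTERNAL_ADDRS = frozenset({"10.0.0.25"})

MARKER = "authentication failure"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def failures_by_ip(lines, exclude=frozenset()):
    """Count 'authentication failure' lines per source IPv4 address.

    The address is the last IPv4 literal on the line, found by regex, so the
    count does not depend on a fixed space-separated field index. Addresses
    in `exclude` (known internal hosts) are skipped.
    """
    counts = Counter()
    for line in lines:
        if MARKER not in line:
            continue
        ips = IPV4_RE.findall(line)
        if not ips or ips[-1] in exclude:
            continue
        counts[ips[-1]] += 1
    return counts


def top_offenders(lines, limit=10, threshold=1, exclude=frozenset()):
    """Return [(ip, count)] sorted by count descending (ties by address),
    keeping only addresses with at least `threshold` failures, at most `limit`."""
    counts = failures_by_ip(lines, exclude=exclude)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= threshold][:limit]


if __name__ == "__main__":
    # Same shape as `sort | uniq -c | sort -nr | head`: count, then address.
    for ip, n in top_offenders(SAMPLE_LOG.splitlines(), exclude=INTERNAL_ADDRS):
        print(f"{n:6d}  {ip}")
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/zimbra.log` and put the server's own address in `INTERNAL_ADDRS`; raising `threshold` turns the listing into a block candidate list rather than a full tally.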