Account blocking. Find the cause?

christianrj
Posts: 34
Joined: Sat Sep 13, 2014 3:18 am

Account blocking. Find the cause?

Post by christianrj »

Hello!

Our Zimbra Server (8.6.0) has the "Failed login policy" enabled.

Our settings are:

Number of consecutive failed logins allowed: 5
Time to lockout the account: 1 hour
Time window in which the failed logins must occur to lock the account: 10 minutes

The problem is that we have some specific accounts blocked constantly (daily and in some cases hourly).

My question is: does someone know a way I can track the real cause of the block? For example, whether the user failed the login from a smartphone, or a program like Outlook, or from the web client?

I really want to investigate these constantly blocking accounts. People are very annoyed about these blockings.

Thank you!
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806

Re: Account blocking. Find the cause?

Post by stefaniu.criste »

We have the same issue for some "well-known" accounts.
In our case, the blocking is caused by bots trying to brute-force access to the server, leading to account locking.

The solution is to have a smaller duration of lockout (10 minutes) and log monitoring, then block the offending IPs in the firewall.

// Note: this is not a solution for distributed attacks, I know.
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Account blocking. Find the cause?

Post by DualBoot »

Fail2ban could be a solution on the front server.
stefaniu.criste
Posts: 41
Joined: Wed Feb 12, 2014 5:40 am
Location: Romania
ZCS/ZD Version: 8.8.8_GA_1728 20180614052922 201806

Re: Account blocking. Find the cause?

Post by stefaniu.criste »

DualBoot wrote: Fail2ban could be a solution on the front server.

Either fail2ban or csf are good, yet I have observed a high number of distributed attacks, with very few authentication attempts (two or three) per IP. In this case there is not much that fail2ban/csf can do.
Stefaniu Criste - managing partner
Hangar Hosting - a safe place for your business
proudly delivering Zimbra services in Romania
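
Added example (not part of the thread and not Zimbra's own code): a small Python report that groups failed logins per account by protocol, client and source IP, which separates a device retrying a stale password from the distributed guessing described above. The log layout (`account=`, `protocol=`, `oip=`/`ip=`, `ua=` fields as in Zimbra's audit.log), the sample lines and the thresholds are assumptions to check against your own server.

```python
import re
from collections import defaultdict

# Constructed sample. The layout (key=value; pairs, with oip= as the originating
# IP and ua= as the client) is an assumption modelled on Zimbra's audit.log;
# verify it against your own log first.
SAMPLE_LOG = """\
2015-06-01 08:00:01,100 WARN  [qtp1-10:https://mail.example.test/Microsoft-Server-ActiveSync] [name=alice@example.test;oip=203.0.113.10;ua=Apple-iPhone6C2/1208.143;] security - cmd=Auth; account=alice@example.test; protocol=http_basic; error=authentication failed for [alice@example.test], invalid password;
2015-06-01 08:02:01,100 WARN  [qtp1-12:https://mail.example.test/Microsoft-Server-ActiveSync] [name=alice@example.test;oip=203.0.113.10;ua=Apple-iPhone6C2/1208.143;] security - cmd=Auth; account=alice@example.test; protocol=http_basic; error=authentication failed for [alice@example.test], invalid password;
2015-06-01 08:04:01,100 WARN  [qtp1-15:https://mail.example.test/Microsoft-Server-ActiveSync] [name=alice@example.test;oip=203.0.113.10;ua=Apple-iPhone6C2/1208.143;] security - cmd=Auth; account=alice@example.test; protocol=http_basic; error=authentication failed for [alice@example.test], invalid password;
2015-06-01 08:05:00,000 INFO  [qtp1-11:https://mail.example.test/service/soap/AuthRequest] [name=alice@example.test;oip=192.0.2.5;ua=ZimbraWebClient - FF38 (Win);] security - cmd=Auth; account=alice@example.test; protocol=soap;
2015-06-01 09:00:00,000 WARN  [ImapSSLServer-3] [ip=10.0.0.2;oip=198.51.100.21;] security - cmd=Auth; account=info@example.test; protocol=imap; error=authentication failed for [info@example.test], invalid password;
2015-06-01 09:00:40,000 WARN  [ImapSSLServer-4] [ip=10.0.0.2;oip=198.51.100.21;] security - cmd=Auth; account=info@example.test; protocol=imap; error=authentication failed for [info@example.test], invalid password;
2015-06-01 09:03:10,000 WARN  [ImapSSLServer-5] [ip=10.0.0.2;oip=198.51.100.22;] security - cmd=Auth; account=info@example.test; protocol=imap; error=authentication failed for [info@example.test], invalid password;
2015-06-01 09:07:55,000 WARN  [Pop3SSLServer-7] [ip=10.0.0.2;oip=198.51.100.23;] security - cmd=Auth; account=info@example.test; protocol=pop3; error=authentication failed for [info@example.test], invalid password;
2015-06-01 09:09:30,000 WARN  [ImapSSLServer-8] [ip=10.0.0.2;oip=198.51.100.24;] security - cmd=Auth; account=info@example.test; protocol=imap; error=authentication failed for [info@example.test], invalid password;
"""

FIELD = re.compile(r"(\w+)=([^;]*);")  # values containing ';' need a stricter parser

def failed_logins(log_text):
    """Group failed Auth lines per account: attempts, source IPs, (protocol, client) counts."""
    report = defaultdict(lambda: {"attempts": 0, "ips": set(), "clients": defaultdict(int)})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("cmd") != "Auth" or "authentication failed" not in f.get("error", ""):
            continue  # successful logins and unrelated lines
        entry = report[f.get("account", "?")]
        entry["attempts"] += 1
        entry["ips"].add(f.get("oip") or f.get("ip", "?"))  # oip is set when a proxy is in front
        entry["clients"][(f.get("protocol", "?"), f.get("ua", "-"))] += 1
    return report

def likely_cause(entry, many_ips=3, per_ip=3):
    """Heuristic with assumed thresholds: many sources, few tries each = distributed guessing."""
    ips = len(entry["ips"])
    if ips >= many_ips and entry["attempts"] / ips <= per_ip:
        return "distributed guessing"
    return "repeating client"

if __name__ == "__main__":
    for account, e in failed_logins(SAMPLE_LOG).items():
        print(account, e["attempts"], "failures from", len(e["ips"]), "IPs:", likely_cause(e))
        for (proto, ua), n in sorted(e["clients"].items()):
            print(f"    {n} x protocol={proto} client={ua}")
```

An account flagged as "repeating client" points to one device or program to fix, while "distributed guessing" is the case where per-IP banning gives little and the lockout settings themselves matter more.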