I am running 8.8.15_GA_4018.FOSS.
Server has been under constant attack by bots over the past few days, trying to brute force user logins. I've been using ZCS for many years and have had the failed login lockout option enabled, but it's become highly annoying to the users during this time, as many of the accounts are getting regularly locked out by the bots. In searching for a better solution, I noticed this wiki page: https://wiki.zimbra.com/wiki/DoSFilter, covering the new DoSFilter.
I'd like to use this feature to block IPs on failed login rather than lock the account, but I'm wondering how to check if it is actually working. I checked all of the configuration options shown on the wiki, but I don't see any global enable/disable option. Looking at my iptables, I don't see any particular chain it is adding entries to. Is this some type of internal blocking mechanism? Is there a way to view currently blocked IPs?
How to check DoSFilter
- axslingr
- Outstanding Member
- Posts: 256
- Joined: Sat Sep 13, 2014 2:20 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18
Re: How to check DoSFilter
Check out the last section of this page on how to view blocked IPs.
https://www.missioncriticalemail.com/20 ... -together/
-
- Advanced member
- Posts: 85
- Joined: Sat Sep 13, 2014 1:09 am
- ZCS/ZD Version: 8.8.15.GA.4179.UBUNTU20.64
Re: How to check DoSFilter
Thanks for this. I am seeing plenty of "authentication failed" log entries, but I am not seeing any entries containing "suspended", so I'm concerned this is not working as intended.
I'll try and set up a test myself and see if I can trigger it.
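One way to run the check discussed in this thread over a log file, as an added example that is not part of any post above: it counts "authentication failed" entries per source IP and lists the IPs that reach a threshold without any "suspended" entry. The log layout, the `oip=` field, the sample lines and the threshold of 3 are assumptions made for illustration, not values taken from the thread or from a server's configuration.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (timestamp, oip= field, message text)
# is an assumption for illustration, not copied from a real server log.
SAMPLE_LOG = """\
2024-01-10 09:15:01,120 WARN [name=alice@example.test;oip=203.0.113.7;] security - authentication failed for [alice]
2024-01-10 09:15:03,310 WARN [name=alice@example.test;oip=203.0.113.7;] security - authentication failed for [alice]
2024-01-10 09:15:05,002 WARN [name=bob@example.test;oip=198.51.100.23;] security - authentication failed for [bob]
2024-01-10 09:15:06,540 WARN [name=alice@example.test;oip=203.0.113.7;] security - authentication failed for [alice]
2024-01-10 09:15:08,775 WARN [name=alice@example.test;oip=203.0.113.7;] security - authentication failed for [alice]
2024-01-10 09:15:09,400 INFO [oip=203.0.113.7;] misc - Access from IP 203.0.113.7 suspended
2024-01-10 09:16:11,020 WARN [name=bob@example.test;oip=198.51.100.23;] security - authentication failed for [bob]
2024-01-10 09:16:12,998 WARN [name=bob@example.test;oip=198.51.100.23;] security - authentication failed for [bob]
2024-01-10 09:20:45,100 WARN [name=carol@example.test;oip=192.0.2.50;] security - authentication failed for [carol]
"""

OIP_RE = re.compile(r"oip=((?:\d{1,3}\.){3}\d{1,3})")  # assumed source-IP field
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # any IPv4 address on the line


def summarize(lines, threshold=3):
    """Return (failures per IP, suspended IPs, IPs over threshold never suspended)."""
    failures = Counter()
    suspended = set()
    for line in lines:
        lower = line.lower()
        if "authentication failed" in lower:
            # Prefer the explicit source-IP field, fall back to the first address.
            match = OIP_RE.search(line) or IP_RE.search(line)
            if match:
                ip = match.group(1) if match.re is OIP_RE else match.group(0)
                failures[ip] += 1
        elif "suspended" in lower:
            suspended.update(IP_RE.findall(line))
    # IPs that failed often enough to expect a block but have no "suspended" entry.
    unblocked = sorted(ip for ip, n in failures.items()
                       if n >= threshold and ip not in suspended)
    return failures, suspended, unblocked


if __name__ == "__main__":
    failures, suspended, unblocked = summarize(SAMPLE_LOG.splitlines())
    for ip, count in failures.most_common():
        state = "suspended" if ip in suspended else "not suspended"
        print(f"{ip}: {count} failed logins, {state}")
    print("Over threshold with no suspension:", unblocked)
```

To use it on a real server, pass the lines of the relevant log file to `summarize()` and set `threshold` to the failed-login limit configured for the filter.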