Best Practices Question
From an earlier thread today I learned that someone, somewhere, is maliciously attempting to access my mail server. From the audit.log (thanks to jholder) I learned the IP Address of the individual and found that there were well over 100 attempts to access the mail server via pop3 - the individual had tried multiple accounts, locking all of them.
From a best practices, or from a security point-of-view, does anyone here monitor this sort of activity on their Zimbra installs and block IPs as needed?
For instance, I was considering crafting a short shell script, i.e.:
grep "authentication failed" /opt/zimbra/log/audit.log | mail -s "Authentication Failures" firstname.lastname@example.org
Then creating a crontab entry to run this nightly. From the report I could continue to block IPs via IPTables as needed. Obviously I would only look to block IPs which I recognize as not a customer and that attempted to log into multiple accounts, multiple times.
Any better suggestions? Or thoughts against doing such an activity?
I was just wanting to solicit ideas or feedback.
Be sure your timing is right, as audit.log logrotates (adds a datestamp), else you could be just scanning an almost empty/fresh logfile each time :p
Also, keep in mind that a lot of the IPs that you are blocking are most likely dynamic and will change regularly. Be careful not to block out of your customer base's IP Pool.
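As an added example (not code from the thread or from Zimbra), here is one way to turn the original poster's one-liner into a nightly report that summarises failed logins per source IP, and that can be pointed at the current audit.log plus any rotated copies so the logrotate timing problem raised above does not matter. The audit.log line format in the sample data is an assumption constructed to resemble Zimbra's `[ip=...;]` / `account=...;` fields; check it against your own log before relying on the field extraction. The script only reports; blocking remains a manual decision, which is also where the dynamic-IP and customer-pool caveat applies.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "authentication failed" events
# in Zimbra audit.log files by source IP so an admin can review candidates for
# blocking. Assumed (constructed) line shape:
#   ... [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.org; protocol=pop3; error=authentication failed for alice@example.org, invalid password;

# report_failures MIN_ATTEMPTS MIN_ACCOUNTS LOGFILE...
# Prints "<ip> <failed attempts> <distinct accounts>" for every IP with at least
# MIN_ATTEMPTS failures spread over at least MIN_ACCOUNTS different accounts,
# most attempts first. Several files may be given (e.g. audit.log and the
# datestamped rotated copy), so the report is not limited to a fresh logfile.
report_failures() {
  min_attempts=$1; min_accounts=$2; shift 2
  cat -- "$@" | grep 'authentication failed' |
  awk -v ma="$min_attempts" -v mc="$min_accounts" '
    {
      ip = ""; acct = ""
      # extract the ip=...; and account=...; fields; lines without an IP are skipped
      if (match($0, /ip=[^;]+;/))      ip   = substr($0, RSTART + 3, RLENGTH - 4)
      if (match($0, /account=[^;]+;/)) acct = substr($0, RSTART + 8, RLENGTH - 9)
      if (ip == "") next
      attempts[ip]++
      key = ip SUBSEP acct
      if (!(key in seen)) { seen[key] = 1; accounts[ip]++ }
    }
    END {
      for (ip in attempts)
        if (attempts[ip] >= ma && accounts[ip] >= mc)
          printf "%s %d %d\n", ip, attempts[ip], accounts[ip]
    }' | sort -k2,2nr
}

# make_sample_log PATH
# Writes a small constructed audit.log (sample data, not real traffic) for trying
# the report offline: one IP failing against three accounts, another with a
# single failure followed by a successful login.
make_sample_log() {
  cat > "$1" <<'EOF'
2024-05-01 02:13:44,101 INFO  [Pop3Server-3] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.org; protocol=pop3; error=authentication failed for alice@example.org, invalid password;
2024-05-01 02:13:45,207 INFO  [Pop3Server-3] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.org; protocol=pop3; error=authentication failed for bob@example.org, invalid password;
2024-05-01 02:13:46,318 INFO  [Pop3Server-3] [ip=203.0.113.7;] security - cmd=Auth; account=carol@example.org; protocol=pop3; error=authentication failed for carol@example.org, invalid password;
2024-05-01 02:13:47,422 INFO  [Pop3Server-3] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.org; protocol=pop3; error=authentication failed for alice@example.org, account lockout;
2024-05-01 08:02:10,004 INFO  [ImapServer-1] [ip=198.51.100.9;] security - cmd=Auth; account=dave@example.org; protocol=imap; error=authentication failed for dave@example.org, invalid password;
2024-05-01 08:02:31,110 INFO  [ImapServer-1] [ip=198.51.100.9;] security - cmd=Auth; account=dave@example.org; protocol=imap;
EOF
}

# Nightly use from cron, e.g. (paths and thresholds are yours to adjust):
#   report_failures 10 2 /opt/zimbra/log/audit.log* | mail -s "Authentication Failures" admin@example.org
```

Requiring failures across several distinct accounts is what separates a password-guessing source from a single customer who keeps mistyping their own password, which is the distinction the original post wanted to draw before blocking anything.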