
Thread: Best Practices Question

  1. #1
    Join Date
    Jul 2007
    St. Louis, MO

    Best Practices Question

    From an earlier thread today I learned that someone, somewhere, is maliciously attempting to access my mail server. From the audit.log (thanks to jholder) I learned the IP Address of the individual and found that there were well over 100 attempts to access the mail server via pop3 - the individual had tried multiple accounts, locking all of them.

    From a best practices, or from a security point-of-view, does anyone here monitor this sort of activity on their Zimbra installs and block IPs as needed?

    For instance, I was considering crafting a short shell script, i.e.:

    cat /opt/zimbra/log/audit.log | grep "authentication failed" | mail -s "Authentication Failures"

    Then creating a crontab entry to run this nightly. From the report I could continue to block IPs via IPTables as needed. Obviously I would only look to block IPs which I recognize as not a customer and that attempted to log into multiple accounts, multiple times.

    Any better suggestions? Or thoughts against doing such an activity?

    I was just wanting to solicit ideas or feedback.


  2. #2
    Join Date
    May 2006


    Be sure your timing is right, as audit.log logrotates (adds a datestamp)
    -else you could be just scanning an almost empty/fresh logfile each time

  3. #3
    Join Date
    Feb 2007


    Also, keep in mind that a lot of the IPs that you are blocking are most likely dynamic and will change regularly. Be careful not to block out of your customer base's IP Pool.
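
The report discussed across the three posts, as an added example that is not part of the thread: it counts failures and distinct accounts per source IP, reads several log files in one run (rotated plus live), and skips allowlisted customer prefixes. The `ip=` and `account=` field layout, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: failure lines contain "authentication failed"
# plus "ip=...;" and "account=...;" fields; adjust the patterns otherwise.

# auth_fail_report MIN_FAILS MIN_ACCOUNTS ALLOW_FILE LOG...
# Prints "ip failures distinct_accounts", busiest first, for every source IP
# at or above both thresholds. ALLOW_FILE holds one address prefix per line
# (customer ranges, your own hosts); matching IPs are never reported.
auth_fail_report() {
    min_fails=$1; min_accts=$2; allow=$3; shift 3
    awk -v min_fails="$min_fails" -v min_accts="$min_accts" '
        FILENAME == ARGV[1] {                 # first operand: the allowlist
            if ($0 != "" && $0 !~ /^#/) allowed[$0] = 1
            next
        }
        /authentication failed/ {
            ip = ""; acct = ""
            if (match($0, /ip=[^;]+/))      ip   = substr($0, RSTART + 3, RLENGTH - 3)
            if (match($0, /account=[^;]+/)) acct = substr($0, RSTART + 8, RLENGTH - 8)
            if (ip == "") next
            for (p in allowed) if (index(ip, p) == 1) next
            fails[ip]++
            if (acct != "" && !((ip, acct) in seen)) { seen[ip, acct] = 1; accts[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min_fails && accts[ip] >= min_accts)
                    print ip, fails[ip], accts[ip]
        }
    ' "$allow" "$@" | sort -k2,2nr
}

# Constructed sample lines using documentation addresses, not real log data.
sample_lines() {
cat <<'EOF'
2008-01-01 23:58:01,100 WARN  [Pop3Server-3] [ip=203.0.113.50;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2008-01-01 23:58:02,100 WARN  [Pop3Server-3] [ip=203.0.113.50;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2008-01-01 23:58:03,100 WARN  [Pop3Server-3] [ip=203.0.113.50;] security - cmd=Auth; account=bob@example.com; protocol=pop3; error=authentication failed for bob@example.com, invalid password;
2008-01-01 23:58:04,100 WARN  [Pop3Server-3] [ip=203.0.113.50;] security - cmd=Auth; account=carol@example.com; protocol=pop3; error=authentication failed for carol@example.com, invalid password;
2008-01-02 08:15:01,100 WARN  [Pop3Server-4] [ip=198.51.100.7;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for dave@example.com, invalid password;
2008-01-02 08:15:09,100 WARN  [Pop3Server-4] [ip=198.51.100.7;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for dave@example.com, invalid password;
2008-01-02 08:15:20,100 WARN  [Pop3Server-4] [ip=198.51.100.7;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for dave@example.com, invalid password;
2008-01-02 08:16:00,100 INFO  [Pop3Server-4] [ip=198.51.100.7;] security - cmd=Auth; account=dave@example.com; protocol=pop3;
EOF
}

# No allowlist (/dev/null), 3+ failures against 2+ accounts, log read from stdin.
sample_lines | auth_fail_report 3 2 /dev/null -
```

From cron, pass the rotated file and the live audit.log together as the LOG arguments so a run just after rotation does not scan an almost empty file. Review the output against known customer addresses before adding any iptables rule.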

