
Thread: Best Practices Question

  1. #1

    Best Practices Question

    From an earlier thread today I learned that someone, somewhere, is maliciously attempting to access my mail server. From the audit.log (thanks to jholder) I learned the IP address of the individual and found that there were well over 100 attempts to access the mail server via POP3; the individual had tried multiple accounts, locking all of them.

    From a best-practices, or from a security, point of view, does anyone here monitor this sort of activity on their Zimbra installs and block IPs as needed?

    For instance, I was considering crafting a short shell script, i.e.:

    grep "authentication failed" /opt/zimbra/log/audit.log | mail -s "Authentication Failures" my.email@address.com

    Then creating a crontab entry to run this nightly. From the report I could continue to block IPs via iptables as needed. Obviously I would only look to block IPs which I recognize as not a customer and that attempted to log into multiple accounts, multiple times.

    Any better suggestions? Or thoughts against doing such an activity?

    I was just wanting to solicit ideas or feedback.

    Thanks,
    -Marc

  2. #2

    Be sure your timing is right, as audit.log logrotates (adds a datestamp); else you could be just scanning an almost empty/fresh logfile each time.
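    A worked version of the nightly check proposed in #1 that also covers the logrotate timing raised in #2, added here as an example (not code from the thread or from Zimbra): it tallies failures per source IP and per distinct account so one mistyped customer password drops out of the report, and it picks up the rotated audit.log copy from the last day. The audit.log line layout in the comment, the sample lines, and the names summarize_auth_failures and recent_audit_logs are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: count "authentication failed"
# events per source IP across one or more audit.log files, including
# logrotated copies, so a nightly cron report is not run against a freshly
# rotated, almost empty file. The audit.log line layout is an assumption:
#   [ip=A.B.C.D;] ... account=user@dom; ... error=authentication failed ...

# summarize_auth_failures MIN_FAILS MIN_ACCOUNTS FILE...
# Prints "IP failures distinct_accounts" for IPs meeting both thresholds,
# most failures first, so single-typo customers drop out of the report.
summarize_auth_failures() {
    min_fails=$1; min_accts=$2; shift 2
    cat "$@" | grep 'authentication failed' \
      | sed -n 's/.*\[ip=\([^;]*\);.*account=\([^;]*\);.*/\1 \2/p' \
      | awk -v mf="$min_fails" -v ma="$min_accts" '
          { fails[$1]++; if (!seen[$1, $2]++) accts[$1]++ }
          END { for (ip in fails)
                    if (fails[ip] >= mf && accts[ip] >= ma)
                        print ip, fails[ip], accts[ip] }' \
      | sort -k2,2nr
}

# Current audit.log plus any rotated copy (audit.log.YYYY-MM-DD) modified
# in the last day: the window a nightly job actually needs to cover.
recent_audit_logs() {
    find "${1:-/opt/zimbra/log}" -maxdepth 1 -name 'audit.log*' -mtime -1
}

# Constructed sample lines (not real audit data) so the script runs offline.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2008-10-10 01:02:03,004 WARN  [Pop3Server-3] [ip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2008-10-10 01:02:05,117 WARN  [Pop3Server-3] [ip=203.0.113.9;] security - cmd=Auth; account=bob@example.com; protocol=pop3; error=authentication failed for bob@example.com, invalid password;
2008-10-10 01:02:07,332 WARN  [Pop3Server-4] [ip=203.0.113.9;] security - cmd=Auth; account=carol@example.com; protocol=pop3; error=authentication failed for carol@example.com, invalid password;
2008-10-10 01:02:09,540 WARN  [Pop3Server-4] [ip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2008-10-10 07:15:00,001 WARN  [Pop3Server-1] [ip=198.51.100.20;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for dave@example.com, invalid password;
2008-10-10 07:15:20,002 INFO  [Pop3Server-1] [ip=198.51.100.20;] security - cmd=Auth; account=dave@example.com; protocol=pop3;
EOF

# Nightly report: IPs with 3+ failures against 2+ different accounts.
summarize_auth_failures 3 2 "$sample_log"
# Real use: summarize_auth_failures 3 2 $(recent_audit_logs) | mail -s ...
```

    With the sample data only 203.0.113.9 (4 failures, 3 accounts) is reported; dave's single failure from 198.51.100.20 stays below both thresholds, which is the distinction #1 and #3 want before anything is added to iptables.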

  3. #3

    Also, keep in mind that a lot of the IPs that you are blocking are most likely dynamic and will change regularly. Be careful not to block out of your customer base's IP pool.

    -Nutz
