From an earlier thread today I learned that someone, somewhere, is maliciously attempting to access my mail server. From the audit.log (thanks to jholder) I learned the IP address of the individual and found that there were well over 100 attempts to access the mail server via POP3 - the individual had tried multiple accounts, locking all of them.

From a best-practices or security point of view, does anyone here monitor this sort of activity on their Zimbra installs and block IPs as needed?

For instance, I was considering crafting a short shell script, i.e.:

grep "authentication failed" /opt/zimbra/log/audit.log | mail -s "Authentication Failures" admin@example.com  # admin@example.com is a placeholder recipient

Then creating a crontab entry to run this nightly. From the report I could continue to block IPs via IPTables as needed. Obviously I would only look to block IPs which I recognize as not a customer and that attempted to log into multiple accounts, multiple times.

Any better suggestions? Or thoughts against doing such an activity?

I was just wanting to solicit ideas or feedback.
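
An added example, not part of the original post: instead of mailing every failed line, this sketch groups failures by source IP and reports only IPs that failed against several accounts, the pattern the post describes. The log line shape (`ip=...;` and `account=...;` fields), the thresholds, and the function names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Report source IPs with repeated failed logins across several accounts.
# Assumed line shape (constructed here; compare with your own audit.log):
#   ... [ip=203.0.113.7;] security - cmd=Auth; account=a@example.com; ... error=authentication failed ...

# Usage: auth_failure_report MIN_FAILURES MIN_ACCOUNTS < audit.log
# Output: "ip failures distinct_accounts", busiest IP first.
auth_failure_report() {
    awk -v min_fail="$1" -v min_acct="$2" '
    /authentication failed/ {
        ip = ""; acct = ""
        # ip= must follow "[" or ";" so a longer key ending in ip= is not picked up
        if (match($0, /[;[]ip=[0-9a-fA-F.:]+/))
            ip = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /account=[^; ]+/))
            acct = substr($0, RSTART + 8, RLENGTH - 8)
        if (ip == "") next
        fails[ip]++
        if (acct != "" && !((ip, acct) in seen)) { seen[ip, acct] = 1; accts[ip]++ }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min_fail && accts[ip] >= min_acct)
                printf "%s %d %d\n", ip, fails[ip], accts[ip]
    }' | sort -k2,2nr
}

# Constructed sample lines, not taken from a real server.
sample_log() {
    cat <<'EOF'
2010-03-15 02:11:01,101 WARN  [Pop3Server-4] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2010-03-15 02:11:03,220 WARN  [Pop3Server-4] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=pop3; error=authentication failed for alice@example.com, invalid password;
2010-03-15 02:11:05,310 WARN  [Pop3Server-5] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=pop3; error=authentication failed for bob@example.com, invalid password;
2010-03-15 02:11:09,480 WARN  [Pop3Server-5] [ip=203.0.113.7;] security - cmd=Auth; account=carol@example.com; protocol=pop3; error=authentication failed for carol@example.com, invalid password;
2010-03-15 08:30:12,007 WARN  [Pop3Server-9] [ip=198.51.100.20;] security - cmd=Auth; account=dave@example.com; protocol=pop3; error=authentication failed for dave@example.com, invalid password;
2010-03-15 08:30:40,512 INFO  [Pop3Server-9] [ip=198.51.100.20;] security - cmd=Auth; account=dave@example.com; protocol=pop3;
EOF
}

# Flag IPs with at least 3 failures spread over at least 2 accounts.
sample_log | auth_failure_report 3 2
```

Against a real log the function reads standard input, for example `auth_failure_report 3 2 < /opt/zimbra/log/audit.log`, and its output can be piped to `mail` from the nightly cron job the post proposes.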