How to protect accounts that frequently get locked out?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
bhwong
Advanced member
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

How to protect accounts that frequently get locked out?

Postby bhwong » Mon May 25, 2015 2:58 am

We notice there are a few accounts that frequently get locked out due to multiple failed login attempt. We do not wish to remove the locked out function as this will give hackers more opportunity to attempt to guess the login password. Is there any better suggest to improve this?


I would like to take this opportunity to suggest some enhancements:


1. Add a 5 min delay after 3 failed login etc, instead of locking out an account.


2. Block the IP address that done too many failed login attempt unless it's trusted or internal IP.


3. Email alert when any of the above condition is met.


4. To have the origin IP in the Zimbra Admin Console to show source IP of the sender instead of completely useless info of 127.0.0.1 as origin ip for all email transactions


5. option to block IP, domain and email addresses in the MTA settings




phoenix
Ambassador
Ambassador
Posts: 26711
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

How to protect accounts that frequently get locked out?

Postby phoenix » Mon May 25, 2015 5:08 am

Suggestions for product enhancements go in bugzilla and not these forums, it is more likely to get the attention of the developers in bugzilla.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
bhwong
Advanced member
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

How to protect accounts that frequently get locked out?

Postby bhwong » Mon May 25, 2015 5:25 am

FYI, most of these suggestions have already been made in bugzilla without any progress. Please help to vote for them!

add an alert on multiple login failure on any accounts into the daily email report or email such alerts immediately:
https://bugzilla.zimbra.com/show_bug.cgi?id=88527,

block IP address where the multiple login failure origin:
https://bugzilla.zimbra.com/show_bug.cgi?id=53635

have the origin IP shown in the Zimbra Admin Console showing source IP of the sender instead of completely useless info of 127.0.0.1 as origin ip for all email transactions:
https://bugzilla.zimbra.com/show_bug.cgi?id=77949

option to block IP, domain and email addresses in the MTA settings:
https://bugzilla.zimbra.com/show_bug.cgi?id=75039

option to prevent faking of sender domain or only allow outgoing email where sender domain must match the hosted domain in the server, also block all incoming emails with invalid domains, including valid domains that do not match their origin IP addresses:
https://bugzilla.zimbra.com/show_bug.cgi?id=53852

Meanwhile, what else can we do?

phoenix
Ambassador
Ambassador
Posts: 26711
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

How to protect accounts that frequently get locked out?

Postby phoenix » Mon May 25, 2015 5:27 am

Vote on them and wait for their resolution and possible inclusion on a future product.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to protect accounts that frequently get locked out?

Postby jorgedlcruz » Tue May 26, 2015 8:57 am

Hi bhwong,


I know that is not enough, but did you try the next feature? At least you keep noticed of the Brute Force attacks before a user call you - https://wiki.zimbra.com/wiki/Zmauditswatch


I've already vote the previous Bugs.


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
bhwong
Advanced member
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

How to protect accounts that frequently get locked out?

Postby bhwong » Tue May 26, 2015 9:46 pm

Thanks Jorge for voting for them! Unfortunately, I'm still on Zimbra 7, so this feature is not available right?



May I also ask about the upgrade process here or should I open a new thread instead? Just want to find will there any difference between both upgrade options below?



1. Upgrade Zimbra from 7 to 8 (Ubuntu 10 edition)

2. Upgrade Ubuntu from 10 to 12

3. Reinstall Zimbra 8 (Ubuntu 12 edition)



Option 1:

4. Upgrade Ubuntu from 12 to 14

5. Reinstall Zimbra 8 (Ubuntu 14 edition)

6. Upgrade Zimbra from 8 to 8.6 (Ubuntu 14 edition)



Option 2:

4. Upgrade Zimbra from 8 to 8.6 (Ubuntu 12 edition)

5. Upgrade Ubuntu from 12 to 14

6. Reinstall Zimbra 8.6 (Ubuntu 14 edition)



btw, I "upgraded" Zimbra 7 from Ubuntu 8 to Ubuntu 10 recently only and have been experiencing Zimbra services freezing up that cannot be resolved by rebooting, but by executing "zmcontrol restart", not to mention that this only occur on Saturdays and Zimbra support is unable to identify the cause yet. Thus, I may not want to jump versions and risk destabilized Zimbra.
bhwong
Advanced member
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

How to protect accounts that frequently get locked out?

Postby bhwong » Wed Jun 10, 2015 1:49 am

I understand most companies have a general email account such as sales@company.com etc. How do you protect such publicly known email accounts from getting hacked?



One idea we have is to create them as alias or distribution list so that hackers cannot do a Brute Force attacks upon these accounts since these email accounts do not have a login function. But how do we send out email using these non-accounts? Can Persona resolve this issue?
liverpoolfcfan
Outstanding Member
Outstanding Member
Posts: 948
Joined: Sat Sep 13, 2014 12:47 am

How to protect accounts that frequently get locked out?

Postby liverpoolfcfan » Wed Jun 10, 2015 5:09 am

In my experience the biggest culprit in locking out accounts is users having devices synced to their account, and changing their password without updating their devices. You don't necessarily want to lock these IPs out.
sandmik
Posts: 7
Joined: Thu Oct 30, 2014 7:03 am

How to protect accounts that frequently get locked out?

Postby sandmik » Tue Aug 25, 2015 3:53 am

The most important thing, to allow us to have a different username to login than the email address on the account.



Or alternatively this can be achieved by having the option to disallow logins using aliases.
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 220
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

Re: How to protect accounts that frequently get locked out?

Postby davidkillingsworth » Thu Apr 09, 2020 3:29 am

Does anybody know if https://wiki.zimbra.com/wiki/Zmauditswatch has been updated or is working in Zimbra 8.8.15?

Additionally, what do we do with this information once we are aware that someone is brute forcing accounts?


Thanks,
David

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 21 guests