
How to manage huge amount of Authentication Failure?

Posted: Fri Jul 08, 2016 2:50 am
by bhwong
Our Zimbra server sees an average of about 10-20k authentication failure attempts every day, from bots trying to log in to our accounts by guessing their passwords. As we have difficulty upgrading our Ubuntu from version 10 to 12 due to an "unauthenticated packages found" error, we are unable to use the two-factor authentication feature.

We have tried many methods to manage these. Zmauditswatch is helping because it emails an alert to us whenever such attempts are detected. Unfortunately, it only reveals our Zimbra IP address instead of the source IP. I have to manually download zimbra.log, where the source IPs are located, and retrieve the source IP to block it on our firewall. This is time consuming.

1. Is there a better way to block source IPs that have too many failed login attempts?
2. How can we configure Zmauditswatch to show the source IP instead of our Zimbra IP?
3. Has anyone written a script to automatically retrieve the source IPs from the Zimbra log?
4. Or is there any 3rd-party log collection software, such as Splunk etc., that can automate this?

We have also deployed the lockout feature, so that accounts get locked out once there are more than 5 failed attempts and these bots do not get to keep trying too many passwords. However, this causes inconvenience to the users, as we have to keep unlocking the accounts for them. Not to mention it is time consuming for us as well.

I hope there is a better workaround; otherwise we may seriously consider migrating to Office 365 Exchange or Google Mail to free up our man-hours for the other IT tasks on hand.

Re: How to manage huge amount of Authentication Failure?

Posted: Fri Jul 08, 2016 4:09 pm
by liverpoolfcfan
You can use fail2ban to monitor the log files and automatically block offending IP addresses.

Re: How to manage huge amount of Authentication Failure?

Posted: Fri Jul 08, 2016 4:31 pm
by howanitz

Re: How to manage huge amount of Authentication Failure?

Posted: Fri Mar 10, 2017 4:16 am
by bhwong
I have a workable solution here: viewtopic.php?f=15&t=61542

Re: How to manage huge amount of Authentication Failure?

Posted: Mon Oct 01, 2018 5:33 am
by rojoblandino
liverpoolfcfan wrote:You can use fail2ban to monitor the log files and automatically block offending IP addresses.


That would work only if the attacker uses the same IP, but it does not work when every minute it comes from a new IP without repeating itself.

How would you block something when you do not know where it will come from?

I have been thinking about how to stop any auth on unclear SMTP ports at the firewall. But until now I am still developing that solution, and closing the gap to local auth.
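The three threads above (question 3 in the original post, the fail2ban reply, and rojoblandino's point that a new source IP every minute defeats per-IP banning) can be tied together in one small script. What follows is an added example, not code from any poster, from fail2ban, or from Zimbra. It assumes an auth-failure line in the style of Zimbra's mailbox.log, with `name=<account>` and `oip=<source ip>` fields followed by "authentication failed"; the sample lines are constructed, and `LINE_RE` must be adjusted to whatever the real log on the server prints. It also assumes the firewall is iptables for the generated block commands. It does two things fail2ban's per-IP counting alone does not show side by side: it bans a source IP that fails repeatedly (the fail2ban case), and it separately flags an account that collects failures from many different IPs in a short window, which is exactly the rotating-IP pattern that never trips a per-IP threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on Zimbra mailbox.log auth failures.
# ASSUMED format: "[name=<account>;oip=<client ip>;...] ... authentication failed".
# alice: one IP hammering the same account (classic per-IP ban case).
# bob:   five failures from five different IPs, one per minute (rotating-IP case).
# carol: a single failure, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
2016-07-08 02:50:01,101 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:50:09,102 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:50:17,103 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:50:25,104 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:50:33,105 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:50:41,106 INFO [qtp-1://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] SoapEngine - handler exception: authentication failed for [alice@example.com]
2016-07-08 02:51:00,201 INFO [qtp-2://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.11;ua=zclient;] SoapEngine - handler exception: authentication failed for [bob@example.com]
2016-07-08 02:52:00,202 INFO [qtp-2://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.12;ua=zclient;] SoapEngine - handler exception: authentication failed for [bob@example.com]
2016-07-08 02:53:00,203 INFO [qtp-2://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.13;ua=zclient;] SoapEngine - handler exception: authentication failed for [bob@example.com]
2016-07-08 02:54:00,204 INFO [qtp-2://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.14;ua=zclient;] SoapEngine - handler exception: authentication failed for [bob@example.com]
2016-07-08 02:55:00,205 INFO [qtp-2://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.15;ua=zclient;] SoapEngine - handler exception: authentication failed for [bob@example.com]
2016-07-08 02:56:00,301 INFO [qtp-3://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;oip=192.0.2.9;ua=zclient;] SoapEngine - handler exception: authentication failed for [carol@example.com]
2016-07-08 02:56:30,004 INFO [ImapServer-3] [] imap - connection closed
"""

# Assumed line shape; tune this to the real zimbra.log / mailbox.log entries.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"\[name=(?P<account>[^;\]]+);.*?oip=(?P<ip>[0-9a-fA-F.:]+);.*?\] "
    r".*authentication failed"
)


def parse_line(line):
    """Return (timestamp, account, source_ip) for an auth-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["account"].lower(), m["ip"]


def parse_log(text):
    """All auth-failure events in the log, in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e[0])


def windowed_hits(events, key, threshold, window):
    """Keys (source IP or account) reaching `threshold` failures inside any
    sliding window of length `window`. Returns {key: (max_count, distinct_ips)}."""
    recent = defaultdict(deque)  # key -> deque of (timestamp, source_ip)
    flagged = {}
    for ts, account, ip in events:
        k = account if key == "account" else ip
        q = recent[k]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(k)
            if prev is None or len(q) > prev[0]:
                flagged[k] = (len(q), {src for _, src in q})
    return flagged


def offending_ips(events, threshold=5, window=timedelta(minutes=10)):
    """fail2ban-style: source IPs with >= threshold failures within the window."""
    return windowed_hits(events, "ip", threshold, window)


def targeted_accounts(events, threshold=5, window=timedelta(minutes=10), min_ips=3):
    """Accounts with >= threshold failures spread over >= min_ips distinct source
    IPs: the rotating-IP pattern that per-IP banning never sees."""
    hits = windowed_hits(events, "account", threshold, window)
    return {acct: v for acct, v in hits.items() if len(v[1]) >= min_ips}


def iptables_rules(ips):
    """Block commands for the flagged IPs (assumes an iptables firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP offenders:", offending_ips(evts))
    print("accounts under distributed guessing:", targeted_accounts(evts))
    print("\n".join(iptables_rules(offending_ips(evts))))
```

Run against the constructed sample, the per-IP pass flags only 203.0.113.5 (six failures in forty seconds), while the per-account pass flags only bob@example.com, whose five failures came from five different addresses and so never pushed any single IP over the threshold. The per-IP list is what a fail2ban jail or a firewall feed should consume; the per-account list is better used to drive an alert or a temporary per-account throttle rather than the hard lockout the original poster found so costly, since locking the account is exactly what a distributed guesser can exploit to deny service to the user.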