How to manage huge amount of Authentication Failure?
Posted: Fri Jul 08, 2016 2:50 am
Our Zimbra server has an average of about 10-20k authentication failure attempts every day, from bots trying to log in to our accounts by guessing their passwords. As we have difficulty upgrading our Ubuntu from version 10 to 12 due to an unauthenticated packages error, we are unable to enjoy the two-factor authentication feature.
We have tried many methods to manage these. Zmauditswatch is helping because it emails an alert to us whenever such attempts are detected. Unfortunately, it only reveals our Zimbra IP address instead of the source IP. I have to manually download the zimbra.log where the source IPs are located, and retrieve the source IPs to block them on our firewall. This is time consuming.
1. Is there a better way to block source IPs that have too many failed login attempts?
2. How can we configure Zmauditswatch to show the source IP instead of our Zimbra IP?
3. Has anyone done a script to automatically retrieve the source IPs from the Zimbra log?
4. Or is there any 3rd-party log collection software, such as Splunk etc., that can automate this?
We have also deployed the lockout feature, where accounts get locked out once there are more than 5 failed attempts, so that these bots do not get to keep trying too many passwords to crack in. However, this causes inconvenience to the users, as we have to keep unlocking the accounts for them. Not to mention it is time consuming for us as well.
I hope there is a better workaround, else we may seriously consider migrating out to Office 365 Exchange or Google Mail to save our manhours for the other IT tasks on hand.
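As an added example for question 3 (not from the original post and not a Zimbra tool), a small Python script that counts failed logins per source IP so the offenders can be fed to a firewall block list instead of being picked out of zimbra.log by hand. The sample lines are constructed, and the two line shapes it parses (postfix "SASL ... authentication failed" with the client address in brackets, and mailbox audit entries where "oip=" carries the real client IP behind the proxy) are assumptions to verify against your own log before relying on the regexes.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed formats; compare with a real zimbra.log / audit.log
# and adjust the regexes below if the fields differ).
SAMPLE_LOG = """\
Jul  8 02:50:01 mail postfix/smtpd[2123]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jul  8 02:50:02 mail postfix/smtpd[2123]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jul  8 02:50:03 mail postfix/smtpd[2124]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
2016-07-08 02:50:04,110 WARN [qtp-17] [ip=10.0.0.2;oip=203.0.113.5;ua=zclient/8.6;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2016-07-08 02:50:05,220 INFO [qtp-18] [ip=10.0.0.2;oip=192.0.2.9;ua=zclient/8.6;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2016-07-08 02:50:06,330 WARN [qtp-19] [ip=10.0.0.2;oip=203.0.113.5;ua=zclient/8.6;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Postfix/SASL failure: the client address is the bracketed value before ": SASL".
SASL_FAIL = re.compile(r"\[" + IPV4 + r"\]: SASL \w+ authentication failed")
# Mailbox audit failure: "oip=" is the original client IP; "ip=" is only the proxy address.
AUDIT_FAIL = re.compile(r"oip=" + IPV4 + r";.*cmd=Auth;.*authentication failed")


def count_failures(lines):
    """Return a Counter of failed login attempts keyed by source IP."""
    failures = Counter()
    for line in lines:
        match = SASL_FAIL.search(line) or AUDIT_FAIL.search(line)
        if match:
            failures[match.group(1)] += 1
    return failures


def offenders(lines, threshold):
    """Source IPs with at least `threshold` failures, most active first."""
    return [(ip, n) for ip, n in count_failures(lines).most_common() if n >= threshold]


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/zimbra.log") to run against a real log.
    for ip, n in offenders(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{ip}\t{n} failed attempts")
```

Successful Auth entries (no "authentication failed" text) are ignored, so a user who mistypes once is not counted alongside a bot hammering several accounts from one address.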