compromised accounts issue

padraig
Outstanding Member
Posts: 375
Joined: Fri Sep 12, 2014 10:13 pm

compromised accounts issue

Postby padraig » Mon Oct 08, 2012 11:30 am

We have had a number of user accounts compromised, due mainly to users clicking on SPAM links.
Is it possible to create an alert script to tell us if a user account sent more than a specific (large) number of e-mails in a set time frame (say 1~2 hrs)?

This could act as an early warning that a user account has been compromised.


xaqar
Posts: 11
Joined: Sat Sep 13, 2014 1:24 am

compromised accounts issue

Postby xaqar » Tue Oct 09, 2012 3:04 pm

We use postfwd running on another server.

postfwd - postfix firewall daemon

We have it set up to count messages sent from each account, and it blocks sending if it reaches a threshold. I also have it scripted to send me hourly reports of top senders, which are periodically checked for anomalies. Glad to hear (or sorry to hear) that someone else has the same problem from their users.

vadonka
Posts: 31
Joined: Sat Sep 13, 2014 2:20 am

compromised accounts issue

Postby vadonka » Tue Oct 09, 2012 5:27 pm

CBPolicyd is integrated with Zimbra; you only need a few steps to activate it, and it can be configured from a web interface.

-enabling-cbpolicyd-zimbra-7-1-1-a.html

7310pyperdown
Posts: 31
Joined: Fri Sep 12, 2014 10:02 pm

compromised accounts issue

Postby 7310pyperdown » Thu Jun 27, 2013 5:49 pm

This is a bit brute force, but it works. I have it set to run every 5 minutes in a cron job. If an account authenticates more than 5 times in a minute, the account is locked and an email sent to the admin. I'm a bit irritated with users who blithely go clicking on whatever and don't pay attention.
UPDATE: I added a pipe through sed to remove multiple spaces from the log entries as it was throwing off the awk column numbers, as well as only modifying active accounts.

#!/bin/bash

# checks log file and gets a count of authentications sent per minute, per user
# and if the count exceeds the maxmails value the user's account is locked.
logfile="/var/log/zimbra.log"
maxmails="10"
mydomain="example.com"
support="techsupport@$mydomain"
accounts="/tmp/active_accounts"

# list of active accounts; only these are ever locked
su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts

# collapse runs of spaces so the awk column numbers stay stable, then count
# (minute, user) pairs; sort before uniq so non-adjacent entries are merged
zgrep -i "auth ok" $logfile | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n |
while read line
do
    count=`echo ${line} | cut -d' ' -f 1`
    userid=`echo ${line} | cut -d' ' -f 3`
    timestamp=`echo ${line} | cut -d' ' -f 2`
    active=`grep "$userid@$mydomain" $accounts`
    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
        # </dev/null keeps the su'd command from reading the loop's stdin
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked" </dev/null
        subject="$userid account locked due to excessive connections"
        # Email text/message
        message="/tmp/emailmessage.txt"
        echo "$userid account has been locked as there were $count connections made at" > $message
        echo "$timestamp. Please have the user change their password, and check for phishing" >> $message
        echo "emails if possible." >> $message
        # send an email using /bin/mail; the body must come from the file,
        # otherwise mail reads the loop's stdin and swallows the remaining lines
        /usr/bin/mail -s "$subject" "$support" < $message
        rm -f $message
        # update list of active accounts
        su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
    fi
done
rm -f $accounts

drwho18
Advanced member
Posts: 60
Joined: Fri Sep 12, 2014 10:33 pm

compromised accounts issue

Postby drwho18 » Tue Aug 06, 2013 7:59 pm

[quote user="7310pyperdown"]This is a bit brute force, but it works. I have it set to run every 5 minutes in a cron job. If an account authenticates more than 5 times in a minute, the account is locked and an email sent to the admin. I'm a bit irritated with users who blithely go clicking on whatever and don't pay attention.
UPDATE: I added a pipe through sed to remove multiple spaces from the log entries as it was throwing off the awk column numbers, as well as only modifying active accounts.

#!/bin/bash

# checks log file and gets a count of authentications sent per minute, per user
# and if the count exceeds the maxmails value the user's account is locked.
logfile="/var/log/zimbra.log"
maxmails="10"
mydomain="example.com"
support="techsupport@$mydomain"
accounts="/tmp/active_accounts"

# list of active accounts; only these are ever locked
su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts

# collapse runs of spaces so the awk column numbers stay stable, then count
# (minute, user) pairs; sort before uniq so non-adjacent entries are merged
zgrep -i "auth ok" $logfile | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n |
while read line
do
    count=`echo ${line} | cut -d' ' -f 1`
    userid=`echo ${line} | cut -d' ' -f 3`
    timestamp=`echo ${line} | cut -d' ' -f 2`
    active=`grep "$userid@$mydomain" $accounts`
    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
        # </dev/null keeps the su'd command from reading the loop's stdin
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked" </dev/null
        subject="$userid account locked due to excessive connections"
        # Email text/message
        message="/tmp/emailmessage.txt"
        echo "$userid account has been locked as there were $count connections made at" > $message
        echo "$timestamp. Please have the user change their password, and check for phishing" >> $message
        echo "emails if possible." >> $message
        # send an email using /bin/mail; the body must come from the file,
        # otherwise mail reads the loop's stdin and swallows the remaining lines
        /usr/bin/mail -s "$subject" "$support" < $message
        rm -f $message
        # update list of active accounts
        su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
    fi
done
rm -f $accounts
[/QUOTE]

Something isn't working right with this script on my box; what should a line look like after the zgrep?
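The intermediate format drwho18 is asking about, as an added example that is not code from the thread or from 7310pyperdown: the script below runs the same per-minute authentication count over a handful of constructed log lines, so the "$line" values the while loop receives can be compared against real /var/log/zimbra.log output. The log line layout (syslog timestamp, saslauthd, "auth_zimbra: user auth OK") is an assumption modelled on what the original awk column numbers imply; the host name, user names and PIDs are made up. Unlike the original, it finds the user by the "auth OK" marker that follows it rather than by a fixed column, so it is not thrown off by extra spaces or a longer host name.

```shell
#!/bin/bash
# Added example, not code from the thread: runs the per-minute authentication
# count on constructed log lines so the intermediate output can be compared
# with a real /var/log/zimbra.log.  The line format is an assumption
# (syslog + saslauthd, as the thread's awk column numbers imply).

# Constructed sample: mallory authenticates six times within the 11:30 minute,
# alice and bob behave normally, and one unrelated postfix line is mixed in.
SAMPLE_LOG='Oct  8 11:29:58 mail saslauthd[2211]: auth_zimbra: alice auth OK
Oct  8 11:30:01 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:02 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:04 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:05 mail saslauthd[2211]: auth_zimbra: bob auth OK
Oct  8 11:30:07 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:09 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:11 mail saslauthd[2211]: auth_zimbra: mallory auth OK
Oct  8 11:30:12 mail postfix/smtpd[3101]: connect from unknown[192.0.2.10]
Oct  8 11:31:00 mail saslauthd[2211]: auth_zimbra: alice auth OK'

# Read log lines on stdin, emit one "COUNT HH:MM user" line per (minute, user).
# This is the shape of "$line" inside the thread's while loop: the count first,
# then the minute, then the user id.  The user is the word right before
# "auth OK", located by scanning rather than by a fixed column number.
auth_counts() {
  grep -i 'auth ok' \
    | sed 's/  */ /g' \
    | awk '{
        user = ""
        for (i = 4; i < NF - 1; i++)
          if (tolower($(i+1)) == "auth" && tolower($(i+2)) == "ok") user = $i
        if (user != "") { split($3, t, ":"); print t[1] ":" t[2], user }
      }' \
    | sort | uniq -c | sort -n \
    | sed 's/^ *//'
}

# Print the users whose authentication count in any single minute exceeds $1.
# These are the accounts the thread's script would lock and report.
over_threshold() {
  max="$1"
  auth_counts | awk -v max="$max" '$1 > max { print $3 }' | sort -u
}

# Demo on the constructed sample; against a live log run:
#   over_threshold 5 < /var/log/zimbra.log
printf '%s\n' "$SAMPLE_LOG" | over_threshold 5
```

On the sample, `auth_counts` yields four lines ending with `6 11:30 mallory`, and `over_threshold 5` names only mallory. If a real log produces no lines at all at the `auth_counts` stage, the "auth ok" marker or the timestamp position differs from this assumed layout and the awk needs adjusting before any locking logic is attached.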
