Detecting brute force attacks on Zimbra with zmauditswatch
Zimbra 5.0.11 introduced the zmauditswatch script which notifies a specific e-mail address of a potential brute force attack if certain conditions are met. This is disabled by default and the documentation to enable it isn’t particularly clear, so here is a quick run through:
zmlocalconfig -e zimbra_swatch_notice_user=admin@domain.com
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=60
touch /opt/zimbra/conf/auditswatchrc
touch /opt/zimbra/conf/auditswatchrc.in
zmauditswatchctl start
Obviously use a relevant IP address and tweak the various thresholds appropriately to better suit your environment.