Enabling Brutforce Notifications on Zimbra Mail Server
Like any other mail server’s Zimbra too is prone to SMTP brutforce attacks. Hackers around the world try to login to the SMTP servers with the most commonly used email ID’s like info, support etc… with random passwords. Once they are able to crack the actual passwords of the accounts, they will start sending SPAM emails from the server which affects the reputation of your domain and IP address.
There is a way to get notified whenever somebody tried to login to the server with incorrect passwords, this service is called Zmauditswatch
Follow the below steps to enable the same on your Zimbra server
Note: All the below commands should be run from Zimbra user only.
1. Setup the notification email, all the brutforce alerts will be sent to this email ID
zmlocalconfig -e firstname.lastname@example.org
2. Now configure the brutforce thresholds
zmlocalconfig -e zimbra_swatch_ipacct_threshold=20 zmlocalconfig -e zimbra_swatch_acct_threshold=30 zmlocalconfig -e zimbra_swatch_ip_threshold=40 zmlocalconfig -e zimbra_swatch_total_threshold=80 zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
3. Start the Zmauditswatch service
That’s it … once the above configurations are done, you will start receiving notifications whenever there is a brutforce on the server.