
Re: LDAP Change Log



We have a script that searches mailbox.log regularly and checks for ModifyPrefs. On a match the user's account is examined for signs that it has been compromised (usually phished in our case). The script determines if the account has been compromised by looking at the settings Keith mentioned as well as a few others. If the account has been compromised, it is locked, the session expired, and an e-mail is sent to the admins.

We've had a pretty high success rate using this script. We do occasionally have some false positives but tweaking the script from time to time is easier than dealing with being blacklisted.

Rich, out of curiosity, how many users do you have? We have ~18,000 spread over three mailbox servers. I'm wondering if searching LDAP would be more efficient.

James

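The approach James describes (watch mailbox.log for ModifyPrefs, then inspect the changed account's settings and lock it if it looks phished) as an added, self-contained example. This is not James's or Rich's script. The mailbox.log line shape, the LOCAL_DOMAINS set, the two accounts and their LDIF records are constructed for the example; the attribute names (zimbraPrefMailForwardingAddress, zimbraPrefMailLocalDeliveryDisabled, zimbraMailSieveScript, zimbraPrefOutOfOfficeReply*) are real Zimbra attributes, but which of them count as indicators, and the "any hit means lock" rule, are this example's own choices:

```python
"""Triage ModifyPrefs events from a Zimbra mailbox.log against the account's
LDAP preferences.  Added example; not the script discussed in the thread.

Assumptions (not facts from the thread): the log-line shape below is
constructed (check your own log for the exact message), LOCAL_DOMAINS and the
sample accounts are made up, and the indicator set is this example's choice.
"""
import base64
import re

LOCAL_DOMAINS = {"example.edu"}          # assumption: domains we deliver for

# Account and client IP live in the bracketed context "[name=...;...;ip=...;]".
CTX_RE = re.compile(r"\[name=(?P<name>[^;\]]+);[^\]]*?ip=(?P<ip>[^;\]]+)")


def modifyprefs_events(log_text):
    """Return [(account, ip), ...] for each ModifyPrefs line in mailbox.log."""
    events = []
    for line in log_text.splitlines():
        if "ModifyPrefs" in line:
            m = CTX_RE.search(line)
            if m:
                events.append((m.group("name"), m.group("ip")))
    return events


def parse_ldif(text):
    """Parse one ldapsearch -LLL entry: unfold ' '-continued lines, decode
    '::' base64 values (Zimbra stores sieve scripts that way), keep lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(key, []).append(value.strip())
    return attrs


def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def indicators(attrs):
    """Signs of a phished account, checked against its LDAP attributes."""
    hits = []
    for value in attrs.get("zimbraPrefMailForwardingAddress", []):
        for addr in filter(None, (a.strip() for a in value.split(","))):
            if is_external(addr):
                hits.append("forwards to external address " + addr)
    if attrs.get("zimbraPrefMailLocalDeliveryDisabled", ["FALSE"])[0].upper() == "TRUE":
        hits.append("local delivery disabled, owner keeps no copy")
    for script in attrs.get("zimbraMailSieveScript", []):
        if re.search(r'\bredirect\s+"[^"]*"', script):
            hits.append("sieve filter redirects mail")
        if re.search(r'\bfileinto\s+"Trash"', script, re.I):
            hits.append("sieve filter files mail into Trash")
    if attrs.get("zimbraPrefOutOfOfficeReplyEnabled", ["FALSE"])[0].upper() == "TRUE":
        reply = " ".join(attrs.get("zimbraPrefOutOfOfficeReply", []))
        if re.search(r"https?://", reply):
            hits.append("out-of-office reply carries a URL")
    return hits


def triage(log_text, lookup):
    """For each ModifyPrefs event, fetch the account's LDIF (lookup stands in
    for ldapsearch) and decide whether it should be locked."""
    results = {}
    for account, ip in modifyprefs_events(log_text):
        hits = indicators(parse_ldif(lookup(account)))
        results[account] = {"ip": ip, "indicators": hits,
                            "action": "lock" if hits else "none"}
    return results


# --- constructed sample input (not real accounts or log lines) -------------
SIEVE = ('require ["fileinto"];\n'
         'if true { redirect "alice.backup@example.com"; fileinto "Trash"; stop; }\n')
ACCOUNTS = {
    "alice@example.edu": (
        "dn: uid=alice,ou=people,dc=example,dc=edu\n"
        "zimbraPrefMailForwardingAddress: alice.backup@example.com\n"
        "zimbraPrefMailLocalDeliveryDisabled: TRUE\n"
        "zimbraMailSieveScript:: " + base64.b64encode(SIEVE.encode()).decode() + "\n"),
    "bob@example.edu": (
        "dn: uid=bob,ou=people,dc=example,dc=edu\n"
        "zimbraPrefMailForwardingAddress: bob-archive@example.edu\n"
        "zimbraPrefOutOfOfficeReplyEnabled: TRUE\n"
        "zimbraPrefOutOfOfficeReply: Out until June 3; call the main office.\n"),
}
SAMPLE_LOG = """\
2013-05-26 09:14:02,117 INFO  [btpool0-7://mail.example.edu/service/soap/ModifyPrefsRequest] [name=alice@example.edu;mid=17;ip=203.0.113.5;ua=zclient/7.2.1;] soap - ModifyPrefsRequest elapsed=12
2013-05-26 09:15:44,901 INFO  [btpool0-3://mail.example.edu/service/soap/GetInfoRequest] [name=bob@example.edu;mid=18;ip=198.51.100.7;] soap - GetInfoRequest elapsed=3
2013-05-26 09:16:09,033 INFO  [btpool0-9://mail.example.edu/service/soap/ModifyPrefsRequest] [name=bob@example.edu;mid=18;ip=198.51.100.7;ua=zclient/7.2.1;] soap - ModifyPrefsRequest elapsed=9
"""


def demo():
    return triage(SAMPLE_LOG, lambda account: ACCOUNTS[account])


if __name__ == "__main__":
    for acct, r in demo().items():
        print(acct, r["action"], r["ip"], *r["indicators"], sep=" | ")
```

In production the `lookup` callable would run the raw `ldapsearch -LLL` Rich mentions (filtering on `zimbraMailDeliveryAddress` and requesting only the attributes checked above) instead of indexing a dict, and an "action" of `lock` would translate to `zmprov ma <account> zimbraAccountStatus locked` plus the admin e-mail; the session-expiry step is left out here because the command for it is release-specific. The tolerant regex and the loose "ModifyPrefs" substring match are deliberate: the context block's exact layout varies between Zimbra releases, so tune against your own mailbox.log before trusting the false-negative rate.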

----- Original Message -----
> From: "Rich Graves" <rgraves@carleton.edu>
> To: "Zimbra Higher-Ed Admins" <zimbra-hied-admins@sfu.ca>
> Sent: Sunday, May 26, 2013 3:55:24 PM
> Subject: Re: LDAP Change Log
> 
> If you have a lot of users and your server is heavily loaded, then maybe you
> should watch mailbox.log for ModifyPrefs (check your log for exact message)
> and scan just those accounts. We don't bother. Running raw ldapsearch
> (without the zmprov ga Java overhead) is fast enough that we can search all
> accounts every few minutes.
> 
> A terse account of other things we do is at:
> http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082
> 
> On May 25, 2013, at 11:11 PM, William Froning <wfroning@aus.edu> wrote:
> 
> > Hello All,
> > 
> > I was wondering how you all are monitoring LDAP change events. I can't seem
> > to find the right log (if it is even enabled) to watch for account changes
> > that might suggest a compromised account.
> > 
> > We are running 7.2.1. Any assistance is welcome.
> > 
> > Thanks,
> > Will
> > 
> > --
> > Will Froning
> > Information Security Manager
> > Office of the Vice Chancellor for Finance and Administration
> > 
> > 
> > American University of Sharjah
> > 
> > Tel +971 6 515 2124
> > Mob +971 50 737 1599
> > Fax +971 6 515 2120
> > PO Box 26666, Sharjah
> > United Arab Emirates
> > http://www.aus.edu
> > wfroning@aus.edu
>