zimbra - unusual login activity

Unusual login activity alert ke it-infra@abc.co.id, ketika ada user yang mengakses Zimbra dengan IP publik dari luar Indonesia, baik lewat IMAP, POP3, maupun web.

create monitorip.sh

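#!/bin/bash
# monitorip.sh - hourly check of the Zimbra audit log for logins from outside Indonesia.
#
# Each run copies /opt/zimbra/log/audit.log into a per-day directory, diffs it
# against the copy taken 60 minutes earlier, resolves the client IP ("oip=")
# of every new line with geoiplookup, and mails the non-Indonesian entries.
#
# Globals written (under $DirLog/<date>/): audit-*.log, raw-*.raw, IPnow-*.txt,
#   sendmail.*.txt
# Requires: /usr/bin/geoiplookup with $Dir/GeoIP.dat, /usr/bin/sendemail
# Returns: 0 (also when there is no previous snapshot yet), 1 on copy/diff errors
set -u

tanggal=$(date +%F)
datenow=$(date +%F_%H%M)
auditlog="/opt/zimbra/log/audit.log"
Dir="/opt/zimbra/backup/scripts/MonIP"
DirLog="$Dir/logs"

# SMTP credentials for sendemail. They are still passed on the command line, so
# they show up in "ps" and in any "bash -x" trace of this script; restrict who
# can read the script and its trace logs.
smtp_user="user"
smtp_pass="pass"

# One sub-directory per day ("found, next" is kept for the cron trace output).
if [ -d "$DirLog/$tanggal" ]; then
  echo "found, next"
else
  mkdir -p -- "$DirLog/$tanggal" || exit 1
fi
DirLog="$DirLog/$tanggal"
filedatenow="$DirLog/audit-$datenow.log"
cp -a -- "$auditlog" "$filedatenow" || exit 1

# Snapshot written by the previous (hourly) run. Its day directory is derived from
# its own timestamp, so the 00:00 run still finds the 23:00 snapshot of the
# previous day instead of looking in today's directory only.
dateLLAgo=$(date --date="-60 minutes" +%F_%H%M)
fileLLAgo="$Dir/logs/${dateLLAgo%%_*}/audit-$dateLLAgo.log"
rawIPnow="$DirLog/raw-$datenow.raw"
IPnow="$DirLog/IPnow-$datenow.txt"
filemail="$DirLog/sendmail.$datenow.txt"

# First run of the day or after a gap: nothing to compare against yet.
[ -f "$fileLLAgo" ] || exit 0

# diff exits 1 when the files differ, which is the expected case; only >1 is an error.
diff -- "$fileLLAgo" "$filedatenow" > "$rawIPnow"
[ $? -le 1 ] || exit 1
# Keep only the lines added since the last snapshot, without the "> " marker.
# Removed lines ("<", e.g. after log rotation) and hunk headers ("12a13") would
# otherwise be handed to geoiplookup as if they were IP addresses.
sed -n 's/^> //p' -- "$rawIPnow" > "$IPnow"

{
  echo "WARNING: Unusual login activity detected"
  echo "-----------------------------------------"
} >> "$filemail"

found=0
while IFS= read -r line || [ -n "$line" ]; do
  # Only audit lines carrying the originating client address are of interest;
  # "oip=" is the field the lookup is based on (last occurrence, up to ";").
  case "$line" in
    *oip=*) ;;
    *) continue ;;
  esac
  ip=${line##*oip=}
  ip=${ip%%;*}
  # GeoIP.dat lookups are for IPv4 dotted quads; anything else (hostname,
  # e-mail address, empty value) is skipped, as the original "@" check did.
  case "$ip" in
    ''|*[!0-9.]*) continue ;;
  esac
  emailaddress=$(grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' <<<"$line")
  # geoiplookup prints "GeoIP Country Edition: CC, Country"; the second
  # comma-separated field is the country name.
  cc=$(/usr/bin/geoiplookup -f "$Dir/GeoIP.dat" "$ip" | cut -d , -f 2)
  # Private/unknown ranges yield "IP Address not found"; skip those.
  case "$cc" in
    *"IP Address not found"*|*hostname*) continue ;;
  esac
  cc=${cc// /}
  if [ "$cc" != "Indonesia" ]; then
    found=$((found + 1))
    {
      echo ""
      echo "email account: $emailaddress"
      echo "ip:            $ip"
      echo "country:       $cc"
      echo "$line "
      echo ""
      echo ""
    } >> "$filemail"
  fi
done < "$IPnow"

# Send the alert only when at least one login from outside Indonesia was found;
# previously an (empty) warning mail went out every hour.
if [ "$found" -gt 0 ]; then
  /usr/bin/sendemail -f it-infra@abc.co.id -u "Warning: Zimbra Login Activity" \
    -t it-infra@abc.co.id -o message-content-type=text -o "message-file=$filemail" \
    -xu "$smtp_user" -xp "$smtp_pass" -s 192.168.2.2:587 -o tls=no
fi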

Tambahkan ke crontab, jalankan setiap satu jam.

# Hourly run. "bash -x" traces every executed command into the debug file, so the
# sendemail command line (including the -xu/-xp SMTP credentials) ends up in
# clear text there; keep the logs directory unreadable to others, or drop -x once
# the script is working.
0 * * * * /bin/bash -x /opt/zimbra/backup/scripts/MonIP/monitorip.sh 2>&1 | tee /opt/zimbra/backup/scripts/MonIP/logs/debug-cron`date +\%F_\%H\%M`.txt

results:

ss