Hi All
Just taken on a site with single server Zimbra 8.5.0. We intend to build a new box later in the year but the current box has the proxy service installed and we would like to use fail2ban. Fail2ban won't work as all the IPs for web access show as the server address due to the proxy.
I can see that you can untick the service in the GUI. If I do this and restart the services will it continue to work as if we had not installed the proxy in the 1st place?
Alternatively does anyone know how to get the fail2ban to block IPs when it's using a proxy?
Thanks
Remove Proxy?
- L. Mark Stone
Re: Remove Proxy?
glenn_btn wrote:
> Hi All
> Just taken on a site with single server Zimbra 8.5.0. We intend to build a new box later in the year but the current box has the proxy service installed and we would like to use fail2ban. Fail2ban won't work as all the IPs for web access show as the server address due to the proxy.
> I can see that you can untick the service in the GUI. If I do this and restart the services will it continue to work as if we had not installed the proxy in the 1st place?
> Alternatively does anyone know how to get the fail2ban to block IPs when it's using a proxy?
> Thanks
Proxy is required now, even for single-server installs. Nginx is generally considered to be straightforward to secure, and comes pretty secure out of the box.
Zimbra's DoSFilter now supports IP blocking, so really IMHO the only reason to use fail2ban any more is to block IPs trying to log in via SSH. But if you configure SSH on the server to allow only passwordless logins (via keys), then you don't need fail2ban at all. And if you don't need fail2ban, and you have a firewall in front of Zimbra that allows only Zimbra's public-server ports, then you don't need to run iptables, ufw, or firewalld on the Zimbra server itself.
Hope that helps,
Mark
P.S. 8.5.0 is no longer supported and has known security vulnerabilities that will never be fixed. Better to migrate to a newer, supported Zimbra system...
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
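
The problem raised in the first post (every web login appearing to come from the proxy's own address) is shown below as an added example; it is not code from either poster or from Zimbra. It counts failed logins per client and refuses to attribute a failure to the proxy itself. Assumptions: the log layout, the `oip=` originating-address field (expected once the proxy is listed as a trusted IP on the mailbox server), the proxy address 192.0.2.10 and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on a Zimbra audit log.
# ip= is the socket peer (here the proxy); oip= is the originating client.
SAMPLE_LOG = """\
2015-03-02 09:14:01 WARN [qtp1-101] [name=alice@example.com;ip=192.0.2.10;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice], invalid password;
2015-03-02 09:14:03 WARN [qtp1-102] [name=alice@example.com;ip=192.0.2.10;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice], invalid password;
2015-03-02 09:14:05 WARN [qtp1-103] [name=bob@example.com;ip=192.0.2.10;oip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob], invalid password;
2015-03-02 09:15:10 WARN [qtp1-104] [name=carol@example.com;ip=192.0.2.10;oip=198.51.100.23;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol], invalid password;
2015-03-02 09:16:30 WARN [qtp1-105] [name=dave@example.com;ip=192.0.2.10;] security - cmd=Auth; account=dave@example.com; protocol=soap; error=authentication failed for [dave], invalid password;
2015-03-02 09:17:00 INFO [qtp1-106] [name=alice@example.com;ip=192.0.2.10;oip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap;
"""

# Addresses of the proxy itself (assumed values); these must never be banned.
TRUSTED_PROXIES = {"127.0.0.1", "192.0.2.10"}

OIP = re.compile(r"\boip=([^;\]]+)")  # originating client, set behind a proxy
IP = re.compile(r"\bip=([^;\]]+)")    # socket peer; \b keeps it from matching oip=

def client_ip(line):
    """Return the real client address, or None if only the proxy is visible."""
    match = OIP.search(line) or IP.search(line)
    addr = match.group(1) if match else None
    return None if addr in TRUSTED_PROXIES else addr

def failed_logins(log_text):
    """Count failed Auth commands per client; also count unattributable ones."""
    counts, unattributed = Counter(), 0
    for line in log_text.splitlines():
        if "cmd=Auth;" not in line or "error=authentication failed" not in line:
            continue  # not a failed login
        addr = client_ip(line)
        if addr is None:
            unattributed += 1  # the failure mode from the post: proxy IP only
        else:
            counts[addr] += 1
    return counts, unattributed

def to_block(log_text, max_failures=3):
    """Addresses with at least max_failures failed logins, proxy excluded."""
    counts, _ = failed_logins(log_text)
    return sorted(ip for ip, n in counts.items() if n >= max_failures)

if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOG), to_block(SAMPLE_LOG))
```

A log-based blocker that matched on `ip=` alone would see 192.0.2.10 in every line here and either ban the proxy or nothing at all.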