Hi guys,
I have a multi-server Zimbra environment as follows: 1 LDAP + 2 MTA + 2 MAILBOX + 1 PROXY.
I’m setting up Fail2Ban on Zimbra 8.8 with CentOS 7 to prevent brute-force attacks.
I’m following this article: http://linux-sys-adm.com/how-to-configu ... p-by-step/. But I am seeing that this post only works for a single-server environment. Let me explain.
These logs are stored on the Mailbox server.
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
         sendmail[name=Zimbra-account, dest=mslavov@linux-sys-adm.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 4

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
         sendmail[name=Zimbra-audit, dest=mslavov@linux-sys-adm.com]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2
This log is stored on the MTA server.
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=mslavov@linux-sys-adm.com]
logpath = /var/log/maillog
bantime = -1
maxretry = 5
So, can I ask you a question?
Can you please let me know where Fail2Ban should be installed? On the MTA, on the Mailbox, or on both servers? I have read every article on setting up Fail2Ban and they are all different.
Can you please share with me these Fail2Ban configuration files (/etc/fail2ban/jail.conf, /etc/fail2ban/filter.d/zimbra.conf, and /etc/fail2ban/action.d/iptables-allports.conf) as they work in a multi-server environment?
Fail2Ban on Zimbra 8.8 with Centos 7
- Peter Parker
- Location: Vietnam
Re: Fail2Ban on Zimbra 8.8 with Centos 7
In a multi-server Zimbra installation, I installed fail2ban and ipset-blacklist on every Zimbra server.
/etc/fail2ban/action.d/iptables-common.conf - this file is a part of the standard fail2ban distribution, and it is not intended to be edited by the admin.
iptables-common.local - this could be edited (but it is not needed, as iptables usually works the same way on all Linuxes):
Fail2ban is still single-server-based software. If an IP is blocked on the first server, it will not be blocked on the other server in the intranet.
You could possibly have a look at ipset-blacklist; it helped me a lot to harden the Zimbra installation.
example of /etc/fail2ban/jail.d/zimbra.conf:
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=admin@zimbra.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=admin@zimbra.com]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=admin@zimbra.com]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=admin@zimbra.com]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5
example of /etc/fail2ban/filter.d/zimbra.conf:
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* missing userPassword;$
ignoreregex =
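As an added example (not code from either post), the script below replays a few constructed mailbox.log-style lines through the failregex list from the reply's filter.d/zimbra.conf. It expands <HOST> the way fail2ban 0.9 does (newer releases use a longer pattern with the same named group), reports which address each line attributes the failure to, and then applies the jail's maxretry/findtime counting to show which addresses would actually be banned. The log lines, timestamps, addresses and account names are made up for the demonstration; only the regexes and the <HOST> expansion are real.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.9 replaces <HOST> with this pattern (IPv4, IPv6 or hostname) before compiling.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the filter.d/zimbra.conf posted in the reply above.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* missing userPassword;$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Leading timestamp of a mailbox.log line, e.g. "2018-04-10 10:15:32,101".
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")

# Constructed sample lines in mailbox.log style (not real traffic, assumed format).
# 203.0.113.7 triggers five different failure patterns; 198.51.100.20 fails once, then logs in.
SAMPLE_LOG = """\
2018-04-10 10:15:32,101 INFO  [ImapServer-5] [ip=203.0.113.7;] account - authentication failed for bob@example.com (no such account)
2018-04-10 10:15:33,202 WARN  [ImapSSLServer-12] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2018-04-10 10:15:35,303 INFO  [qtp-44] [name=alice@example.com;oip=203.0.113.7;ua=zclient/8.8.8;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;
2018-04-10 10:15:36,404 INFO  [qtp-45] [oip=203.0.113.7;ua=zclient/8.8.8;] SoapEngine - handler exception: authentication failed for nobody@example.com, account not found
2018-04-10 10:15:40,505 WARN  [qtp-46] [name=admin;oip=203.0.113.7;ip=203.0.113.7;ua=ZimbraWebClient - FF59 (Linux)/8.8.8;] security - cmd=AdminAuth; account=admin@example.com; error=authentication failed for admin@example.com, invalid password;
2018-04-10 10:15:41,606 INFO  [ImapServer-7] [ip=198.51.100.20;] security - cmd=Auth; account=carol@example.com; protocol=imap; error=authentication failed for [carol@example.com], invalid password;
2018-04-10 10:15:42,707 INFO  [ImapServer-8] [name=carol@example.com;ip=198.51.100.20;] security - cmd=Auth; account=carol@example.com; protocol=imap;
"""


def match_failure(line):
    """Return the address a failregex attributes the failure to, or None (what fail2ban-regex reports)."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def evaluate(log_text, maxretry=5, findtime=600):
    """Replay log lines through the jail's counting: a host is banned once it has
    `maxretry` matching failures inside a sliding window of `findtime` seconds.
    Returns (failures per host, hosts that would be banned, in ban order)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    failures = defaultdict(int)
    banned = []
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None:
            continue
        ts_match = TIMESTAMP.match(line)
        if ts_match is None:
            continue  # skip lines without a parseable timestamp
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S,%f")
        failures[host] += 1
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return dict(failures), banned


if __name__ == "__main__":
    counts, bans = evaluate(SAMPLE_LOG, maxretry=5, findtime=600)
    for host, n in sorted(counts.items()):
        print(f"{host:<16} failures={n} {'BAN' if host in bans else 'ok'}")
```

With the reply's jail settings (maxretry = 5, default findtime of 600 s) the first address is banned on its fifth failure and the second is not; shrinking findtime to a few seconds bans nobody, which is the knob to watch when a slow brute force stays under the threshold. The authoritative check on a real server is `fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf`, which prints the same per-line matches against the live log. The script only tells you what the regexes match; which servers need the jail follows from where the log lives, as the OP noted (mailbox.log and audit.log on the mailbox servers, the Postfix log on the MTAs). Note that in a topology with a Zimbra proxy in front, as in the OP's, the `ip=` field seen by the mailbox server is usually the proxy's address and the client's real address is carried in `oip=`, so a filter keyed on `ip=` alone could end up banning your own proxy; the `oip=` patterns are the ones that matter for that traffic.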