Zimbra Iptables+Fail2Ban correct regex

TitusI
Posts: 21
Joined: Fri Apr 15, 2016 2:54 pm


Postby TitusI » Tue Nov 14, 2017 1:49 pm

I've deployed Zimbra on a new server to migrate an old server:
Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.

I've set up iptables using the rules from the official Zimbra howto.

Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s XX.XX.XX.XX/32 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m multiport -p tcp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -m multiport -p udp --dports 67,68,135,137,138,139,445,631,1025 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s XX.XX.XX.XX
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s XX.XX.XX.XX
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s XX.XX.XX.XX
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s XX.XX.XX.XX/32
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Now I want to set up fail2ban, but no rule seems to match my log file.
My actual filter.d/zimbra.conf is

Code:

# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


I've tried different regexes using fail2ban-regex against different log files, but nothing matched! :(
In the mailbox log (/opt/zimbra/log/mailbox.log) I see lines like:
2017-11-14 14:25:26,005 INFO [qtp127618319-44766:https:https://xxxxxxxxxxxxxxxxxxxxxxxxx.xx:7073/service/admin/soap/] [] misc - Access from IP XX.XX.XX.XX suspended, for repeated failed login.

but the iptables jails are clean! Who is banning?

Can you please give me a regex to match lines like:

2017-11-09 17:02:51,601 INFO [qtp127618319-185:http://localhost:8080/service/soap/AuthRequest] [name=address.xx;oip=XX.XX.XX.XX;ua=zclient/8.7.11_GA_1854;] SoapEngine - handler exception: authentication failed for [xxx@xxxx.xx], invalid password

Is the iptables configuration correct?

Thank you in advance! :D
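As an added illustration (not code from the post, from Zimbra or from the fail2ban project), the Python snippet below expands `<HOST>` the way the filter's own comment describes, runs the posted mailbox.log patterns over constructed sample lines modelled on the one quoted in the post, and shows why they capture nothing while one assumed candidate pattern does. The candidate pattern, the sample IP addresses and the extra "account not found" / IPv4-mapped lines are assumptions made for the example.

```python
import re

# fail2ban expands the <HOST> tag to this group (as stated in the filter's comment above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


# The mailbox.log patterns copied from the posted filter.d/zimbra.conf.
POSTED_PATTERNS = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
]

# Assumed candidate (not from the page): keys on the oip= field plus the SoapEngine
# handler-exception text and accepts either failure reason seen in mailbox.log.
CANDIDATE_PATTERN = (
    r"oip=<HOST>;.*SoapEngine - handler exception: authentication failed for "
    r"\[.*\], (?:invalid password|account not found)$"
)

# Constructed sample lines (addresses are documentation/placeholder values).
SAMPLE_LOG = [
    "2017-11-09 17:02:51,601 INFO [qtp127618319-185:http://localhost:8080/service/soap/AuthRequest] "
    "[name=address.xx;oip=203.0.113.5;ua=zclient/8.7.11_GA_1854;] SoapEngine - handler exception: "
    "authentication failed for [xxx@xxxx.xx], invalid password",
    "2017-11-09 17:03:12,004 INFO [qtp127618319-186:http://localhost:8080/service/soap/AuthRequest] "
    "[name=other.xx;oip=203.0.113.5;ua=zclient/8.7.11_GA_1854;] SoapEngine - handler exception: "
    "authentication failed for [nobody@xxxx.xx], account not found",
    # IPv4-mapped form: the (?:::f{4,6}:)? prefix in HOST_TAG strips the ::ffff: part.
    "2017-11-09 17:04:40,117 INFO [qtp127618319-190:http://localhost:8080/service/soap/AuthRequest] "
    "[name=third.xx;oip=::ffff:198.51.100.9;ua=zclient/8.7.11_GA_1854;] SoapEngine - handler exception: "
    "authentication failed for [user@xxxx.xx], invalid password",
    # Zimbra's own lockout message: informational, not a per-attempt failure, so no pattern should fire.
    "2017-11-14 14:25:26,005 INFO [qtp127618319-44766:https:https://mail.example.test:7073/service/admin/soap/] "
    "[] misc - Access from IP 203.0.113.5 suspended, for repeated failed login.",
]


def match_hosts(patterns, lines):
    """Return the host captured for each line that any pattern matches (first match wins)."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def count_failures(patterns, lines):
    """Tally matched failures per source IP, the grouping fail2ban applies before banning."""
    counts = {}
    for host in match_hosts(patterns, lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("posted patterns  :", count_failures(POSTED_PATTERNS, SAMPLE_LOG))
    print("candidate pattern:", count_failures([CANDIDATE_PATTERN], SAMPLE_LOG))
```

The posted patterns miss the quoted line for two independent reasons: `\[oip=` requires the bracket to sit directly before `oip=`, but the real line carries `[name=...;oip=`, and the only `SoapEngine` pattern ends in `account not found` while the line ends in `invalid password`. Once a pattern is chosen, `fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf` is the authoritative check, since fail2ban strips the timestamp and applies its own anchoring before matching.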

