Fail2Ban on Zimbra 8.8 with Centos 7

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
Peter Parker
Posts: 8
Joined: Mon Apr 09, 2018 2:06 am
Location: Vietnam

Fail2Ban on Zimbra 8.8 with Centos 7

Postby Peter Parker » Thu Jun 21, 2018 8:52 am

Hi guys,

I’m having a multi-server Zimbra environment as follow: 1 LDAP + 2 MTA + 2 MAILBOX + 1 PROXY.

I’m setting Fail2Ban on Zimbra 8.8 with Centos 7 to prevent the brute force attacks.

I’m following this article http://linux-sys-adm.com/how-to-configu ... p-by-step/. But, I am seeing that this post only working for a single server environment. Let me explain to you.

These logs are stored at Mailbox Server.
[zimbra-account]

enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
sendmail[name=Zimbra-account, dest=mslavov@linux-sys-adm.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 4

[zimbra-audit]

enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
sendmail[name=Zimbra-audit, dest=mslavov@linux-sys-adm.com]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2

This log is being stored at MTA Server.

[postfix]

enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=mslavov@linux-sys-adm.com]
logpath = /var/log/maillog
bantime = -1
maxretry = 5

So, can I ask you the question?

Can you please let me know where is being installed Fail2Ban? MTA or Mailbox or both on 2 servers? I have read every article on setting up Fail2Ban and they are all different.

Can you please share for me these Fail2Ban configuration files as ( /etc/fail2ban/jail.conf, /etc/fail2ban/filter.d/zimbra.conf, and /etc/fail2ban/action.d/iptables-allports.conf) are working on multi server environment?


User avatar
esafonov
Posts: 24
Joined: Tue Jul 05, 2016 3:38 am

Re: Fail2Ban on Zimbra 8.8 with Centos 7

Postby esafonov » Sun Nov 17, 2019 3:46 pm

In a multiserver zimbra installation, I installed fail2ban and ipset-blacklist at every zimbra server.

/etc/fail2ban/action.d/iptables-common.conf - this file is a part of standart fail2ban distribution, and it is not intended to be edited by admin.
iptables-common.local- this could be edited (but not needed, as usually iptables works the same way at all linuxes):

Fail2ban is still single-server based software, If IP is blocked on first server, it will not be blocked on the other server in the intranet.
You could possible have a look at at ipset-blacklist, it helped me alot to harden zimbra installation.


example of /etc/fail2ban/jail.d/zimbra.conf:

Code: Select all

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, dest=admin@zimbra.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, dest=admin@zimbra.com]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, dest=admin@zimbra.com]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=admin@zimbra.com]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5


example of /etc/fail2ban/filter.d/zimbra.conf:

Code: Select all

[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* missing userPassword;$

Return to “Administrators”

Who is online

Users browsing this forum: Majestic-12 [Bot] and 15 guests