How to protect Zimbra against postfix AUTH DoS attacks

MartinsBonders
Posts: 22
Joined: Wed May 18, 2016 8:12 am

How to protect Zimbra against postfix AUTH DoS attacks

Post by MartinsBonders »

Hello!

What would be the best way to protect Zimbra 8.6 from postfix AUTH DoS attacks? Like this:

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by phoenix »

How about fail2ban? There are details in the forums on that subject.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by L. Mark Stone »

fail2ban I can confirm works great.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
MartinsBonders
Posts: 22
Joined: Wed May 18, 2016 8:12 am

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by MartinsBonders »

Is there some approved manual on how to set up Zimbra + fail2ban? Because the forum only has some pieces of configs.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by phoenix »

The simple answer to that would be no, there isn't any Zimbra document for that. This isn't a function of ZCS and installing fail2ban would be a server admin task - I believe there are plenty of details on the internet for configuring it.

For example, Centos7: https://search.yahoo.com/yhs/search?p=% ... mp=yhs-001
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by L. Mark Stone »

Here is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)
root@mail:/etc/fail2ban/filter.d# cat zimbra.conf
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
    \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
    ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
    \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
    WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
    NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

root@mail:/etc/fail2ban/filter.d#
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
MartinsBonders
Posts: 22
Joined: Wed May 18, 2016 8:12 am

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by MartinsBonders »

Thank you, this looks very good!~:)

L. Mark Stone wrote:Here is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by L. Mark Stone »

MartinsBonders wrote:Thank you, this looks very good!~:)

L. Mark Stone wrote:Here is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)

You're very welcome; hope you get things sorted out!

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Xardas999
Posts: 8
Joined: Thu Oct 20, 2016 9:51 pm

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by Xardas999 »

Dear Sir Mark!

If I put this into the filter.d directory as a file zimbra.conf, what should I enter in jail.local?
[zimbra]
enabled=true
... or something else? Log path, backend setup?

Thank you in advance!
Xardas999
Posts: 8
Joined: Thu Oct 20, 2016 9:51 pm

Re: How to protect Zimbra against postfix AUTH DoS attacks

Post by Xardas999 »

If I just add to jail.local
[zimbra]
enabled=true

and put this content to zimbra.conf

then fail2ban-client reload says:
ERROR NOK: ("No 'host' group in '\\[ip=;\\] account \xe2\x80\x94 authentication failed for .* \\(no such account\\)$'",)


-------- REMARK:
This happens if you wrongly copy-pasted the config and the name <HOST> is missing. The above-mentioned line must look like:
\\[ip=<HOST>;\\] account \xe2\x80\x94 authentication failed for .* \\(no such account\\)$
Last edited by Xardas999 on Fri Oct 21, 2016 11:16 pm, edited 3 times in total.
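As an added example (not from this thread and not fail2ban's own code), this Python script expands <HOST> into the named group the filter's own comment quotes, runs the posted failregex lines over a few constructed log lines, and reports any pattern that lost its <HOST> tag, which is what produces the "No 'host' group" error above. The postfix "lost connection after AUTH" pattern, which the posted filter does not cover, and the sample lines are my assumptions; on a real server, fail2ban-regex performs the same check against the live log.

```python
import re

# fail2ban expands <HOST> into this named group before compiling (the alias quoted in zimbra.conf).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from the zimbra.conf filter posted in this thread.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

# Assumed extra pattern (not in the posted filter): the postfix smtpd line from
# the opening post, which none of the Zimbra mailbox patterns above cover.
POSTFIX_AUTH_REGEX = r"postfix/smtpd\[\d+\]: lost connection after AUTH from \S+\[<HOST>\]$"

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    "2016-10-19 06:30:49,123 INFO [ImapServer-5] [ip=203.0.113.7;] account - "
    "authentication failed for bob@example.com (no such account)",
    "Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[198.51.100.23]",
    "Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[198.51.100.23]",
]


def missing_host_patterns(patterns):
    """Patterns that make 'fail2ban-client reload' fail with "No 'host' group"."""
    return [p for p in patterns if "<HOST>" not in p]


def compile_failregex(pattern):
    """Expand <HOST> as fail2ban does; reject a pattern that lost its tag."""
    if "<HOST>" not in pattern:
        raise ValueError("No 'host' group in %r" % pattern)
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def match_hosts(patterns, lines):
    """For each line, the host captured by the first matching pattern, else None."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        found = next((m.group("host") for m in (rx.search(line) for rx in compiled) if m), None)
        hosts.append(found)
    return hosts


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, match_hosts(FAILREGEX + [POSTFIX_AUTH_REGEX], SAMPLE_LINES)):
        print("%-15s %s" % (host or "(no match)", line[:60]))
```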