Zimbra Fail2ban Setup

 

How to install and configure Fail2ban for Zimbra mail server on CentOS.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Install Fail2ban on CentOS 7:

Ensure your system is up to date and install the EPEL repository:

# yum update
# yum install epel-release

Install Fail2ban:

# yum install fail2ban

 

Backup iptables-allports.conf, jail.conf files:

# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

 

Create zimbra.conf file

# touch /etc/fail2ban/filter.d/zimbra.conf

with content below:

# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Create Zimbra jail.conf file

# touch /etc/fail2ban/jail.conf

with content as bellow:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
## The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = 127.0.0.1/8 ip_public/32
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected];[email protected]]
logpath = /var/log/messages
maxretry = 5

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected];[email protected]]
logpath = /var/log/zimbra.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, [email protected];[email protected]]
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, [email protected];[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, [email protected];[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, [email protected];[email protected]]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, [email protected];[email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log

Dont forget change [email protected], [email protected] to your email address, also add your IP in ignoreip = field.

Edit /etc/fail2ban/action.d/sendmail.conf  file:

Change row – Fail2Ban” | /usr/sbin/sendmail -f <sender> <dest> into:

Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>

 

Start and enable Fail2ban:

# systemctl start fail2ban

# systemctl enable fail2ban

 

Gets the current status:

# fail2ban-client status

 

 

 

 

If you like what you are reading, please:

Buy me a coffee