Zimbra Fail2ban Setup

Zimbra Fail2ban Setup


How to install and configure Fail2ban for Zimbra mail server on CentOS.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Install Fail2ban on CentOS 7:

Ensure your system is up to date and install the EPEL repository:

# yum update
# yum install epel-release

Install Fail2ban:

# yum install fail2ban


Backup iptables-allports.conf, jail.conf files:

# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup


Create zimbra.conf file

# touch /etc/fail2ban/filter.d/zimbra.conf

with content below:

# Fail2Ban configuration file
# Author:
# $Revision: 1 $


# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Create Zimbra jail.conf file

# touch /etc/fail2ban/jail.conf

with content as bellow:

# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 747 $
## The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = ip_public/32
ignoreip =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.


enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected];[email protected]]
logpath = /var/log/messages
maxretry = 5

# This jail forces the backend to "polling".


enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected];[email protected]]
logpath = /var/log/zimbra.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".


enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, [email protected];[email protected]]
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, [email protected];[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, [email protected];[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, [email protected];[email protected]]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, [email protected];[email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log

Dont forget change [email protected][email protected] to your email address, also add your IP in ignoreip = field.

Edit /etc/fail2ban/action.d/sendmail.conf  file:

Change row – Fail2Ban” | /usr/sbin/sendmail -f <sender> <dest> into:

Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>


Start and enable Fail2ban:

# systemctl start fail2ban

# systemctl enable fail2ban


Gets the current status:

# fail2ban-client status





If you like what you are reading, please:

Buy me a coffeeBuy me a coffee



Leave a Reply