Zimbra
I am trying to make fail2ban work with Zimbra. I have many accounts that are blocked by failed attempts; I added this filter to fail2ban, but I cannot block the IP.
imap.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#
[Definition]
failregex = \[ip=<HOST>;\] imaps - authentication failed for .* \(invalid password\)$
ignoreregex =
jail.conf
[imap]
enabled = true
port = imaps
filter = imap
action = iptables-multiport[name=Imap, port=imaps, protocol=tcp]
logpath = /opt/zimbra/log/mailbox.log
bantime = 628800
maxretry = 3
Any idea or help?
3 Replies
Greetings @rickygm,
We recommend making these changes in a .local file.
Fail2ban reads .conf configuration files first, then .local files override any settings. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched.
The following command will copy the default configuration profile to a .local file.
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Now that you are working in a .local file, we would like to confirm: are you attempting to block failed login attempts for the web panel or the mail client?
How did you write your regex? Did you base it off of the log file that contains zimbra login attempts? If any of the syntax is wrong, this would cause the fail2ban action to fail as well.
If you are using DNS here, you could be blocking the wrong IPs due to the asymmetric nature of reverse DNS (which the application used to write the domain name to the log) compared to the forward DNS that fail2ban uses to resolve this back to an IP (but not necessarily the same one). Ideally you should configure your applications to log a real IP. You can learn more about the 'usedns' parameter here.
https://www.systutorials.com/docs/linux/man/5-jail.conf/#lbAE
Fail2ban also only bans attempts for SSH on port 22 by default. Make sure that your filter and port values are correct. You can use our guide to double check.
https://www.linode.com/docs/security/using-fail2ban-for-security/#other-jail-configuration
You can read more about securing Zimbra with fail2ban here:
https://www.vavai.net/2011/10/tips-improving-zimbra-mail-server-security-with-fail2ban/
Best,
Preston
Linode Support Team
Thanks for your answer. I made the change from .conf to jail.local.
See the log of my Zimbra server, audit.log:
2018-10-05 21:25:32,164 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=213.254.22.220;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=109;] security - cmd=Auth; account=usuario2@midominio.com.org; protocol=imap; error=authentication failed for [usuario2@midominio.com.org], invalid password;
2018-10-05 21:25:55,269 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=177.37.80.30;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=110;] security - cmd=Auth; account=usuario3@midominio.com.org; protocol=imap; error=authentication failed for [usuario3@midominio.com.org], invalid password;
2018-10-05 21:25:58,281 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=212.233.118.58;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=111;] security - cmd=Auth; account=usuario2@midominio.com.org; protocol=imap; error=authentication failed for [usuario2@midominio.com.org], invalid password;
With this change I'm blocking attempts to SSH, but not those of Zimbra. I always use 'no' in the usedns option; I think it consumes more resources if I leave it on 'warn'.
Look at my jail.local:
[ssh-iptables]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
action = iptables-allports[name=SSH-iptables]
         sendmail[name=SSH, dest=$MAILADMIN]
maxretry = 3
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 3
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/zimbra.log
findtime = 604800
bantime = 172800
maxretry = 3
[imap]
enabled = true
port = imaps
filter = imap
action = iptables-multiport[name=Imap, port=imaps, protocol=tcp]
logpath = /opt/zimbra/log/mailbox.log
bantime = 628800
maxretry = 3
Zimbra filter:
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account – authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security – cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security – cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security – cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account – authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security – cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine – handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security – cmd=AdminAuth; .* error=authentication failed for .*;$
            WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Thanks for your support.
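The script below is an added check, not code from the post or from fail2ban: it runs the posted cmd=Auth filter line (the same `\[ip=<HOST>;\]` construct the imap filter uses) over the three audit.log lines above, using the <HOST> expansion the filter comment quotes, next to variants with a plain hyphen and with the proxied bracket handled (FAILREGEX_IP and FAILREGEX_OIP are assumed corrections, not from the post). Behind the nginx proxy the bracket reads `[ip=...;oip=...;...]`, so `\[ip=<HOST>;\]` cannot match at all, and a line that merely loosens it to take ip= would ban the proxy 192.168.11.30 itself rather than the client recorded in oip=.

```python
import re

# fail2ban expands the <HOST> tag to this named group (quoted from the filter comment above).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample input: the three audit.log lines from the post.
AUDIT_LOG = [
    "2018-10-05 21:25:32,164 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=213.254.22.220;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=109;] security - cmd=Auth; account=usuario2@midominio.com.org; protocol=imap; error=authentication failed for [usuario2@midominio.com.org], invalid password;",
    "2018-10-05 21:25:55,269 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=177.37.80.30;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=110;] security - cmd=Auth; account=usuario3@midominio.com.org; protocol=imap; error=authentication failed for [usuario3@midominio.com.org], invalid password;",
    "2018-10-05 21:25:58,281 WARN [ImapSSLServer-5] [ip=192.168.11.30;oip=212.233.118.58;via=192.168.11.32(nginx/1.7.1);ua=Zimbra/8.8.8GA3008;cid=111;] security - cmd=Auth; account=usuario2@midominio.com.org; protocol=imap; error=authentication failed for [usuario2@midominio.com.org], invalid password;",
]

# The cmd=Auth line exactly as posted: en-dash before cmd=Auth, and "\[ip=<HOST>;\]",
# which expects "]" directly after the ip= field.
FAILREGEX_POSTED = r"\[ip=<HOST>;\] security – cmd=Auth; .* error=authentication failed for .*, invalid password;$"
# Same line with a plain hyphen; still only fits an unproxied "[ip=1.2.3.4;]" bracket.
FAILREGEX_UNPROXIED = r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$"
# Hypothetical: accepts the longer proxied bracket but bans ip=, i.e. the nginx proxy.
FAILREGEX_IP = r"\[ip=<HOST>;.*\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$"
# Hypothetical: takes the originating client address from oip= instead.
FAILREGEX_OIP = r"\[ip=[\w\-.^_]+;oip=<HOST>;.*\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$"


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matched_hosts(failregex, lines):
    """Return, in order, the host each matching log line would count toward a ban."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for name, rx in [("posted", FAILREGEX_POSTED), ("unproxied", FAILREGEX_UNPROXIED),
                     ("ip=", FAILREGEX_IP), ("oip=", FAILREGEX_OIP)]:
        print(f"{name:10s} -> {matched_hosts(rx, AUDIT_LOG)}")
```

fail2ban's own fail2ban-regex tool performs the same check against the real log, for example `fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf`.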