Related posts you may like:
- zimbra custom spamassassin rules
- How to create auto Bcc for Recipient mails for Zimbra 8.6
- How to add spam filters on zimbra 8.6
- How to create auto Bcc for sender mails for Zimbra 8.6
- list accounts that has not logged in for the last x days in zimbra
Install fail2ban and an editor:
yum install fail2ban nano
Back up the files that will be changed (the zimbra.conf backup only matters if a filter by that name already exists):
cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
cp /etc/fail2ban/filter.d/zimbra.conf /etc/fail2ban/filter.d/zimbra.conf.backup
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
Create the Zimbra filter, /etc/fail2ban/filter.d/zimbra.conf. Zimbra logs the connecting address as ip= and, when the nginx proxy sits in front of mailboxd, the real client as oip=, which is why the patterns below pick whichever field carries the client address. When finished the file should read as follows:
cat /etc/fail2ban/filter.d/zimbra.conf
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Now define the jails in /etc/fail2ban/jail.conf:
nano /etc/fail2ban/jail.conf
The content is as below. The notification addresses in the action lines are redacted in this copy; the sendmail actions take them as dest= and sender= parameters, so substitute your own.
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = 127.0.0.1/8 ip_public/32
ignoreip = 127.0.0.1/8 172.16.235.150/32
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected];[email protected]]
logpath = /var/log/messages
maxretry = 5
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, [email protected];[email protected]]
logpath = /var/log/zimbra.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, [email protected];[email protected]]
ignoreregex = for myuser from
logpath = /var/log/messages
# Zimbra jails. All three use the zimbra filter above, each against a different
# log; iptables-allports bans the offending address on every port.
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, [email protected];[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, [email protected];[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, [email protected];[email protected]]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, [email protected];[email protected]]
logpath = /var/log/zimbra.log
# -1 bans permanently rather than for a fixed number of seconds
bantime = -1
maxretry = 5
#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log
Point the sendmail action at Zimbra's own postfix so that ban notifications are actually delivered (the system /usr/sbin/sendmail is usually not the working MTA on a Zimbra host):
vim /etc/fail2ban/action.d/sendmail.conf
Change the line that ends in
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
to
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
The sendmail-whois and sendmail-buffered actions used by the other jails pipe to /usr/sbin/sendmail in the same way in their own files; make the same change there if you rely on them.
Restart fail2ban to load the new filter and jails:
service fail2ban restart
Failed logins as they appear in /opt/zimbra/log/mailbox.log (account names are redacted in this copy):
2017-07-13 10:36:30,776 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:30,777 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=15
2017-07-13 10:36:53,229 INFO [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:53,231 INFO [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=3
2017-07-13 10:37:04,468 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:37:04,468 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=2
2017-07-13 10:37:13,388 INFO [qtp509886383-111:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
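As an added illustration (not part of the original post or of fail2ban itself), the script below applies the failregex lines from the filter above, with fail2ban's <HOST> alias substituted, to a few constructed log lines and then applies maxretry and ignoreip from jail.conf. It shows that the mailbox.log line quoted above (oip= after name=, "invalid password") matches none of the patterns as written, while the audit.log-style "security - cmd=Auth" line that the third pattern is built for does fire. The sample lines, account names and addresses are assumptions, and the findtime window is deliberately left out.

```python
import ipaddress
import re
from collections import Counter

# The <HOST> alias as documented in the filter header above.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The six active failregex lines from /etc/fail2ban/filter.d/zimbra.conf above.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# ignoreip from the [DEFAULT] section of jail.conf above.
IGNOREIP = ["127.0.0.1/8", "172.16.235.150/32"]


def match_line(line):
    """Return (failregex index, host) for the first pattern that fires, else None.
    fail2ban searches each failregex within the line rather than anchoring it."""
    for i, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None


def is_ignored(host, ignoreip=IGNOREIP):
    """True when host lies inside an ignoreip entry; hostnames are never ignored."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def would_ban(lines, maxretry=5, ignoreip=IGNOREIP):
    """Tally failregex hits per host and return those reaching maxretry.
    findtime is deliberately ignored: all lines are treated as one window."""
    hits = Counter()
    for line in lines:
        hit = match_line(line)
        if hit and not is_ignored(hit[1], ignoreip):
            hits[hit[1]] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}


# Constructed sample lines (assumed formats, not captured from a real server).
# The mailbox.log form copied from the excerpt above, with a placeholder account.
MAILBOX_LINE = (
    "2017-07-13 10:36:30,776 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] "
    "[name=user@example.com;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] "
    "SoapEngine - handler exception: authentication failed for [user@example.com], invalid password"
)
# The audit.log form the third failregex is written for.
AUDIT_LINE = (
    "2017-07-13 10:36:30,776 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] "
    "[name=user@example.com;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] "
    "security - cmd=Auth; account=user@example.com; protocol=soap; "
    "error=authentication failed for user@example.com, invalid password;"
)
# An unknown-account probe in the form the fourth failregex expects.
NOT_FOUND_LINE = (
    "2017-07-13 10:38:00,001 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] "
    "[oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] "
    "SoapEngine - handler exception: authentication failed for [nobody@example.com], account not found"
)
# A postfix recipient rejection from /var/log/zimbra.log for the sixth failregex.
POSTFIX_LINE = (
    "Jul 13 10:40:01 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; "
    "from=<probe@example.net> to=<nobody@example.com> proto=ESMTP helo=<scanner>"
)

if __name__ == "__main__":
    for label, line in [("mailbox.log", MAILBOX_LINE), ("audit.log", AUDIT_LINE),
                        ("account not found", NOT_FOUND_LINE), ("postfix", POSTFIX_LINE)]:
        print(f"{label:18} -> {match_line(line)}")
    print("banned after 5 audit.log failures:", would_ban([AUDIT_LINE] * 5))
```

On the server itself, fail2ban-regex run against the real log and the filter file is the authoritative check; this script only reproduces the matching and counting steps offline so the patterns can be reasoned about before they are deployed.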
Confirm that the four jails are running. Note that the mailbox.log lines above carry oip= after name= and say "invalid password", so as written none of the failregex lines catch them; run fail2ban-regex against the log and the filter file to see which lines actually fire before trusting a jail.
# fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: postfix, zimbra-account, zimbra-audit, zimbra-recipient
Thanks for reading this post on securing a Zimbra mail server with fail2ban. I hope this is useful.