Huu Phan | Blog Linux operating system | Linux operating system -Blog Huu Phan | www.huuphan.com

This Blog is protected by DMCA.com

huuphan.com. Powered by Blogger.

zimbra mail server security fail2ban

zimbra mail server security with fail2ban. How to configure fail2ban for prevent "brute force attack" zimbra 8.6 on centos. How to improve zimbra mail server security with fail2ban . I'm running commands as root account.
Links to below you maybe likes:
zimbra mail server security fail2ban





To install fail2ban
yum install fail2ban nano
To backup file
cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
cp /etc/fail2ban/filter.d/zimbra.conf /etc/fail2ban/filter.d/zimbra.conf.backup
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
To create zimbra.conf file
cat /etc/fail2ban/filter.d/zimbra.conf
The content as below
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

To create the rules for Zimbra jail.conf  file
nano /etc/fail2ban/jail.conf file
The content as bellow
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
## The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = 127.0.0.1/8 ip_public/32
ignoreip = 127.0.0.1/8 172.16.235.150/32
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected];[email protected]]
logpath = /var/log/messages
maxretry = 5

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected];[email protected]]
logpath = /var/log/zimbra.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, [email protected];[email protected]]
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, [email protected];[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, [email protected];[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, [email protected];[email protected]]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, [email protected];[email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log
To edit sendmail.conf file use for zimbra
vim /etc/fail2ban/action.d/sendmail.conf
The content as bellow
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
into
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
To restart fail2ban service
service fail2ban restart
The log error not installed fail2ban
2017-07-13 10:36:30,776 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:30,777 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=15
2017-07-13 10:36:53,229 INFO  [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:53,231 INFO  [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=3
2017-07-13 10:37:04,468 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:37:04,468 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=2
2017-07-13 10:37:13,388 INFO  [qtp509886383-111:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
The log error with zimbra mail server fail2ban
# fail2ban-client status
Status
|- Number of jail:    4
`- Jail list:    postfix, zimbra-account, zimbra-audit, zimbra-recipient

zimbra mail server security fail2ban

post new :

Huu Phan | Blog Linux operating system | Huu Phan ~ Zimbra Mail Server,linux,bash script,centos,linux command | www.huuphan.com