zimbra mail server security fail2ban

-
zimbra mail server security with fail2ban. How to configure fail2ban for prevent "brute force attack" zimbra 8.6 on centos. How to improve zimbra mail server security with fail2ban . I'm running commands as root account.
Links to below you maybe likes:
zimbra mail server security fail2ban





To install fail2ban
yum install fail2ban nano
To backup file
cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
cp /etc/fail2ban/filter.d/zimbra.conf /etc/fail2ban/filter.d/zimbra.conf.backup
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
To create zimbra.conf file
cat /etc/fail2ban/filter.d/zimbra.conf
The content as below
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

To create the rules for Zimbra jail.conf  file
nano /etc/fail2ban/jail.conf file
The content as bellow
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
## The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = 127.0.0.1/8 ip_public/32
ignoreip = 127.0.0.1/8 172.16.235.150/32
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected];[email protected]]
logpath = /var/log/messages
maxretry = 5

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected];[email protected]]
logpath = /var/log/zimbra.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, [email protected];[email protected]]
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, [email protected];[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, [email protected];[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, [email protected];[email protected]]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, [email protected];[email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log
To edit sendmail.conf file use for zimbra
vim /etc/fail2ban/action.d/sendmail.conf
The content as bellow
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
into
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
To restart fail2ban service
service fail2ban restart
The log error not installed fail2ban
2017-07-13 10:36:30,776 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:30,777 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=15
2017-07-13 10:36:53,229 INFO  [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:36:53,231 INFO  [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=3
2017-07-13 10:37:04,468 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
2017-07-13 10:37:04,468 INFO  [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=2
2017-07-13 10:37:13,388 INFO  [qtp509886383-111:http://127.0.0.1:8080/service/soap/AuthRequest] [[email protected];oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [[email protected]], invalid password
The log error with zimbra mail server fail2ban
# fail2ban-client status
Status
|- Number of jail:    4
`- Jail list:    postfix, zimbra-account, zimbra-audit, zimbra-recipient

zimbra mail server security fail2ban

Comments

Post a Comment

Popular posts from this blog

zimbra some services are not running [Solve problem]

-
Image
How to solved zimbra some services are not running. That after, to installed zimbra mail server. The display a some admin console status red in environment multiple server ( zimbra ldap, zimbra mailbox, zimbra mta etc.). Link to below you maybe likes: How to install and configure zimbra multi server.   How to restrict to user sending mail on zimbra 8.6. How to Restrict Sending to Distribution list in zimbra mail. How to change last login time for all accounts in zimbra ldap. How to zimbra reject authenticated sender login mismatch. Error zimbra some services are not running as bellow Step by step guide the solve problem zimbra some services are not running the following: To restart and enable cron service the permanently. service crond restart chkconfig crond on Opening rsyslog.conf file and uncomment the following. vim /etc/rsyslog.conf Uncomment these two lines $modload imupd $UDPServerRun514   To restart and enable rsyslog service the permanently. servic
Read more

How to install and configure zimbra multi server

-
Image
In small system, to install zimbra All-in-one in single server mail .In medium and large system zimbra mail server, to install and configure multi server (the more ldap, mta , mailbox install in server separate). in this my post, the tutorial install and configure zimbra multi server and   use demo zimbra 8.6  Let's go! My Lab: Zimbra ldap Hostname: ldap.huuphan.local ip address: 192.168.131.11 Zimbra MTA Hostname: mta.huuphan.local ip address: 192.168.131.12 Zimbra Mailbox Hostname: mailbox.huuphan.local ip address: 192.168.131.13 Zimbra Proxy Hostname: proxy.huuphan.local ip address: 192.168.131.14 The requirement zimbra mail server *The DNS  mx records point to zimbra mail server to recive mail from internet. A records to resolve hostnames. *Firewall allow to ports of zimbra or disable firewall the example use to iptable. *Note: In this my post, using dns bind the external server for zimbra mail server.  How To Install the BIND DNS Ser
Read more

Bash script list all IP addresses connected to Server

-
Image
Running to bash script list all IP addresses connected to Server ./studyscript.sh  >/dev/null 2>&1 The bash script list all IP addresses connected to Server #!/bin/bash rm -f /tmp/list_IP rm -f /tmp/list_IPP rm -f /tmp/list_IPdone netstat -ntu | grep ESTA | awk -F: '{ print $2 }' | sed -r 's/^.{12}//' |sed 's/:/\n/g' | sed '/^\s*$/d'| sort > /tmp/list_IP #sleep 10 while read -r p do  curl ipinfo.io/$p done < /tmp/list_IP >/tmp/list_IPP cat /tmp/list_IPP | egrep "ip|country" |sed '$!N;s/\n/ /' |sed -r 's/^.{9}//' |sed 's/"country": "//' |sed 's/",//g' >> /tmp/list_IPdone echo "-----IP------  --country--" >> /tmp/list_IPdone Note the bash script list all IP addresses connected to Server sed 's/:/\n/g' Delete duplicate lines sed '/^\s*$/d' Delete empty lines sed '$!N;s/\n/ /' How to merge every two lines in
Read more