Zimbra mail server security with fail2ban
How to configure fail2ban to prevent brute-force attacks against Zimbra 8.6 on CentOS, and so improve the security of the Zimbra mail server. All commands below are run as the root account.
Contents:
- To install fail2ban
- To create the rules for the Zimbra jail.conf file
Related posts you may like:
- Zimbra custom SpamAssassin rules
- How to create auto Bcc for recipient mails for Zimbra 8.6
- How to add spam filters on Zimbra 8.6
- How to create auto Bcc for sender mails for Zimbra 8.6
- List accounts that have not logged in for the last x days in Zimbra
To install fail2ban
yum install fail2ban nano
To back up the files
cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
cp /etc/fail2ban/filter.d/zimbra.conf /etc/fail2ban/filter.d/zimbra.conf.backup
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
To create the zimbra.conf filter file
cat /etc/fail2ban/filter.d/zimbra.conf
The content is as below
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#           .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
To create the rules for the Zimbra jail.conf file
nano /etc/fail2ban/jail.conf
The content is as below
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
#ignoreip = 127.0.0.1/8 ip_public/32
ignoreip = 127.0.0.1/8 172.16.235.150/32
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /var/log/messages
maxretry = 5
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /var/log/zimbra.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
ignoreregex = for myuser from
logpath = /var/log/messages
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=huupv@mail.huuphan.local;huupv2@mail.huuphan.local]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5
#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log
To edit the sendmail.conf file used for Zimbra
vim /etc/fail2ban/action.d/sendmail.conf
Change the line
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
into
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
To restart the fail2ban service
service fail2ban restart
The log errors before fail2ban was installed
2017-07-13 10:36:30,776 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [huupv1@mail.huuphan.local], invalid password
The log errors with fail2ban on the Zimbra mail server
2017-07-13 10:36:30,777 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=15
2017-07-13 10:36:53,229 INFO [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [huupv1@mail.huuphan.local], invalid password
2017-07-13 10:36:53,231 INFO [qtp509886383-103:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=3
2017-07-13 10:37:04,468 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [huupv1@mail.huuphan.local], invalid password
2017-07-13 10:37:04,468 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] soap - AuthRequest elapsed=2
2017-07-13 10:37:13,388 INFO [qtp509886383-111:http://127.0.0.1:8080/service/soap/AuthRequest] [name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [huupv1@mail.huuphan.local], invalid password
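Before trusting the jails above, it is worth checking offline which log lines the zimbra.conf failregex rules actually match and when the maxretry/findtime/bantime values in jail.conf would produce a ban. The script below is an added example, not code from the original post or from fail2ban itself: it copies the six failregex lines and the <HOST> expansion from the filter file, applies them with Python's re module the way fail2ban does, and then replays the matches through a simplified model of a jail. The mailbox.log line is copied from the excerpt above; the audit.log-style lines and the postfix NOQUEUE line are constructed to fit the third and sixth rules (172.16.235.1 reuses the post's client address, 203.0.113.7 is a documentation address) and are not captured Zimbra output.

```python
"""Offline check of the zimbra.conf failregex rules and the jail thresholds.

Added example, not from the original post or from fail2ban.  It re-implements
only what is needed to see (1) which lines the filter matches and which host it
extracts, and (2) when a jail with the given maxretry/findtime/bantime bans it.
"""
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to this pattern (quoted in the filter's own comments).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from /etc/fail2ban/filter.d/zimbra.conf above.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# One mailbox.log line copied from the post's log excerpt.
MAILBOX_LINE = (
    "2017-07-13 10:36:30,776 INFO [qtp509886383-101:http://127.0.0.1:8080/service/soap/AuthRequest] "
    "[name=huupv1@mail.huuphan.local;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] "
    "SoapEngine - handler exception: authentication failed for [huupv1@mail.huuphan.local], invalid password"
)

# Constructed audit.log-style lines (not captured Zimbra output), written to fit
# the third failregex; same client IP and timestamps as the post's excerpt.
def _audit_line(ts):
    return (
        f"{ts} INFO [qtp509886383-101:https://mail.huuphan.local/service/soap/AuthRequest] "
        "[ip=172.16.235.1;oip=172.16.235.1;ua=zclient/8.6.0_GA_1153;] security - cmd=Auth; "
        "account=huupv1@mail.huuphan.local; protocol=soap; "
        "error=authentication failed for [huupv1@mail.huuphan.local], invalid password;"
    )

AUDIT_LINES = [_audit_line(t) for t in (
    "2017-07-13 10:36:30,776", "2017-07-13 10:36:53,229", "2017-07-13 10:37:04,468",
    "2017-07-13 10:37:13,388", "2017-07-13 10:38:02,010",
)]

# Constructed postfix line in /var/log/zimbra.log syslog format (203.0.113.7 is a
# documentation address), written to fit the NOQUEUE failregex.
POSTFIX_LINE = (
    "Jul 13 10:40:01 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.1.1 <nobody@mail.huuphan.local>: Recipient address rejected: User unknown in virtual "
    "mailbox table; from=<spam@example.invalid> to=<nobody@mail.huuphan.local> proto=ESMTP"
)

SAMPLE_LOG = [MAILBOX_LINE] + AUDIT_LINES + [POSTFIX_LINE]


def match_line(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line.rstrip("\n"))
        if m:
            return m.group("host")
    return None


def parse_time(line, year=2017):
    """Recover the timestamp from a Zimbra (ISO-like) or syslog-style line."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    m = re.match(r"([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d)", line)
    if m:
        return datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
    raise ValueError("unrecognised timestamp in: " + line[:40])


def simulate_jail(lines, maxretry=5, findtime=600, bantime=600):
    """Return {host: ban_time} for hosts that reach maxretry matches within findtime.

    Simplified model of a jail.conf jail: each matching line is one failure, the
    host is banned the moment its maxretry-th failure inside the last findtime
    seconds arrives, and lines from a host still inside bantime are ignored.
    """
    failures = {}   # host -> timestamps of failures still inside the window
    banned = {}     # host -> time the ban was issued
    for line in lines:
        host = match_line(line)
        if host is None:
            continue
        now = parse_time(line)
        if host in banned and now < banned[host] + timedelta(seconds=bantime):
            continue
        window = [t for t in failures.get(host, []) if now - t <= timedelta(seconds=findtime)]
        window.append(now)
        failures[host] = window
        if len(window) >= maxretry:
            banned[host] = now
            failures[host] = []
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:70])
    print(simulate_jail(SAMPLE_LOG, maxretry=5, findtime=600, bantime=600))
```

Run as-is, the script shows that the mailbox.log line quoted in this post matches none of the six rules (it carries `[name=...;oip=...]` and a "SoapEngine - handler exception" message, while the rules expect `[oip=` or a "security - cmd=Auth" line), whereas the audit.log form of the same failure matches the third rule and the fifth failure from 172.16.235.1 inside 600 seconds triggers the ban with the zimbra-audit jail's maxretry = 5. On the server the equivalent check against a real log is `fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf`.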
# fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: postfix, zimbra-account, zimbra-audit, zimbra-recipient