Fail2Ban and Zimbra
After following several guides i faced an issue with the mail reporting.
Since sendmail provided by zimbra doesn’t work with the same parameters like the default sendmail i modified the mail function of Fail2Ban.
– I have enabled only notifications for Webmail/Webadmin login attemps
For Red Hat /CentOS you will need EPEL Repo
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Change the logging facility, from syslog to a file
logtarget = /var/log/fail2ban.log
I have disabled SSH checks as I run also CSF
/etc/fail2ban/jail.conf
# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 100
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = false
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected]]
logpath = /var/log/mail.log
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail-whois[name=zimbra-account, [email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
findtime = 100
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail-whois[name=Zimbra-audit, [email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
findtime = 100
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
# sendmail[name=Zimbra-recipient, [email protected]]
logpath = /var/log/maillog
#findtime = 604800
#bantime = 172800
bantime = 600
maxretry = 5
findtime = 100
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
# sendmail-buffered[name=Postfix, dest=root]
logpath = /var/log/maillog
bantime = 600
maxretry = 5
findtime = 100
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
sendmail[name=SASL, dest=root]
#logpath = /var/log/maillog
bantime = 600
maxretry = 5
findtime = 100
Create a file /etc/fail2ban/filter.d/zimbra
[Definition]
failregex = \[ip=;\] account - authentication failed for .* \(no such account\)$
\[ip=;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
\[ip=;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
;oip=;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*ip=;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
INFO .*ip=;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
# NOQUEUE: reject: RCPT from .*\[\]: 550 5.1.1 .*: Recipient address rejected:
# .*\[ip=;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Add also the file /etc/fail2ban/filder.d/sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex=
# Author: Yaroslav Halchenko
Finally edit the /etc/fail2ban/action.d/sendmail-whois.conf and replace the part actionban with
actionban = (echo "Subject:[Fail2Ban Alert]"; echo "The IP has just been banned after attempts against , `whois ` ") | /opt/zimbra/postfix/sbin/sendmail [email protected]
Select comment form