February 20

Fail2Ban and Zimbra

After following several guides i faced an issue with the mail reporting.

Since sendmail provided by zimbra doesn’t work with the same parameters like the default sendmail i modified the mail function of Fail2Ban.

– I have enabled only notifications for Webmail/Webadmin login attemps

For Red Hat /CentOS you will need EPEL Repo

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm 

Change the logging facility, from syslog to a file


logtarget = /var/log/fail2ban.log

 

 

I have disabled SSH checks as I run also CSF

 

/etc/fail2ban/jail.conf


# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 100

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".
[sasl-iptables]

enabled = false
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail-whois[name=zimbra-account, dest=user@mail.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
findtime = 100

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail-whois[name=Zimbra-audit, dest=user@mail.com]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
findtime = 100

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
# sendmail[name=Zimbra-recipient, dest=user@mail.com]
logpath = /var/log/maillog
#findtime = 604800
#bantime = 172800
bantime = 600
maxretry = 5
findtime = 100

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
# sendmail-buffered[name=Postfix, dest=root]
logpath = /var/log/maillog
bantime = 600
maxretry = 5
findtime = 100

[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
sendmail[name=SASL, dest=root]
#logpath = /var/log/maillog
bantime = 600
maxretry = 5
findtime = 100

Create a file /etc/fail2ban/filter.d/zimbra


[Definition]

failregex = \[ip=;\] account - authentication failed for .* \(no such account\)$
\[ip=;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
\[ip=;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
;oip=;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*ip=;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
INFO .*ip=;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
# NOQUEUE: reject: RCPT from .*\[\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

 

Add also the file /etc/fail2ban/filder.d/sasl.conf


# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex=
# Author: Yaroslav Halchenko

 

 

Finally edit the  /etc/fail2ban/action.d/sendmail-whois.conf and replace the part actionban with


actionban = (echo "Subject:[Fail2Ban Alert]"; echo "The IP  has just been banned  after   attempts against   , `whois ` ") | /opt/zimbra/postfix/sbin/sendmail user@example.com

Tags: , ,

Copyright © 1998. All rights reserved.

Posted February 20, 2014 by RaNd in category "/etc/config

Select comment form

Loading Facebook Comments ...

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + twenty =