This article was inspired by an article by L. Mark Stone at this link: Zimbra-fail2ban-for-submission-only. I tried the guide and it worked. I then added several jails to my Fail2Ban configuration to block connections to the Zimbra webmail, SMTP and admin ports after several failed logins. Fail2Ban applies the bans with iptables.
Below is how to install and configure Fail2Ban for Zimbra. In this guide I use CentOS; adjust the python-pip package name and version if you are using another OS.
1. Install pip
yum install python3-pip
2. Install dependencies required by Fail2Ban
pip3 install pyinotify
pip3 install dnspython
3. Download and extract Fail2Ban
cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
4. Install Fail2Ban
tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install
5. Copy Fail2Ban service to systemd
cp files/fail2ban.service /usr/lib/systemd/system/
6. Adjust bin location on Fail2Ban service
vi /usr/lib/systemd/system/fail2ban.service
Adjust the following lines, changing /usr/bin to /usr/local/bin:
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload
RuntimeDirectory=fail2ban
Create the fail2ban runtime folder and make systemd recreate it at boot:
mkdir /var/run/fail2ban
vi /usr/lib/tmpfiles.d/var.conf
Add this line at the bottom
d /var/run/fail2ban 0755 - - -
Reload systemd
systemctl daemon-reload
7. Create zimbra.jail
vi /etc/fail2ban/jail.d/zimbra.local
Fill it with the following lines and save:
[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]
8. Create filters
– Zimbra Admin
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf
– Zimbra Webmail
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf
– Zimbra SMTP/SMTPS/Submission
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf
9. Ignore localhost and Zimbra IP
Open the file /etc/fail2ban/jail.conf, find the line “ignoreip =” and add the IP addresses that Fail2Ban should never ban. Separate multiple addresses with a comma or a space.
ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32
10. Enable and restart Fail2Ban
systemctl enable fail2ban
systemctl restart fail2ban
Additional configuration:
– The block type used by Fail2Ban is “REJECT --reject-with icmp-port-unreachable”. If you want to use DROP instead, open the file /etc/fail2ban/action.d/iptables-common.conf and change it to blocktype = DROP
11. Logging the Originating IP
In a multi-server environment, or any environment running a proxy, the mailboxd server may only log the IP of the connecting proxy. Zimbra has X-Originating-IP support for nginx or another fronting proxy. To use this feature you must define the trusted IPs of your internal nginx proxies, so that the mailstores capture the originating IP from the HTTP traffic instead. By default, zimbraMailTrustedIP is empty.
Run the following command to configure zimbraMailTrustedIP:
zmprov mcf +zimbraMailTrustedIP {IP of nginx-1} +zimbraMailTrustedIP {IP of nginx-2}
Example
zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP 10.11.12.13
Check the configuration, then restart the mailbox service:
zmprov gcf zimbraMailTrustedIP
zmmailboxdctl restart
Source : Logging_the_Originating_IP
12. Test regex
You can test a filter's regex against a log file by running this command:
fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf
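As an added example (not part of the original article or the fail2ban project), the script below re-creates in a few lines what the zimbra-submission jail from step 7 does with the ignoreip list of step 9: it applies the filter's failregex lines (including the port 25 line contributed in the comments) to constructed zimbra.log lines and reports which addresses would be banned under maxretry = 3 and findtime = 3600. It assumes 10.0.0.5 as a stand-in for IP-ADDRESS-OF-ZIMBRA and matches IPv4 only, where real fail2ban expands <HOST> more broadly.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# failregex of the zimbra-submission filter plus the port 25 line from the comments; <HOST> is fail2ban's placeholder
FAILREGEX = [
    r"postfix/submission/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
    r"postfix/smtps/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
    r"postfix/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
]
# IPv4-only stand-in for fail2ban's <HOST>, which also matches IPv6 and hostnames
PATTERNS = [re.compile(p.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")) for p in FAILREGEX]

# Jail values from zimbra.local; 10.0.0.5 is a constructed stand-in for IP-ADDRESS-OF-ZIMBRA
MAXRETRY, FINDTIME = 3, 3600
IGNOREIP = [ip_network("127.0.0.1/8", strict=False), ip_network("10.0.0.5/32")]

def match_host(line):
    """Return the address captured by the first matching failregex, or None."""
    m = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
    return m.group("host") if m else None

def simulate(events):
    """events: (epoch_seconds, log_line) in time order; returns hosts reaching MAXRETRY inside FINDTIME."""
    recent, banned = defaultdict(deque), set()
    for ts, line in events:
        host = match_host(line)
        if host is None or any(ip_address(host) in net for net in IGNOREIP):
            continue  # not a failure line, or an address on the ignoreip list
        q = recent[host]
        q.append(ts)
        while ts - q[0] > FINDTIME:  # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:
            banned.add(host)
    return banned

def sample_events():
    """Constructed zimbra.log lines in syslog format, not real traffic."""
    fail = "mail postfix/{}[{}]: warning: unknown[{}]: SASL LOGIN authentication failed: authentication failure"
    return [
        (0, "Jul 10 12:00:00 " + fail.format("submission/smtpd", 201, "198.51.100.4")),
        (5, "Jul 10 12:00:05 " + fail.format("smtpd", 202, "10.0.0.5")),
        (6, "Jul 10 12:00:06 " + fail.format("smtpd", 203, "10.0.0.5")),
        (7, "Jul 10 12:00:07 " + fail.format("smtpd", 204, "10.0.0.5")),
        (10, "Jul 10 12:00:10 " + fail.format("submission/smtpd", 205, "203.0.113.7")),
        (300, "Jul 10 12:05:00 " + fail.format("smtps/smtpd", 206, "203.0.113.7")),
        (600, "Jul 10 12:10:00 " + fail.format("smtpd", 207, "203.0.113.7")),
        (3700, "Jul 10 13:01:40 " + fail.format("submission/smtpd", 208, "198.51.100.4")),
        (7400, "Jul 10 14:03:20 " + fail.format("submission/smtpd", 209, "198.51.100.4")),
    ]
```

With this input only 203.0.113.7 is banned: the Zimbra IP is on the ignoreip list, and 198.51.100.4 never accumulates three failures inside a single findtime window.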
My Zimbra server is now protected by Fail2Ban. To see the IP addresses blocked by Fail2Ban, run the fail2ban-client command:
fail2ban-client status
To see the status of the zimbra-webmail jail, run:
fail2ban-client status zimbra-webmail
[root@mail ~]# fail2ban-client status zimbra-webmail
Status for the jail: zimbra-webmail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     11
|  `- File list:        /opt/zimbra/log/mailbox.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   123.xx.xx.xx
Good luck!
Hi;
I installed Fail2ban and it worked.
It does not work after restarting the system.
I am getting this error:
fail2ban.service – Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Fri 2020-07-10 12:49:55 +03; 1h 30min ago
Docs: man:fail2ban(1)
Process: 1817 ExecStart=/usr/local/bin/fail2ban-client -x start (code=exited, status=255)
Hi Hakan Gulnar,
Thank you for your report. It seems the fail2ban folder does not exist in the /var/run folder. Please run this command to solve your problem.
I have also updated the guidance in step 6.
Hi iman,
I got this error:
[root@mail fail2ban-0.9.4]# systemctl enable fail2ban
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service
[root@mail fail2ban-0.9.4]# systemctl restart fail2ban
Failed to restart fail2ban.service: Unit not found.
Hi AuxilianRaja,
Please make sure you have already configured steps 5 and 6.
Thanks Iman, now it's working.
Great work, thank you very much Iman!
I had to add a third line in /etc/fail2ban/filter.d/zimbra-submission.conf:
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
in order to match port 25-only attempts (logged as “postfix/smtpd” in my zimbra.log).
Again, awesome work!!
Hi Ale,
Glad to help and thank you for the additional line to block port 25.
Hello,
Thank you for this great article.
However, how do we apply this on a multiserver setup, especially in one where zimbra-proxy is being used (IMAP/admin/…)?
Thank you,
MK
Hi zm-admin,
Maybe you can create an NFS export of /opt/zimbra/log on all mailbox servers and mount it on the Zimbra proxy. Then create multiple jails.
You are the best, my friend! Thanks so much.
Hi,
Fail2ban does not start on my CentOS 7 server, with the following:
fail2ban.service – Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Fri 2020-09-18 15:03:32 +06; 8min ago
Docs: man:fail2ban(1)
Process: 5133 ExecStart=/usr/local/bin/fail2ban-client -x start (code=exited, status=255)
Main PID: 59229 (code=exited, status=0/SUCCESS)
Please help to solve it.
Thanks,
Hamid
Hi Hamid,
You can reconfigure steps 5 and 6.
Hi
Here is my issue:
fail2ban-client status zimbra-submission
Status for the jail: zimbra-submission
|- Filter
| |- Currently failed: 475
| |- Total failed: 697
| `- File list: /var/log/zimbra.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Please help
Hi Mas Ahmad,
I failed to run the commands in point 11, in this part:
# fail2ban-client status
dan
# fail2ban-client status zimbra-webmail
The error looks like this:
[root@mail ~]# fail2ban-client status
-bash: fail2ban-client: command not found
[root@mail ~]# fail2ban-client status zimbra-webmail
-bash: fail2ban-client: command not found
[root@mail ~]#
Only in this part did I fail to run it;
is there a solution for this?
Thank you.
Hi Mas Pizay,
The fail2ban-client file can be copied to the /usr/local/sbin folder from the Fail2ban zip file, Mas. Probably the file was not copied during the compile.
If someone has a problem where fail2ban works on the administration panel (port 7071) but does not work on webmail (port 443):
This will most likely be caused by a proxy.
The fix is very simple:
zmprov mcf +zimbraMailTrustedIP 192.168.1.2
zmmailboxdctl restart
Hi Marcin,
Thank you for the solution
Good job Iman
I was looking for some tuning for my fail2ban filter.
Thanks
Sorry Mas Iman, I want to ask: if I want to delete an IP that turned out to be a false alarm, i.e. a user who entered the wrong password repeatedly and finally got banned, how do I unban it?
Hi Mas Dede,
You can add it to the ignore list, Mas. Then restart the service.
Could you expand and show us how to use /opt/zimbra/common/sbin/sendmail to send the notifications to the admin that IP so-and-so is getting banned?
Thanks!
Hi Sanga Collins,
You can make a symlink from Zimbra's sendmail to /usr/sbin/sendmail.
The latest fail2ban version is 11.2. Will this guide work on the latest version too?
Hi Robin,
In my opinion, the latest Fail2ban will work.
Hi Mas Iman,
I need some information. If I previously set up fail2ban using this link:
https://www.excellent.co.id/product-services/zimbra/implementasi-fail2ban-untuk-meningkatkan-performa-keamanan-zimbra-mail-server-2/
and then want to change it to Mas Iman's configuration above, how do I do that, Mas?
Thank you
Hi Mas,
You can adjust the jail entries and the log filters, Mas.
Mas Iman, for the jail.conf contents, can I just copy and paste from yours, the one in: vi /etc/fail2ban/jail.d/zimbra.local ?
And which one is the log filter? Is it the one below? Can I also run these commands on my server, Mas?
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf
curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf
So I only need to run the 2 steps above, Mas? Please correct me if I'm wrong.
Thank you
Hi Mas,
It can be adapted to the existing configuration. Or you can also create it again from scratch.
Can fail2ban block an IP with repeated ActiveSync logins?
Hi,
You can add a regex for picking up ActiveSync activity in the log.
I'm having an IMAP attack that fail2ban can't stop.
Hi,
You can adjust the filter for the IMAP attack.
How can I remove an IP from the blacklist?
Hi Edrin,
You can use the unbanip command: “fail2ban-client set jail_name unbanip xxx.xxx.xxx.xxx”
Hi Iman
First of all, thank you for this beautiful and beautiful sharing.
fail2ban is trying to block my server's IP address for webmail.
How can I make it block the attacking source IP address for webmail?
Hi Kemal,
Please make sure you have already applied step 11, Logging the Originating IP.
Status for the jail: zimbra-smtp
|- Filter
| |- Currently failed: 303
| |- Total failed: 1101
| `- File list: /var/log/zimbra.log
`- Actions
|- Currently banned: 278
|- Total banned: 278
Status for the jail: zimbra-web
|- Filter
| |- Currently failed: 262
| |- Total failed: 708
| `- File list: /opt/zimbra/log/mailbox.log
`- Actions
|- Currently banned: 34
|- Total banned: 34
It has worked, but it seems the attacker keeps trying, and probably uses proxies so it never stops; this causes 2 email users to always get locked out and unable to log in.
Do you have any suggestions for dealing with this? Thank you.
Hi Mas,
You could try limiting access to Indonesian IPs only. The guide is on this blog; search for “Geoip”.
What about Ubuntu, Mas? On Ubuntu the firewall uses ufw, not iptables.
It still works. iptables is present on Ubuntu even though UFW is there.
Hi,
Thanks for the great tutorial. What if I install fail2ban with yum install fail2ban, and then configure it as you described from step 7 onwards?