How to Install and Configure Fail2Ban for Zimbra

This article was inspired by an article by L. Mark Stone at this link: Zimbra-fail2ban-for-submission-only. I tried the guide and it worked. I then added several more Fail2Ban configurations to block connections to the Zimbra webmail, SMTP and admin ports after several failed logins, using iptables as the ban action.

Below is how to install and configure Fail2Ban for Zimbra. This guide uses CentOS; adjust the python-pip package name and version if you use another OS.

1. Install pip

yum install python3-pip

2. Install dependencies required by Fail2Ban

pip3 install pyinotify
pip3 install dnspython

3. Download and extract Fail2Ban

cd /tmp/
wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz

4. Install Fail2Ban

tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 setup.py install

5. Copy Fail2Ban service to systemd

cp files/fail2ban.service /usr/lib/systemd/system/

6. Adjust bin location on Fail2Ban service

vi /usr/lib/systemd/system/fail2ban.service

Adjust the following lines, changing /usr/bin to /usr/local/bin:

ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload

Create fail2ban folder

mkdir /var/run/fail2ban
vi /usr/lib/tmpfiles.d/var.conf

Add this line at the bottom

d /var/run/fail2ban 0755 - - -

Reload systemd

systemctl daemon-reload
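Before moving on to the jail configuration, it is worth checking that steps 4 to 6 actually took effect, because the comments on this page show the same three failures again and again: Exec* lines still pointing at /usr/bin, a fail2ban-client that was never installed, and a missing /var/run/fail2ban. The following pre-flight check is an added example, not part of the original article or of the fail2ban project. The `root` parameter and the `demo()` fixture are hypothetical additions so the same checks can be exercised against a throwaway directory; on a real server call `check_install()` with the default root.

```python
"""Added example, not from the original article or from the fail2ban project:
a pre-flight check for the manual install in steps 4-6. The `root` parameter
is an assumption of this example: it lets the checks run against a scratch
directory instead of the live system."""
import os
import re
import tempfile

UNIT_FILE = "usr/lib/systemd/system/fail2ban.service"
CLIENT_BIN = "usr/local/bin/fail2ban-client"
RUN_DIR = "var/run/fail2ban"
TMPFILES_CONF = "usr/lib/tmpfiles.d/var.conf"

EXEC_LINE = re.compile(r"^Exec(Start|Stop|Reload)=(\S+)")
TMPFILES_LINE = re.compile(r"^d\s+/var/run/fail2ban\s")


def check_install(root="/"):
    """Return {check_name: bool} for the four things that make the unit fail to start."""
    results = {}

    # Step 6: every Exec* line must call the /usr/local/bin binary that setup.py installed.
    unit = os.path.join(root, UNIT_FILE)
    exec_ok = False
    if os.path.isfile(unit):
        with open(unit) as fh:
            targets = [m.group(2) for m in map(EXEC_LINE.match, fh) if m]
        exec_ok = bool(targets) and all(t.startswith("/usr/local/bin/") for t in targets)
    results["unit_exec_paths"] = exec_ok

    # The binary the unit calls has to exist and be executable ("command not found" otherwise).
    results["client_binary"] = os.access(os.path.join(root, CLIENT_BIN), os.X_OK)

    # Step 6 again: the socket/pid directory, plus the tmpfiles.d entry that recreates it on boot.
    results["run_dir"] = os.path.isdir(os.path.join(root, RUN_DIR))
    tmpfiles = os.path.join(root, TMPFILES_CONF)
    tmp_ok = False
    if os.path.isfile(tmpfiles):
        with open(tmpfiles) as fh:
            tmp_ok = any(TMPFILES_LINE.match(line) for line in fh)
    results["tmpfiles_entry"] = tmp_ok
    return results


def _write(root, rel, content, mode=0o644):
    """Write a file below root, creating parent directories (fixture helper for demo())."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo():
    """Constructed fixture: a layout as it looks right after step 5, then after step 6."""
    with tempfile.TemporaryDirectory() as root:
        # Unit file as copied from files/fail2ban.service: still /usr/bin, no run dir, no client.
        _write(root, UNIT_FILE, "[Service]\nExecStart=/usr/bin/fail2ban-client -x start\n"
                                "ExecStop=/usr/bin/fail2ban-client stop\n")
        before = check_install(root)

        # Apply the fixes from the article.
        _write(root, UNIT_FILE, "[Service]\nExecStart=/usr/local/bin/fail2ban-client -x start\n"
                                "ExecStop=/usr/local/bin/fail2ban-client stop\n"
                                "ExecReload=/usr/local/bin/fail2ban-client reload\n")
        _write(root, CLIENT_BIN, "#!/usr/bin/env python3\n", mode=0o755)  # stand-in for the real client
        os.makedirs(os.path.join(root, RUN_DIR))
        _write(root, TMPFILES_CONF, "d /var/run/fail2ban 0755 - - -\n")
        after = check_install(root)
    return before, after


if __name__ == "__main__":
    for name, ok in check_install().items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

Run it on the server after step 6; every line should read OK before you enable the unit. The tmpfiles.d check matters more than it looks: the directory created by hand in /var/run lives on a tmpfs and disappears at the next reboot, which is exactly the "worked until I restarted the system" symptom reported below.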

7. Create zimbra.jail

vi /etc/fail2ban/jail.d/zimbra.local

Fill with the following lines and save

[zimbra-submission]
enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

[zimbra-admin]
enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]

8. Create filters
– Zimbra Admin

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf > /etc/fail2ban/filter.d/zimbra-admin.conf

– Zimbra Webmail

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf > /etc/fail2ban/filter.d/zimbra-webmail.conf

– Zimbra SMTP/SMTPS/Submission

curl -k https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf > /etc/fail2ban/filter.d/zimbra-submission.conf

9. Ignore localhost and Zimbra IP

Open /etc/fail2ban/jail.conf, find the line “ignoreip =” and add the IP addresses that Fail2Ban should never ban. Separate multiple addresses with a comma or a space.

ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32

10. Enable and restart Fail2Ban

systemctl enable fail2ban
systemctl restart fail2ban

Additional configuration:

– The block type used by Fail2Ban is “REJECT --reject-with icmp-port-unreachable”. If you want to use DROP instead, open /etc/fail2ban/action.d/iptables-common.conf and change it to blocktype = DROP

11. Test regex

You can test a filter's regex against a log file with this command:

fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf
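fail2ban-regex only tells you whether lines match; it does not show how the jail settings from step 7 and the ignoreip list from step 9 turn those matches into a ban. The replay below is an added example, not code from the original article or from the fail2ban project. It uses the three zimbra-submission failregex lines quoted in the comments, with two assumptions: fail2ban's `<HOST>` placeholder is expanded to a plain IPv4 capture group (the real one also matches hostnames and IPv6), and the syslog timestamps, which carry no year, are taken to be 2020. The log lines are constructed.

```python
"""Added example, not from the original article or from the fail2ban project:
a replay of what the [zimbra-submission] jail does with constructed
zimbra.log lines: failregex matching (step 11), the maxretry/findtime/bantime
arithmetic (step 7) and the ignoreip exemption (step 9)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings, as in the [zimbra-submission] section of zimbra.local.
MAXRETRY = 3
FINDTIME = 3600    # seconds
BANTIME = 36000    # seconds
# Constructed ignoreip list: loopback plus the Zimbra server's own address.
IGNOREIP = ["127.0.0.1/8", "198.51.100.10/32"]

# The three failregex lines from the comments; <HOST> expanded to IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TAIL = r"\]: SASL \w+ authentication failed: authentication failure$"
FAILREGEX = [
    r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[" + HOST + TAIL,
    r"postfix\/smtps\/smtpd\[\d+\]: warning: .*\[" + HOST + TAIL,
    r"postfix\/smtpd\[\d+\]: warning: .*\[" + HOST + TAIL,
]
COMPILED = [re.compile(p) for p in FAILREGEX]
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed log: three quick failures from one host, three from the server's own IP (exempt),
# one unrelated line, and three failures from a host spread over more than findtime.
SAMPLE_LOG = """\
Jul 10 12:40:01 mail postfix/submission/smtpd[1817]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:40:07 mail postfix/submission/smtpd[1817]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Jul 10 12:40:09 mail postfix/smtpd[1820]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:41:00 mail postfix/smtps/smtpd[1822]: warning: unknown[198.51.100.10]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:41:01 mail postfix/smtps/smtpd[1822]: warning: unknown[198.51.100.10]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:41:02 mail postfix/smtps/smtpd[1822]: warning: unknown[198.51.100.10]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:42:00 mail postfix/submission/smtpd[1830]: warning: unknown[192.0.2.7]: SASL LOGIN authentication failed: authentication failure
Jul 10 12:43:00 mail postfix/submission/smtpd[1850]: connect from unknown[192.0.2.99]
Jul 10 14:30:00 mail postfix/submission/smtpd[1840]: warning: unknown[192.0.2.7]: SASL LOGIN authentication failed: authentication failure
Jul 10 14:30:05 mail postfix/submission/smtpd[1840]: warning: unknown[192.0.2.7]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def parse_failure(line):
    """Return (timestamp, host) when a line matches a failregex, else None."""
    ts_match = SYSLOG_TS.match(line)
    if not ts_match:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            # syslog omits the year; 2020 is assumed for this example
            ts = datetime.strptime(ts_match.group("ts"), "%b %d %H:%M:%S").replace(year=2020)
            return ts, m.group("host")
    return None


def is_ignored(host):
    """ignoreip semantics: an address inside any listed network is never banned."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def summarize(lines):
    """What fail2ban-regex reports: matches per host, before ignoreip or maxretry apply."""
    counts = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts


def evaluate_jail(lines):
    """Replay the log; return {host: ban_expiry} for hosts with MAXRETRY failures inside FINDTIME."""
    recent = {}   # host -> failure timestamps still inside the findtime window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host) or host in bans:
            continue
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:
            bans[host] = ts + timedelta(seconds=BANTIME)
    return bans


if __name__ == "__main__":
    print("matches per host:", summarize(SAMPLE_LOG))
    for host, until in evaluate_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {until:%b %d %H:%M:%S}")
```

Only 203.0.113.45 ends up banned: the server's own address matches the filter three times but is covered by ignoreip, and 192.0.2.7 also fails three times but its first failure falls outside the 3600-second findtime window, so the counter never reaches maxretry. That is the difference between the "Total failed" and "Currently banned" numbers in the fail2ban-client status output further down.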

My Zimbra now uses Fail2Ban. To see the IP addresses blocked by Fail2Ban, run the fail2ban-client command:

fail2ban-client status

To see the zimbra-webmail jail, run:

fail2ban-client status zimbra-webmail
[root@mail ~]# fail2ban-client status zimbra-webmail
Status for the jail: zimbra-webmail
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	11
|  `- File list:	/opt/zimbra/log/mailbox.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	123.xx.xx.xx

Good luck 🙂

18 comments

  1. Hi,

    I installed Fail2ban and it worked.
    It does not work after restarting the system.
    I am getting this error:
    fail2ban.service – Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
    Active: failed (Result: start-limit) since Fri 2020-07-10 12:49:55 +03; 1h 30min ago
    Docs: man:fail2ban(1)
    Process: 1817 ExecStart=/usr/local/bin/fail2ban-client -x start (code=exited, status=255)

    1. Hi Hakan Gulnar,
      Thank you for your report. It seems the fail2ban folder does not exist in the /var/run folder. Please run this command to solve your problem:

      mkdir /var/run/fail2ban

      I have also updated the guidance in step 6.

  2. Hi Iman,
    I got this error:
    [root@mail fail2ban-0.9.4]# systemctl enable fail2ban
    Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service

    [root@mail fail2ban-0.9.4]# systemctl restart fail2ban
    Failed to restart fail2ban.service: Unit not found.

  3. Great work, thank you very much Iman!

    I had to add a third line in /etc/fail2ban/filter.d/zimbra-submission.conf

    failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
                postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
                postfix\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$

    in order to match port 25 only attempts (logged as “postfix/smtpd” on my zimbra.log)

    Again, awesome work!!

  4. Hello,
    Thank you for this great article.
    However, how do we apply this on a multiserver setup, especially in one where zimbra-proxy is being used (IMAP/admin/…)?
    Thank you,
    MK

  5. Hi,

    Fail2ban does not start on my CentOS 7 server; it shows the following:

    fail2ban.service – Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
    Active: failed (Result: start-limit) since Fri 2020-09-18 15:03:32 +06; 8min ago
    Docs: man:fail2ban(1)
    Process: 5133 ExecStart=/usr/local/bin/fail2ban-client -x start (code=exited, status=255)
    Main PID: 59229 (code=exited, status=0/SUCCESS)

    Please help to solve it.

    Thanks,
    Hamid

  6. Hi

    Here is my issue:

    fail2ban-client status zimbra-submission
    Status for the jail: zimbra-submission
    |- Filter
    | |- Currently failed: 475
    | |- Total failed: 697
    | `- File list: /var/log/zimbra.log
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:

    Please help

  7. Hi Mas Ahmad,

    I failed to run the commands in step 11, in the part:
    # fail2ban-client status
    and
    # fail2ban-client status zimbra-webmail

    The error looks like this:
    [root@mail ~]# fail2ban-client status
    -bash: fail2ban-client: command not found
    [root@mail ~]# fail2ban-client status zimbra-webmail
    -bash: fail2ban-client: command not found
    [root@mail ~]#

    This is the only part I could not run;
    is there a solution for this?

    Thank you.

    1. Hi Mas Pizay,
      The fail2ban-client file can be copied into the /usr/local/sbin folder from the Fail2ban zip file, Mas. Most likely the file was not copied when compiling.

  8. If someone has the problem that fail2ban works on the administration panel (port 7071) but not on webmail (port 443),
    this will most likely be caused by a proxy.
    The fix is very simple:
    zmprov mcf +zimbraMailTrustedIP 192.168.1.2
    zmmailboxdctl restart
