
Tips : Improving Zimbra Mail Server Security with Fail2Ban

October 21, 2011

The Zimbra mail server has its own anti-spam add-on based on SpamAssassin and an anti-virus add-on based on ClamAV to block incoming and outgoing malicious mail. The default add-ons perform quite well when configured properly, but if you want to increase the security of the Zimbra mail server further, Fail2ban is an additional tool worth considering.

What is Fail2Ban

Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).

Fail2ban operates by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

Here is a guide to improving the security of a Zimbra mail server with Fail2Ban :

  1. Install Fail2Ban and IPtables. If you are using the Minimal Server Appliance, both Fail2ban and IPtables are already installed on the appliance. To install them manually, run the following commands with root permission :
    zypper ar http://download.opensuse.org/repositories/security/SLE_11/ fail2ban
    zypper in fail2ban
  2. Create a new file /etc/fail2ban/filter.d/zimbra.conf. This file contains the regular expressions used to parse the Zimbra logs; when a line matches several times within the specified time interval, the ban is triggered. Contents of /etc/fail2ban/filter.d/zimbra.conf :
    # Fail2Ban configuration file
    #
    # Author: 
    #
    # $Revision: 1 $
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
    
    # .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
    # 
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
  3. Create/edit /etc/fail2ban/jail.conf with the following contents :
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 747 $
    #
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 202.43.115.188/32
    # "bantime" is the number of seconds that a host is banned.
    bantime = 600
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
    # is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto: will choose Gamin if available and polling otherwise.
    backend = auto
    
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    
    [ssh-iptables]
    
    enabled = false
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=zeze@vavai.com, sender=fail2ban@excellent.co.id]
    logpath = /var/log/messages
    maxretry = 5
    
    # This jail forces the backend to "polling".
    
    [sasl-iptables]
    
    enabled = false
    filter = sasl
    backend = polling
    action = iptables[name=sasl, port=smtp, protocol=tcp]
             sendmail-whois[name=sasl, dest=support@excellent.co.id]
    logpath = /var/log/zimbra.log
    
    # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
    # used to avoid banning the user "myuser".
    
    [ssh-tcpwrapper]
    
    enabled = false
    filter = sshd
    action = hostsdeny
             sendmail-whois[name=SSH, dest=support@excellent.co.id]
    ignoreregex = for myuser from
    logpath = /var/log/messages
    
    # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
    # option is overridden in this jail. Moreover, the action "mail-whois" defines
    # the variable "name" which contains a comma using "". The characters '' are
    # valid too.
    
    [zimbra-account]
    enabled = true
    filter = zimbra
    action = iptables-allports[name=zimbra-account]
             sendmail[name=zimbra-account, dest=support@excellent.co.id]
    logpath = /opt/zimbra/log/mailbox.log
    bantime = 600
    maxretry = 5
    
    [zimbra-audit]
    enabled = true
    filter = zimbra
    action = iptables-allports[name=zimbra-audit]
             sendmail[name=Zimbra-audit, dest=support@excellent.co.id]
    logpath = /opt/zimbra/log/audit.log
    bantime = 600
    maxretry = 5
    
    [zimbra-recipient]
    enabled = true
    filter = zimbra
    action = iptables-allports[name=zimbra-recipient]
             sendmail[name=Zimbra-recipient, dest=support@excellent.co.id]
    logpath = /var/log/zimbra.log
    #findtime = 604800
    bantime = 172800
    maxretry = 5
    
    [postfix]
    enabled = true
    filter = postfix
    action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
             sendmail-buffered[name=Postfix, dest=support@excellent.co.id]
    logpath = /var/log/zimbra.log
    bantime = -1
    maxretry = 5
    
    #[sasl]
    #enabled = true
    #port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    #filter = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    #logpath = /var/log/zimbra.log

    jail.conf holds the paths of the log files to be checked and the e-mail address that receives the ban notifications. Do not forget to fill in the ignoreip parameter so that Fail2Ban does not ban hosts on your internal network.

  4. Edit the file /etc/fail2ban/action.d/sendmail.conf and change the line :
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

    into

    Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
  5. Restart the Fail2Ban service :
    service fail2ban restart

Fail2Ban will send a notification e-mail to the specified address whenever it finds an intrusion attempt that matches a Fail2Ban rule. An IP address is banned instantly once it has matched the rules the configured number of times within the predefined time interval. We can also modify jail.conf or write additional regular expressions to check other logs.
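To see how the filter from step 2 and the thresholds from step 3 fit together, here is an added example that is not part of the original post: a small Python re-implementation of the matching and counting Fail2Ban performs. It expands the <HOST> alias exactly as the filter header documents it, runs the six failregex lines over constructed sample log lines (the addresses, account names and lines are made up for this example), and then applies the jail's ignoreip, findtime and maxretry settings to decide which addresses would be banned. One simplification is assumed: timestamps are supplied as seconds next to each sample line, because Fail2Ban parses them from the log itself and this example does not.

```python
import ipaddress
import re
from collections import defaultdict

# <HOST> alias exactly as documented in the filter header above (Fail2Ban 0.8 form).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines from /etc/fail2ban/filter.d/zimbra.conf as given in step 2.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

# Jail settings taken from the [DEFAULT] and [zimbra-account] sections in step 3.
IGNOREIP = ["127.0.0.1/8", "202.43.115.188/32"]
FINDTIME = 600
MAXRETRY = 5


def compile_filter(patterns):
    """Substitute the <HOST> alias and compile each failregex, as Fail2Ban does."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_host(compiled, line):
    """Return the address captured by the first matching failregex, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def evaluate(events, compiled, ignoreip=IGNOREIP, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay (timestamp, line) events through the jail logic.

    Returns (banned, ignored): hosts that reached maxretry failures inside one
    findtime window, and hosts that matched a failregex but fall under ignoreip.
    """
    ignored_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(list)      # host -> timestamps of recent failures
    banned, ignored = [], set()
    for ts, line in sorted(events, key=lambda e: e[0]):
        host = match_host(compiled, line)
        if host is None:
            continue                  # not a failure line
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                  # hostname: Fail2Ban would resolve it, skipped here
        if any(addr in net for net in ignored_nets):
            ignored.add(host)         # never banned, whatever the count
            continue
        if host in banned:
            continue
        window = [t for t in failures[host] if ts - t <= findtime] + [ts]
        failures[host] = window       # failures older than findtime are forgotten
        if len(window) >= maxretry:
            banned.append(host)
    return banned, sorted(ignored)


def soap_invalid_password(ts, oip, user):
    """Constructed mailbox.log line in the shape the third failregex matches."""
    return (ts, "2011-10-21 10:00:00,000 INFO [qtp-1:https://mail.example.com/service/soap/AuthRequest] "
                f"[name={user};oip={oip};ua=zclient/7.1.2;] security - cmd=Auth; account={user}; "
                f"protocol=soap; error=authentication failed for [{user}], invalid password;")


# Constructed sample log lines; the timestamp (seconds) is given next to each line.
SAMPLE_EVENTS = [
    # five bad passwords from one address within 400 s: reaches maxretry inside findtime
    *[soap_invalid_password(t, "198.51.100.7", "alice@example.com") for t in (0, 100, 200, 300, 400)],
    # five bad passwords spread over 800 s: never five inside one 600 s window
    *[soap_invalid_password(t, "203.0.113.50", "alice@example.com") for t in (0, 200, 400, 600, 800)],
    # POP3 login to a non-existent account (first failregex)
    (5, "2011-10-21 10:00:05,456 INFO [Pop3Server-3] [ip=203.0.113.9;] account - "
        "authentication failed for bob (no such account)"),
    # Postfix recipient rejection from the same address (last failregex)
    (9, "Oct 21 10:00:09 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: "
        "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; "
        "from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<x>"),
    # six failures reported with the loopback address (e.g. via the local proxy): covered by ignoreip
    *[(t, "2011-10-21 10:00:00,000 INFO [ImapServer-7] [ip=127.0.0.1;] account - "
          "authentication failed for dave (no such account)") for t in range(1, 7)],
    # a successful login that must not match any failregex
    (12, "2011-10-21 10:00:12,000 INFO [qtp-2] [name=carol@example.com;oip=192.0.2.10;] "
         "security - cmd=Auth; account=carol@example.com; protocol=soap;"),
]


def run_zimbra_jail(events=SAMPLE_EVENTS):
    """Run the sample through the zimbra filter with the jail's own thresholds."""
    return evaluate(events, compile_filter(FAILREGEX))


if __name__ == "__main__":
    banned, ignored = run_zimbra_jail()
    print("would ban:", banned)              # ['198.51.100.7']
    print("ignored by ignoreip:", ignored)   # ['127.0.0.1']
```

The replay shows the two properties an administrator relies on: five failures within findtime ban an address, while the same five failures spread over a longer period never do, and a matching line whose address falls under ignoreip is counted as ignored rather than banned, which is why the ignoreip list must cover the proxy or loopback addresses that Zimbra may report in the ip= field. Against a real log, the tool shipped with Fail2Ban does this check directly: fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf reports which lines each failregex matched.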

Below is a screenshot of a notification e-mail from Fail2Ban:

Fail2Ban is quite powerful and can be used to counter this kind of brute-force attack, both on e-mail and on other server services such as web servers, FTP servers, database servers and others.


Masim "Vavai" Sugianto
Traveller, Open Source Enthusiast & Book Lover. Works as Independent Worker & Self-Employer.

14 Comments


Mal Hira
May 28, 2015 at 17:53

Hi!

One more regexp for zimbra.conf in case of external LDAP auth

;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, external LDAP auth failed, LDAP error: - unable to ldap authenticate: invalid credentials$



    Mal Hira
    May 28, 2015 at 17:57

    and

    ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .*, external LDAP auth failed, LDAP error: - unable to ldap authenticate: invalid credentials$

    (4 audit)

Mal Hira
May 28, 2015 at 18:14

error

;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .*, external LDAP auth failed, LDAP error: - unable to ldap authenticate: invalid credentials;$



Zimbra Improvement : Restricted Sender/Sender Must Login on Zimbra 8 | Spirit Of Change
December 6, 2015 at 19:21

[…] As a powerful mail server, Zimbra has some system security features applied by default. We can also apply some additional security policies to increase mail server protection, such as PolicyD and Fail2Ban […]



scott
January 18, 2016 at 20:46

This is wrong: if you use this with 8.6+ you will end up banning your own server and not be able to connect to LDAP. oip is the section of the log you want to ban.



Jon
February 4, 2016 at 21:59

I must be doing something incorrectly. I've copied all the files exactly as they are shown and am still getting errors for zimbra-account.

ERROR Error in action definition iptables-allports[name=zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...

Any help would be greatly appreciated.

Thank you



    Jon
    February 4, 2016 at 22:02

    This is on Ubuntu 14.04.3 Server running Zimbra 8.6 Open

      Juan
      April 16, 2016 at 15:50

      Hi Jon,

      Can you check that /etc/fail2ban/action.d/iptables-allports.conf is the default file provided when you installed fail2ban ?

      Best Regards

      manose
      January 10, 2017 at 09:51

      Hi Jon,
      Did you get the issue resolved? If so, can you please post it here.
      thanks and regards

    Brad
    June 8, 2018 at 23:30

    Did you ever get this figured out, Jon? I'm having the same issue on CentOS.

Jon Morby
November 22, 2016 at 13:15

The basic premise is correct, but never put your rules in jail.conf

You should always use jail.local to avoid your rules being overwritten by updates

jail.local overrides every setting in jail.conf



Dorojatun
June 7, 2017 at 16:52

To ban the IP address of a spammer, I use the following regex: ^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P\S+)$.
I set it so that 10 send/login attempts in 5 minutes ban the IP address for 24 hours.
Thanks to Hochreiter Martin for the regex.
https://sourceforge.net/p/fail2ban/mailman/fail2ban-users/



Dorojatun
June 7, 2017 at 16:56

To ban the IP address of a spammer, I use the following regex: ^.*\[(?:::f{4,6}:)?(?P<host>\S+)\], sasl.*sasl_username=(?P\S+)$.
I set it so that 10 send/login attempts in 5 minutes ban the IP address for 24 hours.
And the exclusion/ignore IP is set too.
Thanks to Hochreiter Martin for the regex.
https://sourceforge.net/p/fail2ban/mailman/fail2ban-users/



Dzung
August 29, 2017 at 13:03

I have the same error
ERROR Error in action definition iptables-allports[name=zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
Zimbra 8.7, can anyone help me?



Khofidin Ofid
September 30, 2017 at 12:37

This is not working on 8.6, because the IP address that would be banned is the IP address of the mail server itself:

2017-09-30 12:29:48,375 WARN [qtp509886383-4401:https://10.10.10.2:7071/service/admin/soap/] [name=account@domain.co.id;ip=10.10.10.2;] security - cmd=Auth; account=account@domain.co.id; protocol=soap; error=authentication failed for [account@domain.co.id], invalid password;

Could someone give me a light?



Zimbra Improvement : Restricted Sender/Sender Must Login on Zimbra 8 – Vavai's Personal Notes
March 13, 2019 at 08:48

[…] As a powerful mail server, Zimbra has some system security features applied by default. We can also apply some additional security policies to increase mail server protection, such as PolicyD and Fail2Ban […]


