Home
Tips : Improving Zimbra Mail Server Security with Fail2Ban

Tips : Improving Zimbra Mail Server Security with Fail2Ban

October 21, 2011 Server, SUSE Family, Zimbra 14 Comments

Fail2ban_logoZimbra mail server has it’s own anti spam based on SpamAssasin and anti virus addon based on ClamAV to block incoming and outgoing malicious. The default addon has a pretty good performance when configured properly, but if you want to increase the security of Zimbra mail server, fail2ban is an additional plugin to be considered.

What is Fail2Ban

Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).

Fail2ban operates by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

Here is a guide to improve the security of Zimbra mail server by using Fail2Ban :

  1. Install Fail2Ban and IPtables. If you are using Minimal Server Appliance, both Fail2ban and IPtables has been successfully installed on the appliance. To install it manually, run the following command with root permission : 
    zypper ar http://download.opensuse.org/repositories/security/SLE_11/ fail2ban
zypper in fail2ban
  2. Create a new file /etc/fail2ban/filter.d/zimbra.conf. This file contains regular expression to parsing Zimbra log which will trigger the banned process if it happens several times in a specified time interval. Contents of/etc/fail2ban/filter.d/zimbra.conf : 
    # Fail2Ban configuration file
#
# Author: 
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
# 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
  3. Create/edit /etc/fail2ban/jail.conf with the following contents : 
    # Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
## The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 202.43.115.188/32
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=zeze@vavai.com, sender=fail2ban@excellent.co.id]
logpath = /var/log/messages
maxretry = 5

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=support@excellent.co.id]
logpath = /var/log/zimbra.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=support@excellent.co.id]
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, dest=support@excellent.co.id]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, dest=support@excellent.co.id]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, dest=support@excellent.co.id]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=support@excellent.co.id]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

#[sasl]
#enabled = true
#port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
#filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
#logpath = /var/log/zimbra.log

    jail.conf contains data log path to be check and email address for banned notification. Do not forget to fill in the parameters ignoreip to prevent Fail2Ban banned internal network

  4. Edit file /etc/fail2ban/action.d/sendmail.conf and change the line : 
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

    into

    Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
  5. Restart Fail2Ban services 
    service fail2ban restart

Fail2Ban will sent a notification email to specified email address if found intrusion that match with Fail2Ban rule. IP will be instantly banned if it has qualified many times and match with Fail2Ban rules in a predefined time interval. We can also modify jail.conf  or create another regular expression to check other logs.

Below are screenshot of notification email from Fail2Ban:

Fail2Ban is quite powerful and can be used to anticipate the kind of brute-force attack, both on email and other server services such as web servers, FTP servers, database servers and others.

Related Posts

About The Author

Vavai

Traveller, Open Source Enthusiast & Book Lover. Works as Independent Worker & Self-Employer.

Latest Comments

  1. Mal Hira May 28, 2015

    Hi!

    One more regexp for zimbra.conf in case of external LDAP auth

    ;oip=;.* SoapEngine – handler exception: authentication failed for .*, external LDAP auth failed, LDAP error: – unable to ldap authenticate: invalid credentials$

    Reply
    • Mal Hira May 28, 2015

      and

      ;oip=;.* security – cmd=Auth; .* protocol=soap; error=authentication failed for .*, external LDAP auth failed, LDAP error: – unable to ldap authenticate: invalid credentials$

      (4 audit)

      Reply
  2. Mal Hira May 28, 2015

    error

    ;oip=;.* security – cmd=Auth; .* protocol=soap; error=authentication failed for .*, external LDAP auth failed, LDAP error: – unable to ldap authenticate: invalid credentials;$

    Reply
  4. scott January 18, 2016

    This is wrong, if you use this with 8.6+ you will end up banning your own server and not be able to connect to LDAP. oip is the section of the log you want to ban

    Reply
  5. Jon February 4, 2016

    I’m must be doing something incorrectly. I’ve copied all the files exactly as they are shown and am still getting errors for zimbra-account.

    ERROR Error in action definition iptables-allports[name=zimbra-account]
    ERROR Errors in jail ‘zimbra-account’. Skipping…

    Any help would be greatly appreciated.

    Thank you

    Reply
    • Jon February 4, 2016

      This is on Ubuntu 14.04.3 Server running Zimbra 8.6 Open

      Reply
      • Juan April 16, 2016

        Hi Jon,

        Can you check that /etc/fail2ban/action.d/iptables-allports.conf is the default file provided when you installed fail2ban ?

        Best Regards

        Reply
      • manose January 10, 2017

        Hi Jon,
        Did u get the issue resolved? if so can you please post it here.
        thanks and regards

        Reply
    • Brad June 8, 2018

      Did you ever get this figured out Jon? I’m having the same issue on centos

      Reply
  6. Jon Morby November 22, 2016

    The basic premise is correct, but never put your rules in jail.conf

    You should always use jail.local to avoid your rules being overwritten by updates

    jail.local overrides every setting in jail.conf

    Reply
  7. Dorojatun June 7, 2017

    To ban ip address of the spammer, I use following regex: ^.*\[(?:::f{4,6}:)?(?P\S+)\], sasl.*sasl_username=(?P\S+)$.
    I set to 10 times send/login in 5 minutes will ban ip address for 24 hours.
    Thanks to Hochreiter Martin for the regex.
    https://sourceforge.net/p/fail2ban/mailman/fail2ban-users/

    Reply
  8. Dorojatun June 7, 2017

    To ban ip address of the spammer, I use following regex: ^.*\[(?:::f{4,6}:)?(?P\S+)\], sasl.*sasl_username=(?P\S+)$.
    I set to 10 times send/login in 5 minutes will ban ip address for 24 hours.
    And exclution/ignore ip is set too.
    Thanks to Hochreiter Martin for the regex.
    https://sourceforge.net/p/fail2ban/mailman/fail2ban-users/

    Reply
  9. Dzung August 29, 2017

    I have same error
    ERROR Error in action definition iptables-allports[name=zimbra-account]
    ERROR Errors in jail ‘zimbra-account’. Skipping…
    zimbra 8.7 any one help me

    Reply
  10. Khofidin Ofid September 30, 2017

    This is not working on 8.6, because the IP address that would be banned is the IP address of mail server server itself:

    2017-09-30 12:29:48,375 WARN [qtp509886383-4401:https://10.10.10.2:7071/service/admin/soap/%5D [name=account@domain.co.id;ip=10.10.10.2;] security – cmd=Auth; account=account@domain.co.id; protocol=soap; error=authentication failed for [account@domain.co.id], invalid password;

    Could someone give me alight?

    Reply

Leave a Reply