Fail2Ban, Zimbra’s DoSFilter and Failed Login Lockout Policy

On each Zimbra deployment strategy, I’ve never activate Failed Login Lockout Policy as it tend to block legitimate user from being logged in due to brute force attack from others. The legitimate users often become a victim for spammer or robot attempt to login.

I would also prefer Fail2ban to block login attempt from spammer rather than Zimbra’s built in filter, DoSFilter. But it seems to be changed after looking at (just a short reply 🙂 ) on a discussion on Zimbra Forums.

L Mark Stone of Mission Critical Email write up : “Using Zimbra’s DoSFilter and Failed Login Lockout Policy Together”

Zimbra’s DoSFilter (Denial of Service Filter) is a mechanism to throttle or block IP addresses that have a repeated number of failed logins to your Zimbra system.  Zimbra’s Classes of Service include a Failed Login Lockout policy that will put a mailbox in Locked Out mode, hopefully before a brute force attack is successful.  The two together can improve system security and protect legitimate users, but only if configured appropriately.

DoSFilter is generally easier to configure than fail2ban in multiserver systems, because in a multi-server system the logger host is usually one of the mailbox servers, but you want to do the fail2ban blocking on the MTA and Proxy servers.  Making all that work is complex, and if you are running Network Edition, Zimbra Support can help you troubleshoot DoSFilter; with fail2ban you are on your own.  On single server Zimbra systems, fail2ban works fine, but you’ll need to source up to date Zimbra “jail” configuration files, so yet another reason to favor DoSFilter over fail2ban.

As one of top Zimbra Expert involved on Zimbra Forums since the beginning and managing his business focus on email, Mark has his own’s experience to deal with Zimbra security improvement and his blog post interesting enough to be implemented.

Leave a Reply