Thread: fail2ban rules for Zimbra

  1. #1

    Default fail2ban rules for Zimbra

    I've got a heavy load of people hitting my server trying to get access. I installed fail2ban and I'm trying to figure out where to tell it to look for repeated unauthorized access. I see info about it in my log emails for the admin user but I have no idea where to point fail2ban to monitor to build a block list. I'm not concerned with ports. I only need to know the location of the log file that shows unauthorized access. I thought it was the maillog file in /var/log but that doesn't seem to be right.

    Any help is appreciated. If you think deny.hosts works better let me know. My access is only via https.

  2. #2

    Default

    No one has got anything for me?

  3. #3

    Default

    /opt/zimbra/log/audit.log will provide you more information on who's trying to get in.

    john

  4. #4

    Default

    I suggest you switch on the fail2ban postfix filter on /var/log/mail.log, and add the following new filter I created for the Zimbra webmail/admin interface.

    /etc/fail2ban/jail.conf
    HTML Code:
    ...
    [zimbra-webmail]
    
    enabled = true
    port    = http,https
    filter  = zimbra-webmail
    logpath = /opt/zimbra/log/audit.log
    maxretry = 4

    /etc/fail2ban/filter.d/zimbra-webmail.conf

    HTML Code:
    # Fail2Ban configuration file
    #
    # Author: Giorgio Salluzzo <giorgio.salluzzo@gmail.com>
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match PASSWORD FAILED for Zimbra webmail/admin authentication
    # Values:  TEXT
    #
    # FIRST regex for webmail, SECOND for webadmin
    #
    failregex = ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                WARN  .* \[ip=<HOST>;ua=ZimbraWebClient
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    Last edited by drizzt; 03-27-2009 at 07:25 AM.
    Giorgio Salluzzo - Python / Django Developer
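
A quick offline check of the zimbra-webmail filter from the post above, as an added example that is not part of the original thread: it applies the two failregex lines to constructed audit.log lines and lists the hosts that reach maxretry. The `<HOST>` substitution is a simplified stand-in for fail2ban's own, findtime is ignored, and the sample lines, addresses and function names are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 or hostname only).
HOST = r"(?P<host>[\w.\-]+)"

# The two failregex lines from zimbra-webmail.conf in the post above.
FAILREGEX = [
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; "
    r"error=authentication failed for .* invalid password;$",
    r"WARN  .* \[ip=<HOST>;ua=ZimbraWebClient",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY = 4  # maxretry from the [zimbra-webmail] jail

# Constructed audit.log lines shaped to fit the regexes; not captured from a server.
TAIL = ("security - cmd=Auth; account=bob@example.com; protocol=soap; "
        "error=authentication failed for bob@example.com, invalid password;")
WEB_FAIL = ("2009-03-27 07:01:10,101 WARN  [btpool0-3] "
            "[ip=198.51.100.7;ua=ZimbraWebClient - FF3.0 (Win);] " + TAIL)
ADMIN_FAIL = ("2009-03-27 07:02:30,442 WARN  [btpool0-5] "
              "[name=bob@example.com;ip=127.0.0.1;oip=203.0.113.9;ua=zclient/5.0;] " + TAIL)
LOGIN_OK = ("2009-03-27 07:05:00,007 INFO  [btpool0-4] "
            "[name=alice@example.com;ip=192.0.2.20;ua=ZimbraWebClient - FF3.0 (Win);] "
            "security - cmd=Auth; account=alice@example.com; protocol=soap;")
SAMPLE_LOG = [WEB_FAIL] * 4 + [ADMIN_FAIL] * 2 + [LOGIN_OK]


def failures_per_host(lines):
    """Count one failure per line matched by any failregex, keyed by the captured host."""
    counts = Counter()
    for line in lines:
        for rx in COMPILED:
            match = rx.search(line.rstrip("\n"))
            if match:
                counts[match.group("host")] += 1
                break  # one failure per line, even if both regexes would match
    return counts


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failure count has reached maxretry."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```
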

  5. #5

    Default Correction

    You need to have an action in the jail.conf, or fail2ban won't start. Here is my correction:

    Code:
    [zimbra-webmail]
    
    enabled = true
    port    = http,https
    action   = iptables-multiport[name=zimbra, port="http,https", protocol=tcp]
               sendmail-whois[name=Zimbra, dest=you@mail.com]
    filter  = zimbra-webmail
    logpath = /opt/zimbra/log/audit.log
    maxretry = 4
    Like the others in jail.conf, replace you@mail.com with your email address.

  6. #6

    Default

    I have:


    jail.conf

    [postfix]

    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/zimbra.log
    #/var/log/mail.log /var/log/mail.err /var/log/mail.warn /var/log/mail.info
    maxretry = 5
    ignoreip =
    bantime = 86400
    findtime = 1200

    filter.d/postfix.conf
    [Definition]

    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
                (.*)\[<HOST>\]: SASL LOGIN authentication failed: authentication failure
                .* Blocked SPAM, \[<HOST>\].*

    ignoreregex =
    After a few hours, more than 12.000 accounts are dropped
