Zimbra 8.6 fail2ban oip

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yogg01
Posts: 13
Joined: Sat Sep 13, 2014 3:55 am

Zimbra 8.6 fail2ban oip

Postby yogg01 » Fri Feb 26, 2016 4:11 am

Hi



My System:
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P4.



What I try to do:
I want to autoban with fail2ban all the brute force attackers.



The Problem behind that is the following:
In "/opt/zimbra/log/mailbox.log" I see the following if someone tries to login on the website with invalid credentials:


2016-02-26 10:33:50,323 INFO  [qtp509886383-171:http://127.0.0.1:8080/service/soap/AuthRequest] [oip=192.168.5.3;ua=zclient/8.6.0_GA_1182;] SoapEngine - handler exception: authentication failed for [mytest], account not found
2016-02-26 10:33:50,323 INFO [qtp509886383-171:http://127.0.0.1:8080/service/soap/AuthRequest] [oip=192.168.5.3;ua=zclient/8.6.0_GA_1182;] soap - AuthRequest elapsed=1
2016-02-26 10:33:50,339 INFO [qtp509886383-167:https://127.0.0.1:7071/service/admin/soap/GetDomainInfoRequest] [ip=127.0.0.1;ua=ZCS/8.6.0_GA_1182;] soap - GetDomainInfoRequest elapsed=0

The "oip" is the internal IP of the server but should be the IP of the client.
I have another zimbra (also 8.6 with zimbra proxy) there "oip" has the right IP in it.


I think the zimbra proxy is the problem here but I can't find out why on this machine the proxy does not ship the right IP to the login service.


Has someone an idea what is going wrong here?



yogg01
Posts: 13
Joined: Sat Sep 13, 2014 3:55 am

Zimbra 8.6 fail2ban oip

Postby yogg01 » Tue Mar 01, 2016 7:09 am

Have found it.


zmprov mcf +zimbraMailTrustedIP 192.168.5.3
zmcontrol restart

This solves the Problem.
Its somehow strange that zimbra will not do this automatically when the proxy services is installed (on the same host).

User avatar
howanitz
Advanced member
Advanced member
Posts: 65
Joined: Mon Feb 01, 2016 9:27 am

Zimbra 8.6 fail2ban oip

Postby howanitz » Tue Mar 01, 2016 7:13 am

Did that change the listed IP address in the logs, or just whitelist your internal ip address?
yogg01
Posts: 13
Joined: Sat Sep 13, 2014 3:55 am

Zimbra 8.6 fail2ban oip

Postby yogg01 » Tue Mar 01, 2016 7:36 am

This changes the displayed value in the "oip" filed.


My log looks now something like this:


2016-03-01 14:05:37,775 INFO  [qtp509886383-19:http://127.0.0.1:8080/service/soap/AuthRequest] [oip=1.2.3.4;ua=zclient/8.6.0_GA_1194;] SoapEngine - handler exception: authentication failed for [mytest], account not found
2016-03-01 14:05:37,776 INFO [qtp509886383-19:http://127.0.0.1:8080/service/soap/AuthRequest] [oip=1.2.3.4;ua=zclient/8.6.0_GA_1194;] soap - AuthRequest elapsed=16
2016-03-01 14:05:37,777 INFO [qtp509886383-19:http://127.0.0.1:8080/service/soap/AuthRequest] [] misc - Invalid login filter, checking if this was an auth req and authentication failed.

As you can see the "oip" field now shows correct the external IP of the user and fail2ban can work with this.

yogg01
Posts: 13
Joined: Sat Sep 13, 2014 3:55 am

Zimbra 8.6 fail2ban oip

Postby yogg01 » Tue Mar 01, 2016 7:51 am

By the way you only need to restart mailboxd (not all the services)


zmmailboxdctl restart
Broco
Posts: 8
Joined: Sat Sep 13, 2014 3:37 am

Re: Zimbra 8.6 fail2ban oip

Postby Broco » Fri Oct 21, 2016 11:11 am

Just for future reference:

When you have nginx installed, the logfiles will ALWAYS show the nginx server as source IP, even if it is on the same machine.
In order to preserve the original IP you have to add ninx to the trusted IPs, if it is on the same machine, you have to add the real address as well as 127.0.0.1.

Nginx hasn't been default for long and I think it's not much of a problem to do so if you know it.

Here's the official reference:

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 9 guests