Page 1 of 2

How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 7:49 am
by MartinsBonders
Hello!

What would be the best way to protect Zimbra 8.6 from postfix AUTH DoS attacks? Like this:

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 8:44 am
by phoenix
How about fail2ban? There are details in the forums on that subject.

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 12:18 pm
by L. Mark Stone
fail2ban I can confirm works great.

Hope that helps,
Mark

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 1:23 pm
by MartinsBonders
Is there some approved manual how to setup Zimbra + fail2ban? Because forum have some pieces of configs.

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 1:26 pm
by phoenix
The simple answer to that would be no, there isn't any Zimbra document for that. This isn't a function of ZCS and installing fail2ban would be a server admin task - I believe there's plenty details on the internet for configuring it.

For example, Centos7: https://search.yahoo.com/yhs/search?p=% ... mp=yhs-001

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Fri Oct 14, 2016 2:07 pm
by L. Mark Stone
Here is is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)

root@mail:/etc/fail2ban/filter.d# cat zimbra.conf
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

root@mail:/etc/fail2ban/filter.d#

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Wed Oct 19, 2016 11:56 am
by MartinsBonders
Thank you, this looks very good!~:)


L. Mark Stone wrote:Here is is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)

root@mail:/etc/fail2ban/filter.d# cat zimbra.conf
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

root@mail:/etc/fail2ban/filter.d#

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Wed Oct 19, 2016 1:34 pm
by L. Mark Stone
MartinsBonders wrote:Thank you, this looks very good!~:)


L. Mark Stone wrote:Here is is the zimbra.conf file we use (in addition to some of the other jail conf files that come with fail2ban...)

root@mail:/etc/fail2ban/filter.d# cat zimbra.conf
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

root@mail:/etc/fail2ban/filter.d#



You're very welcome; hope you get things sorted out!

All the best,
Mark

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Thu Oct 20, 2016 9:55 pm
by Xardas999
Dear Sir Mark!

If I put this into filter.d directory as a file zimbra.conf, what should I enter in jail.local?
[zimbra]
enabled=true
... or something else? logs path, backend set up?

Thank you in advance!

Re: How to protect Zimbra against postfix AUTH DoS attacks

Posted: Thu Oct 20, 2016 10:00 pm
by Xardas999
If I just add to jail.local
[zimbra]
enabled=true

and put this content to zimbra.conf

then fail2ban-client reload tells:
ERROR NOK: ("No 'host' group in '\\[ip=;\\] account \xe2\x80\x94 authentication failed for .* \\(no such account\\)$'",)


-------- REMARK:
this happens if you wrongly copy-pasted the config and the name <HOST> is missing. The above mentioned like must look:
\\[ip=<HOST>;\\] account \xe2\x80\x94 authentication failed for .* \\(no such account\\)$