Zimbra mail server has it’s own anti spam based on SpamAssasin and anti virus addon based on ClamAV to block incoming and outgoing malicious. The default addon has a pretty good performance when configured properly, but if you want to increase the security of Zimbra mail server, fail2ban is an additional plugin to be considered.
What is Fail2Ban
Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).
Fail2ban operates by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.
Here is a guide to improve the security of Zimbra mail server by using Fail2Ban :
- Install Fail2Ban and IPtables. If you are using Minimal Server Appliance, both Fail2ban and IPtables has been successfully installed on the appliance. To install it manually, run the following command with root permission :
zypper ar http://download.opensuse.org/repositories/security/SLE_11/ fail2ban zypper in fail2ban
- Create a new file /etc/fail2ban/filter.d/zimbra.conf. This file contains regular expression to parsing Zimbra log which will trigger the banned process if it happens several times in a specified time interval. Contents of /etc/fail2ban/filter.d/zimbra.conf :
# Fail2Ban configuration file # # Author: # # $Revision: 1 $ # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = \[ip=;\] account - authentication failed for .* \(no such account\)$ \[ip=;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$ ;oip=;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$ \[oip=;.* SoapEngine - handler exception: authentication failed for .*, account not found$ WARN .*;ip=;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$ INFO .*ip=;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$ # NOQUEUE: reject: RCPT from .*\[\]: 550 5.1.1 .*: Recipient address rejected: # .*\[ip=;\] .* - authentication failed for .* \(invalid password\) # # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = - Create/edit /etc/fail2ban/jail.conf with the following contents :
# Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 747 $ # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 172.16.0.0/16 172.17.0.0/16 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". This option can be overridden in # each jail too (use "gamin" for a jail and "polling" for another). # # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin # is not installed, Fail2ban will use polling. # polling: uses a polling algorithm which does not require external libraries. # auto: will choose Gamin if available and polling otherwise. backend = auto # This jail corresponds to the standard configuration in Fail2ban 0.6. # The mail-whois action send a notification e-mail with a whois request # in the body. [ssh-iptables] enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=ms@vavai.com, sender=fail2ban@sungaibudi.com] logpath = /var/log/messages maxretry = 5 [proftpd-iptables] enabled = false filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=you@example.com] logpath = /var/log/proftpd/proftpd.log maxretry = 6 # This jail forces the backend to "polling". [sasl-iptables] enabled = false filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=ms@vavai.com] logpath = /var/log/zimbra.log # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # used to avoid banning the user "myuser". [ssh-tcpwrapper] enabled = false filter = sshd action = hostsdeny sendmail-whois[name=SSH, dest=ms@vavai.com] ignoreregex = for myuser from logpath = /var/log/messages # This jail demonstrates the use of wildcards in "logpath". # Moreover, it is possible to give other files on a new line. [apache-tcpwrapper] enabled = false filter = apache-auth action = hostsdeny logpath = /var/log/apache*/*error.log /home/www/myhomepage/error.log maxretry = 6 # The hosts.deny path can be defined with the "file" argument if it is # not in /etc. [postfix-tcpwrapper] enabled = false filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] sendmail[name=Postfix, dest=you@example.com] logpath = /var/log/postfix.log bantime = 300 # Do not ban anybody. Just report information about the remote host. # A notification is sent at most every 600 seconds (bantime). [vsftpd-notification] enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 # Same as above but with banning the IP address. [vsftpd-iptables] enabled = false filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. [apache-badbots] enabled = false filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] logpath = /var/www/*/logs/access_log bantime = 172800 maxretry = 1 # Use shorewall instead of iptables. [apache-shorewall] enabled = false filter = apache-noscript action = shorewall sendmail[name=Postfix, dest=you@example.com] logpath = /var/log/apache2/error_log # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. #[php-url-fopen] # #enabled = false #port = http,https #filter = php-url-fopen #logpath = /var/www/*/logs/access_log #maxretry = 1 # A simple PHP-fastcgi jail which works with lighttpd. # If you run a lighttpd server, then you probably will # find these kinds of messages in your error_log: # ALERT – tried to register forbidden variable ‘GLOBALS’ # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') # This jail would block the IP 1.2.3.4. [lighttpd-fastcgi] enabled = false port = http,https filter = lighttpd-fastcgi # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" # option is overridden in this jail. Moreover, the action "mail-whois" defines # the variable "name" which contains a comma using "". The characters '' are # valid too. [ssh-ipfw] enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] sendmail-whois[name="SSH,IPFW", dest=you@example.com] logpath = /var/log/auth.log ignoreip = 168.192.0.1 # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging. # This jail blocks UDP traffic for DNS requests. # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # [named-refused-udp] # # enabled = false # filter = named-refused # action = iptables-multiport[name=Named, port="domain,953", protocol=udp] # sendmail-whois[name=Named, dest=you@example.com] # logpath = /var/log/named/security.log # ignoreip = 168.192.0.1 # This jail blocks TCP traffic for DNS requests. [named-refused-tcp] enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] sendmail-whois[name=Named, dest=ms@vavai.com] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 [zimbra-account] enabled = true filter = zimbra action = iptables-allports[name=zimbra-account] sendmail[name=zimbra-account, dest=ms@vavai.com] logpath = /opt/zimbra/log/mailbox.log bantime = 600 maxretry = 5 [zimbra-audit] enabled = true filter = zimbra action = iptables-allports[name=zimbra-audit] sendmail[name=Zimbra-audit, dest=ms@vavai.com] logpath = /opt/zimbra/log/audit.log bantime = 600 maxretry = 5 [zimbra-recipient] enabled = true filter = zimbra action = iptables-allports[name=zimbra-recipient] sendmail[name=Zimbra-recipient, dest=ms@vavai.com] logpath = /var/log/zimbra.log #findtime = 604800 bantime = 172800 maxretry = 5 [postfix] enabled = true filter = postfix action = iptables-multiport[name=postfix, port=smtp, protocol=tcp] sendmail-buffered[name=Postfix, dest=ms@vavai.com] logpath = /var/log/zimbra.log bantime = -1 maxretry = 5 #[sasl] #enabled = true #port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s #filter = sasl # You might consider monitoring /var/log/warn.log instead # if you are running postfix. See http://bugs.debian.org/507990 #logpath = /var/log/zimbra.logjail.conf contains data log path to be check and email address for banned notification. Do not forget to fill in the parameters ignoreip to prevent Fail2Ban banned internal network
- Edit file /etc/fail2ban/action.d/sendmail.conf and change the line :
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
into
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
- Restart Fail2Ban services
service fail2ban restart
Fail2Ban will sent a notification email to specified email address if found intrusion that match with Fail2Ban rule. IP will be instantly banned if it has qualified many times and match with Fail2Ban rules in a predefined time interval. We can also modify jail.conf or create another regular expression to check other logs.
Below are screenshot of notification email from Fail2Ban:
Fail2Ban is quite powerful and can be used to anticipate the kind of brute-force attack, both on email and other server services such as web servers, FTP servers, database servers and others.