Difference between revisions of "Configure Fail2Ban for Zimbra Server with route instead of iptables to block IPs"

Changes from the previous revision (the current revision is rendered in full below): the KB header no longer lists ZCS 8.8; the one-line Overview ("Install and configure Fail2Ban to block attacking hosts using a null route or blackhole routes.") was replaced by the current Overview paragraph; "Ubuntu 16/18" became "Ubuntu 18/20"; the zimbra-webmail and zimbra-admin filters, which previously used two failregex lines each (one for "SoapEngine - handler exception: authentication failed for ..., invalid password" and one for "..., account not found"), now use a single pattern each; and the following list of pros and cons of the route action was removed from the Overview:

PRO:
- Works on all kernel versions and has no compatibility problems (back to Debian lenny and way further).
- It's FAST for very large numbers of blocked IPs.
- It's FAST because it blocks traffic before it enters the common iptables chains used for filtering.
- It's per host, ideal as an action against SSH password brute-forcing to block further attack attempts.
- No additional software required besides iproute/iproute2.

CON:
- Blocking is per IP and NOT per service, but ideal as an action against brute-forcing hosts.

Revision as of 07:46, 25 July 2022

Configure Fail2Ban for Zimbra Server with route instead of iptables to block IPs


KB 24185. Last updated on 2022-07-25





This article is a how-to guide on installing Fail2Ban to block attacking hosts using a null route (blackhole route) instead of iptables. This helps mitigate brute force attacks on Zimbra; brute force attacks against SMTP in particular are very common.

Prerequisite:

The OIP (originating IP) configuration must be completed before configuring the Fail2Ban service, because the filters below match on the originating client IP that Zimbra writes to its logs.

For a Single-Server Setup:
If you are running nginx on the same node as the mailstore, you will need to add both 127.0.0.1 and the real IP address of that node:

su - zimbra
zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP {IP of Server}
zmcontrol restart

For a Multi-Server Setup:

su - zimbra
zmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-1}
zmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-2}
zmprov mcf +zimbraMailTrustedIP {IP of Proxy-1}
zmprov mcf +zimbraMailTrustedIP {IP of Proxy-2}
zmcontrol restart

Installation and Configuration of Fail2Ban

1) Install Fail2Ban Package

On RHEL/CentOS 7/8:

yum install epel-release -y
yum install fail2ban -y

On Ubuntu 18/20:

apt-get clean all ; apt-get update
apt-get install fail2ban -y

2) Create the file /etc/fail2ban/jail.local; it overrides the default configuration file /etc/fail2ban/jail.conf.
Add the local IP address of the Zimbra server to ignoreip =. You can also add other IP addresses that Fail2Ban should never check.
On a multi-server setup, add every server's IP to the ignoreip list.

nano /etc/fail2ban/jail.local 

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list.
# Several addresses can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1 10.137.26.29/32
ignoreip = 127.0.0.1/8 "IP-ADDRESS-OF-ZIMBRA-SERVER/32"

banaction = route

3) Create a jail file for Zimbra services.

nano /etc/fail2ban/jail.d/zimbra.local

[zimbra-smtp]
enabled = true
filter = zimbra-smtp
port = 25,465,587
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 86400
bantime = 86400

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
port = 80,443
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 86400
bantime = 86400

[zimbra-admin]
enabled = true
filter = zimbra-admin
port = 7071,9071
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 86400
bantime = 86400

Property    Description
ignoreip    This parameter identifies the IP addresses that should be ignored by the banning system. By default, it is set only to ignore traffic coming from the machine itself, which is a sensible setting to keep.
banaction   This sets the action that is used when the threshold is reached. The value is the name of a file located in /etc/fail2ban/action.d/, whose .conf file defines the configured action. Here we configured route, which calls route.conf to manipulate the routing table to ban an IP address.
findtime    This parameter sets the window that fail2ban pays attention to when looking for repeated failed authentication attempts. The default is 600 seconds (10 minutes), which means the software counts the number of failed attempts in the last 10 minutes.
bantime     This parameter sets the length of a ban, in seconds.
maxretry    This sets the number of failed attempts that are tolerated within the findtime window before a ban is instituted.

4) [Optional]
If you also want Fail2Ban to protect SSH, create the jail file sshd.local.
(No filter rules need to be created for SSH; Fail2Ban ships with a filter for SSH by default.)
On Ubuntu systems, the SSH jail is enabled by default in the jail file "/etc/fail2ban/jail.d/defaults-debian.conf".

nano /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = 22
maxretry = 3
findtime = 600
bantime = 3600

5) Create filters for Zimbra services.

nano /etc/fail2ban/filter.d/zimbra-webmail.conf 

[Definition]
failregex = .*oip=<HOST>;.*authentication failed for .*$

ignoreregex =

nano /etc/fail2ban/filter.d/zimbra-smtp.conf

[Definition]
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$

ignoreregex =

nano /etc/fail2ban/filter.d/zimbra-admin.conf

[Definition]
failregex = .*ip=<HOST>;.*authentication failed for .*$

ignoreregex =
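As an added illustration that is not part of the article, the following Python script replays the article's zimbra-smtp and zimbra-webmail failregex patterns together with the jail settings from step 3 (maxretry = 3, findtime = 86400, ignoreip) over constructed log lines, showing which source IPs a jail would ban and how findtime ages out old failures. The IPv4-only expansion of <HOST>, the sample log lines and the simulated jail logic are assumptions for the demo, not Fail2Ban's own code.

```python
"""Simulate a Fail2Ban jail (maxretry / findtime / ignoreip) against the article's
zimbra-smtp and zimbra-webmail failregex patterns, on constructed log lines."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Fail2Ban's real <HOST> tag also covers IPv6 and hostnames; IPv4-only here (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex patterns copied from the article's filter.d files, <HOST> expanded.
FILTERS = {
    "zimbra-smtp": [
        r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[" + HOST
        + r"\]: SASL \w+ authentication failed: authentication failure$",
        r"postfix\/smtps\/smtpd\[\d+\]: warning: .*\[" + HOST
        + r"\]: SASL \w+ authentication failed: authentication failure$",
    ],
    "zimbra-webmail": [r".*oip=" + HOST + r";.*authentication failed for .*$"],
}

def matches(jail, line):
    """Return the host captured by the first matching failregex, else None."""
    for pattern in FILTERS[jail]:
        m = re.search(pattern, line)
        if m:
            return m.group("host")
    return None

def run_jail(jail, entries, maxretry=3, findtime=86400, ignoreip=("127.0.0.1/8",)):
    """entries: (epoch_seconds, log_line) pairs in time order.
    Returns {host: ban_timestamp} as a jail with these settings would ban."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)  # host -> failure timestamps inside the window
    banned = {}
    for ts, line in entries:
        host = matches(jail, line)
        if host is None or host in banned:
            continue
        if any(ip_address(host) in net for net in ignored):
            continue  # ignoreip: never counted, never banned
        window = failures[host]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample lines; timestamps are seconds from an arbitrary origin.
SMTP_FAIL = ("Dec  9 10:0{m}:00 mail {proc}[41{m}]: warning: "
             "unknown[{ip}]: SASL LOGIN authentication failed: authentication failure")
ZIMBRA_LOG = [
    (0, SMTP_FAIL.format(m=0, proc="postfix/submission/smtpd", ip="203.0.113.10")),
    (60, SMTP_FAIL.format(m=1, proc="postfix/smtps/smtpd", ip="203.0.113.10")),
    (120, SMTP_FAIL.format(m=2, proc="postfix/submission/smtpd", ip="203.0.113.10")),
    # plain port-25 smtpd is not covered by the article's filter, so it never counts
    (180, SMTP_FAIL.format(m=3, proc="postfix/smtpd", ip="198.51.100.5")),
]
WEB_FAIL = ("{when} INFO  [qtp-7:https://mail.example.com/service/soap/AuthRequest] "
            "[name=bob@example.com;oip={ip};ua=zclient/8.8.15;] SoapEngine - "
            "handler exception: authentication failed for [bob@example.com], {why}")
MAILBOX_LOG = [
    (0, WEB_FAIL.format(when="2020-12-09 10:00:00,001", ip="198.51.100.7", why="invalid password")),
    (50000, WEB_FAIL.format(when="2020-12-09 23:53:20,002", ip="198.51.100.7", why="invalid password")),
    # 100000 s after the first failure it has aged out of findtime, so still no ban
    (100000, WEB_FAIL.format(when="2020-12-10 13:46:40,003", ip="198.51.100.7", why="account not found")),
    (100001, WEB_FAIL.format(when="2020-12-10 13:46:41,004", ip="127.0.0.1", why="invalid password")),
    (120000, WEB_FAIL.format(when="2020-12-10 19:20:00,005", ip="198.51.100.7", why="invalid password")),
]

if __name__ == "__main__":
    print("zimbra-smtp bans:", run_jail("zimbra-smtp", ZIMBRA_LOG))
    print("zimbra-webmail bans:", run_jail("zimbra-webmail", MAILBOX_LOG))
```

The same patterns can be checked against a real log with fail2ban-regex (see the Debugging section); the simulation only shows how the counting window interacts with the filters.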

6) Restart the Fail2ban service and enable it so that it starts after a system reboot.

systemctl restart fail2ban
systemctl status fail2ban
systemctl enable fail2ban

7) Check the status of the Fail2Ban jails.

fail2ban-client status

The result should be similar to this:

[root@centos8 ~]# fail2ban-client status
Status
|- Number of jail:      4
`- Jail list:   sshd, zimbra-admin, zimbra-smtp, zimbra-webmail
[root@centos8 ~]#
[root@centos8 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   10.137.26.29

8) Check the banned IP in the routing table.

ip r

route -n

The result should be similar to this:

[root@centos8 ~]# ip r
default via 10.0.10.1 dev ens3
10.0.10.0/24 dev ens3  proto kernel  scope link  src 10.0.10.67
unreachable 10.137.26.29
[root@centos8 ~]#
[root@centos8 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.10.1       0.0.0.0         UG    0      0        0 ens3
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 ens3
10.137.26.29    -               255.255.255.255 !H    0      -        0 -
[root@centos8 ~]#

9) Ban and unban an IP manually.

Ban an IP address.

fail2ban-client set "Jail-Name" banip "IP-Address"

Example:

fail2ban-client set sshd banip 10.137.26.29

Unban an IP address.

fail2ban-client set "Jail-Name" unbanip "Banned IP-Address"

Example:

[root@centos8 ~]# fail2ban-client set sshd unbanip 10.137.26.29

Unban everyone.

This can be useful when something goes wrong while creating a new regex filter:

fail2ban-client unban --all

Debugging of Fail2Ban:

The log level and log target are configured in /etc/fail2ban/fail2ban.conf; you can also obtain them by running:

fail2ban-client get loglevel
fail2ban-client get logtarget

To watch the log for debugging purposes, run:

tail -f $(fail2ban-client get logtarget | grep "\`" | awk '{ print $2; }')

Fail2ban works by parsing log files with regular expressions; you can test a filter's regular expression against a log file with fail2ban-regex like this:

fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf


Submitted by: Heera Singh Koranga
Verified Against: ZCS 9.0, 8.8
Date Created: 2020-12-09
Article ID: https://wiki.zimbra.com/index.php?title=Configure_Fail2Ban_for_Zimbra_Server_with_route_instead_of_iptables_to_block_IPs
Date Modified: 2022-07-25


