https://wiki.zimbra.com/api.php?action=feedcontributions&user=LMStone510&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-29T04:57:08ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Configure_Fail2Ban_for_Zimbra_Server_with_route_instead_of_iptables_to_block_IPs&diff=69170Configure Fail2Ban for Zimbra Server with route instead of iptables to block IPs2022-08-18T12:29:52Z<p>LMStone510: /* Installation and Configuration of Fail2Ban */</p>
<hr />
<div>{{BC|Community Sandbox}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
==Configure Fail2Ban for Zimbra Server with route instead of iptables to block IPs==<br />
<hr><br />
{{KB|{{WIP}}|{{ZCS 9.0}}|}} <br />
<hr><br />
<br />
This article is a how-to guide on installing Fail2Ban to block attacking hosts using a null route or blackhole routes. This can help mitigate brute force attacks on Zimbra. Especially brute force attacks on SMTP are very common.<br />
<br />
= Prerequisite: =<br />
<br />
It is required the OIP configuration must be done before configuring Fail2Ban service.<br />
<br />
'''For a Single-Server Setup:'''<br /><br />
If you are running nginx on the same node as the mailstore, you will need to add both 127.0.0.1 and the real IP address of that node:<br />
<br />
<pre>sudo -u zimbra -<br />
zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP {IP of Server}<br />
zmcontrol restart</pre><br />
'''For a Multi-Server Setup:'''<br />
<br />
<pre>sudo -u zimbra -<br />
zmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-1}<br />
zmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-2}<br />
zmprov mcf +zimbraMailTrustedIP {IP of Proxy-1}<br />
zmprov mcf +zimbraMailTrustedIP {IP of Proxy-2}<br />
zmcontrol restart</pre><br />
= Installation and Configuration of Fail2Ban =<br />
<br />
'''1)''' Install Fail2Ban Package<br />
<br />
'''On RHEL/CentOS 7/8:'''<br />
<br />
<pre>yum install epel-release -y<br />
yum install fail2ban -y</pre><br />
'''On Ubuntu 18/20:'''<br />
<br />
<pre>apt-get clean all ; apt-get update<br />
apt-get install fail2ban -y</pre><br />
'''2)''' Create a file '''/etc/fail2ban/jail.local''' and it will override the default conf file '''/etc/fail2ban/jail.conf'''.<br /><br />
Add the local IP address of the Zimbra server in '''ignoreip ='''. You can also add other IP addresses to ignore from Fail2Ban checking.<br /><br />
On a multi-server setup, add all server’s IP in ignoreip list.<br />
<br />
<code>nano /etc/fail2ban/jail.local </code><br />
<br />
<pre>[DEFAULT]<br />
# &quot;ignoreip&quot; can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list.<br />
# Several addresses can be defined using space (and/or comma) separator.<br />
#ignoreip = 127.0.0.1/8 ::1 10.137.26.29/32<br />
ignoreip = 127.0.0.1/8 &quot;IP-ADDRESS-OF-ZIMBRA-SERVER/32&quot;<br />
<br />
banaction = route</pre><br />
'''3)''' Create a jail file for Zimbra services.<br />
<br />
<code>nano /etc/fail2ban/jail.d/zimbra.local</code><br />
<br />
<pre>[zimbra-smtp]<br />
enabled = true<br />
filter = zimbra-smtp<br />
port = 25,465,587<br />
logpath = /var/log/zimbra.log<br />
maxretry = 3<br />
findtime = 86400<br />
bantime = 86400<br />
action = route<br />
<br />
[zimbra-webmail]<br />
enabled = true<br />
filter = zimbra-webmail<br />
port = 80,443<br />
logpath = /opt/zimbra/log/mailbox.log<br />
maxretry = 3<br />
findtime = 86400<br />
bantime = 86400<br />
action = route<br />
<br />
[zimbra-admin]<br />
enabled = true<br />
filter = zimbra-admin<br />
port = 7071,9071<br />
logpath = /opt/zimbra/log/mailbox.log<br />
maxretry = 3<br />
findtime = 86400<br />
bantime = 86400<br />
action = route</pre><br />
{|<br />
!width="6%"| Property<br />
!width="94%"| Description<br />
|-<br />
| ignoreip<br />
| This parameter identifies IP address that should be ignored by the banning system. By default, this is just set to ignore traffic coming from the machine itself, which is a pretty good setting to have.<br />
|-<br />
| banaction<br />
| This sets the action that will be used when the threshold is reached. There is actually the name of a file located in ’`/etc/fail2ban/action.d/'’ which calls the configured action using the .conf file. Here we configured route which calls route.conf to handle the routing table manipulation to ban an IP address.<br />
|-<br />
| findtime<br />
| This parameter sets the window that fail2ban will pay attention to when looking for repeated failed authentication attempts. The default is set to 600 seconds (10 minutes again), which means that the software will count the number of failed attempts in the last 10 minutes.<br />
|-<br />
| bantime<br />
| This parameter sets the length of a ban, in seconds.<br />
|-<br />
| maxretry<br />
| This sets the number of failed attempts that will be tolerated within the findtime window before a ban is instituted.<br />
|}<br />
<br />
'''4)''' '''[Optional]'''<br /><br />
If you want to apply Fail2Ban for SSH then create jail file '''''sshd.local'''''.<br /><br />
(No need to create filter rules for SSH, Fail2ban by default shipped with filter rules for SSH)<br /><br />
On Ubuntu systems, SSH jail is by default enabled within the jail file &quot;/etc/fail2ban/jail.d/defaults-debian.conf&quot;.<br />
<br />
<code>nano /etc/fail2ban/jail.d/sshd.local</code><br />
<br />
<pre>[sshd]<br />
enabled = true<br />
port = 22<br />
maxretry = 3<br />
findtime = 600<br />
bantime = 3600</pre><br />
'''5)''' Create filters for Zimbra services.<br />
<br />
<code>nano /etc/fail2ban/filter.d/zimbra-webmail.conf </code><br />
<br />
<pre>[Definition]<br />
failregex = .*oip=&lt;HOST&gt;;.*authentication failed for .*$<br />
<br />
ignoreregex =</pre><br />
<code>nano /etc/fail2ban/filter.d/zimbra-smtp.conf</code><br />
<br />
<pre>[Definition]<br />
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[&lt;HOST&gt;\]: SASL \w+ authentication failed: authentication failure$<br />
postfix\/smtps\/smtpd\[\d+\]: warning: .*\[&lt;HOST&gt;\]: SASL \w+ authentication failed: authentication failure$<br />
<br />
ignoreregex =</pre><br />
<code>nano /etc/fail2ban/filter.d/zimbra-admin.conf</code><br />
<br />
<pre>[Definition]<br />
failregex = .*ip=&lt;HOST&gt;;.*authentication failed for .*$<br />
<br />
ignoreregex =</pre><br />
'''6)''' Restart the Fail2ban service and enable it to start after system reboot.<br />
<br />
<pre>systemctl restart fail2ban<br />
systemctl status fail2ban<br />
systemctl enable fail2ban</pre><br />
'''7)''' Check the status of the Fail2Ban jails.<br />
<br />
<code>fail2ban-client status</code><br />
<br />
The result should be similar to this:<br />
<br />
<pre>[root@centos8 ~]# fail2ban-client status<br />
Status<br />
|- Number of jail: 4<br />
`- Jail list: sshd, zimbra-admin, zimbra-smtp, zimbra-webmail<br />
[root@centos8 ~]#<br />
[root@centos8 ~]# fail2ban-client status sshd<br />
Status for the jail: sshd<br />
|- Filter<br />
| |- Currently failed: 0<br />
| |- Total failed: 14<br />
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd<br />
`- Actions<br />
|- Currently banned: 1<br />
|- Total banned: 2<br />
`- Banned IP list: 10.137.26.29</pre><br />
'''8)''' Check banned IP in routing table.<br />
<br />
<code>ip r</code><br />
<br />
<code>route -n</code><br />
<br />
The result should be similar to this:<br />
<br />
<pre>[root@centos8 ~]# ip r<br />
default via 10.0.10.1 dev ens3<br />
10.0.10.0/24 dev ens3 proto kernel scope link src 10.0.10.67<br />
unreachable 10.137.26.29<br />
[root@centos8 ~]#<br />
[root@centos8 ~]# route -n<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.0.10.1 0.0.0.0 UG 0 0 0 ens3<br />
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3<br />
10.137.26.29 - 255.255.255.255 !H 0 - 0 -<br />
[root@centos8 ~]#</pre><br />
'''9)''' Ban and unban an IP manually.<br />
<br />
'''Ban an IP address.'''<br />
<br />
<code>fail2ban-client set &quot;Jail-Name&quot; banip &quot;IP-Address&quot;</code><br />
<br />
'''Example:'''<br />
<br />
<code>fail2ban-client set sshd banip 10.137.26.29</code><br />
<br />
'''Unban an IP address.'''<br />
<br />
<code>fail2ban-client set &quot;Jail-Name&quot; unbanip &quot;Banned IP-Address&quot;</code><br />
<br />
'''Example:'''<br />
<br />
<code>[root@centos8 ~]# fail2ban-client set sshd unbanip 10.137.26.29</code><br />
<br />
'''Unban everyone.'''<br />
<br />
Can be useful when something goes wrong with creating new RegEx filter:<br />
<br />
<code>fail2ban-client unban --all</code><br />
<br />
= Debugging of Fail2Ban: =<br />
<br />
The loglevel and target are configured in <code>/etc/fail2ban/fail2ban.conf</code> you can also obtain the log level and log target by running:<br />
<br />
<pre>fail2ban-client get loglevel<br />
fail2ban-client get logtarget</pre><br />
To watch the log for debugging purpose you can run:<br />
<br />
<pre>tail -f $(fail2ban-client get logtarget | grep &quot;\`&quot; | awk '{ print $2; }')</pre><br />
Fail2ban works by parsing log files using regular expressions, you can test the regular expression by using <code>fail2ban-regex</code> like this:<br />
<br />
<pre>fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf</pre><br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Heera Singh Koranga<br />
|}<br />
{{Article Footer|ZCS 9.0|2020-12-09}}</div>LMStone510