I will describe, in a very practical and functional way, a setup of Fail2ban with Zimbra 8.8.x that is ready to work right away.
Once it is installed and you know it starts correctly (with the default configuration), make the following configuration changes.
mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bkp
mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bkp
vim /etc/fail2ban/jail.conf
# ===============================================================================================================
# Fail2Ban configuration file
#[INCLUDES]
#before = paths-debian.conf
[DEFAULT]
ignoreip = localhost IP/NOME-DA-REDE
# Ban for 7 days
bantime = 604800
# Failures are remembered for 12 hours
findtime = 43200
# At most 10 attempts
maxretry = 10
usedns = warn
backend = auto
#logencoding = auto
#enabled = false
#filter = %(__name__)s
mta = sendmail
#protocol = tcp
chain = INPUT
port = 0:65535
destemail = E-MAIL@DOMAIN
sendername = Fail2Ban
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
# ===============================================================================================================
[sshd]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, port="22,1804", protocol=tcp]
         sendmail[name=SSH, dest=E-MAIL@DOMAIN]
logpath = /var/log/auth.log
maxretry = 1
[zimbra-smtp]
enabled = true
filter = zimbra-smtp
action = iptables-multiport[name=Zimbra-SMTP, port="25,465,587", protocol=tcp]
         sendmail[name=Zimbra-SMTP, dest=E-MAIL@DOMAIN]
logpath = /var/log/zimbra.log
[zimbra-pop]
enabled = true
filter = zimbra-pop
action = iptables-multiport[name=Zimbra-POP, port="110,995", protocol=tcp]
         sendmail[name=Zimbra-POP, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
          /opt/zimbra/log/audit.log
[zimbra-imap]
enabled = true
filter = zimbra-imap
action = iptables-multiport[name=Zimbra-IMAP, port="143,993", protocol=tcp]
         sendmail[name=Zimbra-IMAP, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
          /opt/zimbra/log/audit.log
[zimbra-webmail]
enabled = true
filter = zimbra-webmail
action = iptables-multiport[name=Zimbra-Webmail, port="80,443", protocol=tcp]
         sendmail[name=Zimbra-Webmail, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
[zimbra-admin]
enabled = true
filter = zimbra-admin
action = iptables-multiport[name=Zimbra-Admin, port="80,443,7071", protocol=tcp]
         sendmail[name=Zimbra-Admin, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
# ===============================================================================================================
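fail2ban reads jail.conf with Python's configparser, so the second line of a multi-line action or logpath value has to be indented under its option; pasting the jails above without that indentation is the usual reason a jail looks fine but never sends mail or never watches audit.log. The script below is an added example, not code from the original post or from fail2ban: it parses constructed excerpts of the [zimbra-pop] and [zimbra-webmail] jails, once indented and once flattened, and shows what fail2ban's reader would see in each case (the load_jail and check_jail helpers and the excerpts are assumptions made for this example).

```python
import configparser

# Constructed excerpt of the [zimbra-pop] jail above, with the continuation
# lines of "action" and "logpath" indented as fail2ban's configparser-based
# reader requires.
JAIL_INDENTED = """\
[DEFAULT]
maxretry = 10

[zimbra-pop]
enabled = true
filter = zimbra-pop
action = iptables-multiport[name=Zimbra-POP, port="110,995", protocol=tcp]
         sendmail[name=Zimbra-POP, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
          /opt/zimbra/log/audit.log
"""

# The same jail with the indentation lost, which is what a copy-and-paste of
# the rendered page produces. The bare "/opt/zimbra/log/audit.log" line has no
# "=" or ":" so the whole file fails to parse.
JAIL_FLATTENED = """\
[zimbra-pop]
enabled = true
filter = zimbra-pop
action = iptables-multiport[name=Zimbra-POP, port="110,995", protocol=tcp]
sendmail[name=Zimbra-POP, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
/opt/zimbra/log/audit.log
"""

# Worse case: only "action" is multi-line. The flattened file parses without
# error, but "sendmail[name=..." is read as an option called "sendmail[name",
# so the e-mail action silently disappears from the jail.
JAIL_WEBMAIL_FLATTENED = """\
[zimbra-webmail]
enabled = true
filter = zimbra-webmail
action = iptables-multiport[name=Zimbra-Webmail, port="80,443", protocol=tcp]
sendmail[name=Zimbra-Webmail, dest=E-MAIL@DOMAIN]
logpath = /opt/zimbra/log/mailbox.log
"""


def load_jail(text, jail):
    """Parse a jail.conf excerpt with the configparser semantics fail2ban uses
    (multi-line values; interpolation switched off here for simplicity).
    Returns the jail's options as lists of stripped lines, or {"error": ...}
    when the text is not parseable at all."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.ParsingError as exc:
        return {"error": str(exc)}
    section = cfg[jail]
    return {key: section[key].splitlines() for key in section}


def check_jail(text, jail):
    """Sanity check to run after pasting a jail: is the file parseable, did a
    continuation line get swallowed as a bogus option, and how many actions
    and logpaths survived?"""
    parsed = load_jail(text, jail)
    if "error" in parsed:
        return "unparseable: " + parsed["error"].splitlines()[0]
    stray = [key for key in parsed if "[" in key]
    if stray:
        return "continuation line swallowed as option(s): " + ", ".join(stray)
    return "ok: %d action(s), %d logpath(s)" % (len(parsed["action"]),
                                                 len(parsed["logpath"]))


if __name__ == "__main__":
    print("indented  ->", check_jail(JAIL_INDENTED, "zimbra-pop"))
    print("flattened ->", check_jail(JAIL_FLATTENED, "zimbra-pop"))
    print("webmail flattened ->", check_jail(JAIL_WEBMAIL_FLATTENED, "zimbra-webmail"))
```

The flattened [zimbra-pop] excerpt fails with a ParsingError on the bare audit.log line, which fail2ban reports at start-up; the flattened [zimbra-webmail] excerpt parses without complaint and quietly loses the sendmail action, which is the failure that is hard to notice. On a live server, fail2ban-client -d dumps the jails as fail2ban actually loaded them and is the equivalent check.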
vim /etc/fail2ban/filter.d/zimbra-smtp.conf
# ===============================================================================================================
# Fail2Ban configuration file - ZIMBRA-SMTP
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$
ignoreregex =
# ===============================================================================================================
vim /etc/fail2ban/filter.d/zimbra-imap.conf
# ===============================================================================================================
# Fail2Ban configuration file - ZIMBRA-IMAP
[Definition]
failregex = .*Imap.*ip=<HOST>;.*error=authentication failed for .*
            .*Imap.*ip=<HOST>;.*account - authentication failed for .*
ignoreregex =
# ===============================================================================================================
vim /etc/fail2ban/filter.d/zimbra-pop.conf
# ===============================================================================================================
# Fail2Ban configuration file - ZIMBRA-POP
[Definition]
failregex = .*Pop.*ip=<HOST>;.*error=authentication failed for .*
            .*Pop.*ip=<HOST>;.*account - authentication failed for .*
ignoreregex =
# ===============================================================================================================
vim /etc/fail2ban/filter.d/zimbra-webmail.conf
# ===============================================================================================================
# Fail2Ban configuration file - ZIMBRA-WEBMAIL
[Definition]
failregex = .*ip=<HOST>;ua=zclient.*authentication failed for .*
ignoreregex =
# ===============================================================================================================
vim /etc/fail2ban/filter.d/zimbra-admin.conf
# ===============================================================================================================
# Fail2Ban configuration file - ZIMBRA-ADMIN
[Definition]
failregex = .*ip=<HOST>;port=.*;ua=ZimbraWebClient .* authentication failed for .*
ignoreregex =
# ===============================================================================================================
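To see which log lines the five filters above actually catch, here is an added Python example (not code from the original post or from fail2ban) that expands <HOST> and %(__prefix_line)s the way fail2ban does and runs the failregex lists over sample lines. HOST_RE is the substitution used by the fail2ban 0.9 series, PREFIX_LINE is a simplified stand-in for common.conf, and the mailbox.log lines, IP addresses and account names are constructed for the example; the third zimbra.log line is the SASL failure quoted in the comments below, which the last zimbra-smtp failregex matches.

```python
import re

# fail2ban replaces the <HOST> tag with a named group; this is the 0.9-series
# substitution (assumed here; newer releases use a richer address pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for common.conf's %(__prefix_line)s (syslog timestamp,
# hostname, daemon and pid). An assumption for this example, not fail2ban's
# real, much longer definition.
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d )?(?:\S+ )?%(_daemon)s(?:\[\d+\])?:\s+"

# failregex lines from the filter files above (three of the zimbra-smtp ones,
# all lines of the other four filters).
FILTERS = {
    "zimbra-smtp": {
        "_daemon": r"postfix/(submission/)?smtp(d|s)",
        "failregex": [
            r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
            r"^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
            r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$",
        ],
    },
    "zimbra-imap": {"failregex": [
        r".*Imap.*ip=<HOST>;.*error=authentication failed for .*",
        r".*Imap.*ip=<HOST>;.*account - authentication failed for .*",
    ]},
    "zimbra-pop": {"failregex": [
        r".*Pop.*ip=<HOST>;.*error=authentication failed for .*",
        r".*Pop.*ip=<HOST>;.*account - authentication failed for .*",
    ]},
    "zimbra-webmail": {"failregex": [
        r".*ip=<HOST>;ua=zclient.*authentication failed for .*",
    ]},
    "zimbra-admin": {"failregex": [
        r".*ip=<HOST>;port=.*;ua=ZimbraWebClient .* authentication failed for .*",
    ]},
}

# Constructed sample lines. The third zimbra.log line is the SASL failure from
# the comment thread; everything else is made up for this example.
ZIMBRA_LOG = [
    "Apr 12 21:03:10 mail-server postfix/smtpd[27101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; from=<a@example.net> to=<b@mail.example> proto=ESMTP helo=<x>",
    "Apr 12 21:02:32 mail-server postfix/submission/smtpd[27093]: warning: SASL authentication failure: Password verification failed",
    "Apr 12 21:02:32 mail-server postfix/submission/smtpd[27093]: warning: unknown[193.57.40.242]: SASL PLAIN authentication failed: authentication failure",
]
MAILBOX_LOG = [
    "2019-04-12 21:05:01,410 INFO  [ImapSSLServer-7] [ip=198.51.100.23;] security - cmd=Auth; account=user@mail.example; protocol=imap; error=authentication failed for [user@mail.example], invalid password;",
    "2019-04-12 21:05:03,002 INFO  [Pop3SSLServer-2] [ip=198.51.100.23;] security - cmd=Auth; account=user@mail.example; protocol=pop3; error=authentication failed for [user@mail.example], invalid password;",
    "2019-04-12 21:05:05,113 INFO  [qtp1234-55:https://mail.example/service/soap/AuthRequest] [ip=203.0.113.9;ua=zclient/8.8.15_GA_3829;] SoapEngine - handler exception: authentication failed for [user@mail.example], invalid password",
    "2019-04-12 21:05:07,200 INFO  [qtp1234-60:https://mail.example:7071/service/admin/soap/AuthRequest] [ip=203.0.113.9;port=51234;ua=ZimbraWebClient - FF66 (Linux)/8.8.15_GA_3829;] SoapEngine - handler exception: authentication failed for [admin@mail.example], invalid password",
    "2019-04-12 21:05:09,000 INFO  [ImapSSLServer-7] [ip=198.51.100.23;] security - cmd=Auth; account=user@mail.example; protocol=imap;",
]


def compile_failregex(filter_name):
    """Expand %(__prefix_line)s and <HOST> as fail2ban does, then compile."""
    spec = FILTERS[filter_name]
    prefix = PREFIX_LINE % {"_daemon": spec.get("_daemon", r"\S+")}
    return [re.compile((pattern % {"__prefix_line": prefix}).replace("<HOST>", HOST_RE),
                       re.MULTILINE)
            for pattern in spec["failregex"]]


def find_failures(filter_name, lines):
    """Apply one filter to log lines the way fail2ban does (re.search per line,
    first matching failregex wins) and return (host, line number) pairs that
    would count as failures against that jail."""
    regexes = compile_failregex(filter_name)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for regex in regexes:
            match = regex.search(line)
            if match:
                hits.append((match.group("host"), lineno))
                break
    return hits


if __name__ == "__main__":
    print("zimbra-smtp", find_failures("zimbra-smtp", ZIMBRA_LOG))
    for name in ("zimbra-imap", "zimbra-pop", "zimbra-webmail", "zimbra-admin"):
        print(name, find_failures(name, MAILBOX_LOG))
```

Each filter reports only its own protocol's line and ignores the successful IMAP login at the end, while the "Password verification failed" warning without a client address is (correctly) not counted. On a live server the equivalent check is fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-smtp.conf, which uses the real common.conf prefix and reports how many lines matched.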
mv /etc/fail2ban/action.d/sendmail.conf /etc/fail2ban/action.d/sendmail.conf.bkp
vim /etc/fail2ban/action.d/sendmail.conf
# ===============================================================================================================
# Fail2Ban configuration file - SENDMAIL
[INCLUDES]
before = sendmail-common.conf
[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: iniciou em `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Olá,\n
              O jail <name> foi iniciado com sucesso.\n
              Saudações,\n
              Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>
actionstop = printf %%b "Subject: [Fail2Ban] <name>: parou em `uname -n`
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Olá,\n
             O jail <name> foi parado.\n
             Saudações,\n
             Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banido <ip> de `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Olá,\n
            O IP <ip> acaba de ser banido por Fail2Ban depois de
            <failures> tentativas contra <name>.\n
            Saudações,\n
            Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>
actionunban = printf %%b "Subject: [Fail2Ban] <name>: desbanido <ip> de `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Olá,\n
              O IP <ip> acaba de ser desbanido contra <name>.\n
              Saudações,\n
              Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>
[Init]
name = default
# ===============================================================================================================
service fail2ban restart ; fail2ban-client status ; tail -f /var/log/fail2ban.log
Morning Mate,
I am trying to apply the above filter to my fail2ban, however copy and paste messes up the whole template.
If possible can you share all the filter files (zimbra-pop.conf, zimbra-admin.conf, zimbra-imap.conf, zimbra-smtp.conf, zimbra-webmail.conf) directly with me?
Use Notepad++ to copy the rules, and then use "vi" on your Linux box.
Thanks for the reply, Thiago. Mate, I have used Notepad++ but no luck. If possible, are you able to share the original filter via email please? Or if you share your email I can send you the files and you can compare them with the original you've got.
I tried in several ways, and they all worked fine by copying text, and sending to Notepad ++
Thiago, I still can't get them to work. I have uploaded them to my Nextcloud, accessible via the link below, including the log error file.
The folder allows documents upload so if you want copy and paste your working copy and I can compare and test again.
Link: https://nxcloud.virtualhub.com.au/s/tpnwmLsB7kqDa72
Password: ZimBrasil
I am trying to block this type of access and I am not managing to; can you help me?
Apr 12 21:02:32 mail-server saslauthd[4836]: zmpost: url='https://mail.server.com.br:7071/service/admin/soap/' returned buffer->data='soap:Senderauthentication failed for [volmar]
account.AUTH_FAILED
qtp2054798982-64793:https://127.0.0.1:7071/service/admin/soap/:1555113752751:848f46c2a1bff0ff', hti->error=''
Apr 12 21:02:32 mail-server saslauthd[4836]: auth_zimbra: volmar auth failed: authentication failed for [volmar]
Apr 12 21:02:32 mail-server saslauthd[4836]: do_auth : auth failure: [user=volmar] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Apr 12 21:02:32 mail-server postfix/submission/smtpd[27093]: warning: SASL authentication failure: Password verification failed
Apr 12 21:02:32 mail-server postfix/submission/smtpd[27093]: warning: unknown[193.57.40.242]: SASL PLAIN authentication failed: authentication failure
Any updates, Thiago?
From the command line,
echo "test" | /opt/zimbra/common/sbin/sendmail -t root@domain.com works, but fail2ban is not sending.
Check that the sender and dest e-mail addresses are correct in the fail2ban configuration.
destemail = seu_email@seu_dominio.com
and
sender = fail2ban@dominio.com (replace it with a valid e-mail address from your domain, such as admin@seudominio.com)
Also check whether you have sendmail installed, or which MTA is enabled to send the e-mail. Have a look at a generic installation -> https://www.linode.com/docs/security/using-fail2ban-to-secure-your-server-a-tutorial/