How to configure the firewall and fail2ban to prevent brute-force attacks on Zimbra 8.6 on Ubuntu (Server) 14.04 LTS Step-by-Step

Fail2ban is an intrusion prevention framework written in Python. It runs on POSIX systems that have a locally installed packet-filtering or firewall interface, for example iptables or TCP Wrapper. Fail2ban works by watching log files for selected entries and running scripts when it sees them. Most commonly it is used to block the IP addresses of hosts that appear to be attacking the system: it can ban any host that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator. All of the steps below are run as root.

Step 1 – Update repositories.

root@mail:/# apt-get update
root@mail:/# apt-get upgrade

Step 2 – Install fail2ban. Ubuntu 14.04 ships the 0.8.x series, and the action, jail and filter files below are written in that release's syntax.

root@mail:/# apt-get install fail2ban

Step 3 – Back up the original action file before editing it.

root@mail:/# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup

Step 4 – Open this file /etc/fail2ban/action.d/iptables-allports.conf.

root@mail:/# nano /etc/fail2ban/action.d/iptables-allports.conf

Step 5 – Make bans survive a restart. Delete everything in /etc/fail2ban/action.d/iptables-allports.conf and paste in the action below. It is the stock iptables-allports action with two additions: actionban records each banned address in /etc/fail2ban/ip.blacklist, and actionstart re-inserts every address saved for this jail when fail2ban starts, so a permanent ban is not lost when the service or the server restarts. Two things to keep in mind when pasting: the continuation lines of a multi-line value must be indented, or fail2ban will not parse the file; and <name>, <protocol>, <ip>, <failures> and <time> are fail2ban tags that are substituted at run time, so they must be typed exactly as shown (an HTML view of this file that drops them, as one of the comments below notes, leaves a broken action).

# Fail2Ban configuration file
#
# Author: Martin Slavov
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
#         Also re-inserts every address saved for this jail in
#         /etc/fail2ban/ip.blacklist (one "<ip>,<name>" line per ban).
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -j fail2ban-<name>
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e <name>$ | cut -d "," -s -f 1 | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done; fi

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         Also appends "<ip>,<name>" to /etc/fail2ban/ip.blacklist unless
#         that exact line is already present.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blacklist; then echo '<ip>,<name>' >> /etc/fail2ban/ip.blacklist; fi

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
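The blacklist mechanism in the action above is easy to get subtly wrong, so here is the same logic as an added example in Python (fail2ban's own language), not code from the original post or from fail2ban. It reimplements what actionban and actionstart do to /etc/fail2ban/ip.blacklist, returns the iptables commands as strings instead of running them so it can be exercised on any machine, and adds two things the page's action lacks: a remove helper, because actionunban never edits the file, so an address unbanned with fail2ban-client comes back at the next restart unless its line is also deleted; and an exact comparison of the jail name, because `grep -e <name>$` is a suffix match that would replay entries of another jail whose name ends in the same string. The jail names, addresses and the temporary file used in `demo()` are constructed for the example.

```python
"""ip.blacklist persistence from the modified iptables-allports action, in Python.

Added example, not part of the original post or of fail2ban. The file format is
the one the action writes: one "<ip>,<name>" line per ban, where <name> is the
name= parameter of the jail's action (e.g. Zimbra-account). iptables commands
are returned as strings rather than executed.
"""
import os
import tempfile


def blacklist_read(path):
    """All non-empty lines, or [] when the file is absent (actionstart's [ -f ] guard)."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip()]


def blacklist_add(path, ip, name):
    """What actionban does: append '<ip>,<name>' unless that exact line already
    exists (the grep -Fxq whole-line check). Returns True when a line was added."""
    entry = f"{ip},{name}"
    if entry in blacklist_read(path):
        return False
    with open(path, "a") as fh:
        fh.write(entry + "\n")
    return True


def blacklist_remove(path, ip, name):
    """Complement the page's action lacks: drop '<ip>,<name>' so an address that
    was unbanned by hand is not re-banned at the next fail2ban restart."""
    entry = f"{ip},{name}"
    entries = blacklist_read(path)
    if entry not in entries:
        return False
    with open(path, "w") as fh:
        fh.writelines(e + "\n" for e in entries if e != entry)
    return True


def restore_commands(path, name):
    """The DROP rules actionstart replays for jail `name` at startup.

    The action uses `grep -e <name>$`, a suffix match: a jail named Zimbra-account
    would also replay entries saved for a jail named Old-Zimbra-account. Comparing
    the whole second field avoids that. Lines without a comma are skipped, which
    is what `cut -s` does.
    """
    cmds = []
    for entry in blacklist_read(path):
        fields = entry.split(",")
        if len(fields) != 2:
            continue
        ip, jail = fields
        if jail == name:
            cmds.append(f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP")
    return cmds


def demo():
    """Run the helpers on a temporary blacklist (constructed data); returns each step's result."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ip.blacklist")
        first = blacklist_add(path, "203.0.113.7", "Zimbra-account")
        dup = blacklist_add(path, "203.0.113.7", "Zimbra-account")   # already present
        blacklist_add(path, "198.51.100.9", "Zimbra-audit")           # another jail
        blacklist_add(path, "192.0.2.44", "Old-Zimbra-account")       # suffix-collision case
        restore = blacklist_restore = restore_commands(path, "Zimbra-account")
        removed = blacklist_remove(path, "203.0.113.7", "Zimbra-account")
        after = restore_commands(path, "Zimbra-account")
    return {"first": first, "dup": dup, "restore": restore, "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows one DROP rule restored for Zimbra-account only (the Zimbra-audit and Old-Zimbra-account entries are left alone), the duplicate add refused, and an empty restore list once the entry has been removed.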

Step 6 – Open this file /etc/fail2ban/jail.conf.

root@mail:/# nano /etc/fail2ban/jail.conf

Step 7 – Add the Zimbra jails at the end of the file. Each action value spans two lines (the iptables ban plus an e-mail notification), so the second line must be indented or fail2ban will not parse it; replace the dest= address with your own. bantime = -1 makes every ban permanent, which is why the action from Step 5 writes the address to ip.blacklist; maxretry is the number of matching log lines from one address before it is banned. Check the Postfix logpath before enabling that jail: fail2ban logs an error and does not start a jail whose log file does not exist, /var/log/maillog is the Red Hat name, Ubuntu's syslog normally writes the mail facility to /var/log/mail.log, and Zimbra's zmsyslogsetup points it at /var/log/zimbra.log.

########################
###Zimbra Mail
#######################
[zimbra-account]

enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-account]
           sendmail[name=Zimbra-account, dest=mslavov@linux-sys-adm.com]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = -1
maxretry = 4

[zimbra-audit]

enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-audit]
           sendmail[name=Zimbra-audit, dest=mslavov@linux-sys-adm.com]
logpath  = /opt/zimbra/log/audit.log
bantime  = -1
maxretry = 2

[postfix]

enabled  = true
filter   = postfix
action   = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
           sendmail-buffered[name=Postfix, dest=mslavov@linux-sys-adm.com]
logpath  = /var/log/maillog
bantime  = -1
maxretry = 5

Step 8 – Create the file in which banned IP addresses are saved. The action from Step 5 reads it at every start and bans those addresses again.

root@mail:/# touch /etc/fail2ban/ip.blacklist

Step 9 – Create the file that will hold the filter rules for Zimbra.

root@mail:/# touch /etc/fail2ban/filter.d/zimbra.conf

Step 10 – Open the file and add the rules below. This filter is for Zimbra 8.x; earlier versions need a different filter, which this page does not include. As in jail.conf, every failregex line after the first must be indented.

# Fail2Ban configuration file
#
# Author: Martin Slavov

[Definition]

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

ignoreregex =
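Before enabling a filter it is worth proving that each pattern matches the line it was written for and extracts the client address rather than the server's. fail2ban's failregex lines are Python regular expressions, so the added example below (mine, not code from the original post, Zimbra or fail2ban) compiles the ten patterns above the way fail2ban 0.8/0.9 does, substituting its <HOST> expression, and runs them over a handful of log lines. The log lines are constructed to resemble mailbox.log entries and one Postfix syslog entry, with addresses from the RFC 5737 documentation ranges; they are not real logs.

```python
"""Offline check of the zimbra.conf failregex set against constructed log lines.

Added example: fail2ban's filters are Python regexes, so the same patterns can be
compiled the way fail2ban 0.8/0.9 compiles them (substituting its <HOST>
expression) to see which lines match and which host each match extracts.
"""
import re

# The expression fail2ban 0.8/0.9 substitutes for <HOST> before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from /etc/fail2ban/filter.d/zimbra.conf above, verbatim.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$",
    r"\[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]


def compile_failregex(patterns=FAILREGEX):
    """Compile each pattern after the <HOST> substitution fail2ban performs."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(line, compiled):
    """Host captured by the first matching failregex, or None.

    fail2ban walks its failregex list in order and stops at the first hit,
    so a line is counted at most once even if several patterns would match.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, compiled=None):
    """Failures per host over a batch of lines: the figure fail2ban compares with maxretry."""
    compiled = compiled or compile_failregex()
    counts = {}
    for line in lines:
        host = match_host(line, compiled)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines (not real logs); addresses are from RFC 5737 ranges.
SAMPLE_LINES = [
    # mailbox.log: unknown account over POP3
    "2015-06-02 10:15:22,101 INFO  [Pop3SSLServer-3] [ip=203.0.113.7;] account - "
    "authentication failed for alice@example.com (no such account)",
    # mailbox.log: wrong password over IMAP, same client
    "2015-06-02 10:15:25,337 INFO  [ImapServer-12] [ip=203.0.113.7;] security - cmd=Auth; "
    "account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;",
    # mailbox.log: wrong password through the web client (SOAP); the client address is in oip=, not ip=
    "2015-06-02 10:16:01,004 INFO  [qtp1234-56:https://mail.example.com/service/soap/AuthRequest] "
    "[name=bob@example.com;oip=198.51.100.9;ua=zclient/8.6.0_GA_1153;] security - cmd=Auth; "
    "account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;",
    # mailbox.log: successful login, must not match anything
    "2015-06-02 10:16:30,777 INFO  [ImapServer-12] [name=alice@example.com;ip=203.0.113.7;] security - cmd=Auth; "
    "account=alice@example.com; protocol=imap;",
    # mailbox.log: account locked out
    "2015-06-02 10:17:02,015 INFO  [Pop3Server-1] [ip=192.0.2.44;] account - "
    "authentication failed for carol@example.com (account lockout)",
    # Postfix syslog line: recipient probing
    "Jun  2 10:18:45 mail postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; "
    "from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<probe>",
]


if __name__ == "__main__":
    compiled = compile_failregex()
    for line in SAMPLE_LINES:
        print(match_host(line, compiled), "<-", line[:70])
    print(count_failures(SAMPLE_LINES, compiled))
```

The successful login yields None and 203.0.113.7 is counted twice (one line per pattern), which is the count that is compared with maxretry = 4 in the zimbra-account jail. On the server itself, `fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf` runs the real filter over the real log and reports how many lines matched, and once the jail is running `fail2ban-client status zimbra-account` lists the addresses currently banned.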

Step 11 – Restart fail2ban so that the new action, jails and filter are loaded.

root@mail:/# service fail2ban restart

Step 12 – Show fail2ban's active rules.

Step 13 – Show the fail2ban tables and real-time status.

If you want to remove IP addresses from the tables or add them by hand, read Theme 3 and Theme 4.


3 thoughts on “How to configure the firewall and fail2ban to prevent brute-force attacks on Zimbra 8.6 on Ubuntu (Server) 14.04 LTS Step-by-Step”

  1. Hello, Martin
    I think the “iptables-allports.conf” file you published is damaged:
    1) missing after fail2ban-
    2) missing after -s
    3) missing after -p
    4) …
    Also leading blanks are missing in the lines
    after actionstart =, actionstop = and so on.

    Publish the correct file please.

    Thanks,
    Eduardas

    • Hi Eduardas,

      Everything works correctly. The config file above is correct.

      How can I help you?

      Best Regards,
      Martin

  2. I can’t write the correct tags here on your site.
    They are deleted (like in your script).
    fail2ban-‘name’
    -s ‘ip’
    -p ‘protocol’

    Eduardas
