How to configure the firewall and fail2ban to prevent brute-force attacks against Zimbra 8.6 on Ubuntu Server 14.04 LTS, step by step


Fail2ban is an intrusion prevention framework written in the Python programming language. It runs on POSIX systems that have an interface to a locally installed packet-control system or firewall, for example iptables or TCP Wrapper. Fail2ban works by monitoring log files for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts trying to breach the system’s security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. I’ll be logged in as root.
Step 1 – Update repositories.
root@mail:/# apt-get update
root@mail:/# apt-get upgrade
Step 2 – Install fail2ban.
root@mail:/# apt-get install fail2ban
Step 3 – Back up this file.
root@mail:/# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
Step 4 – Open this file /etc/fail2ban/action.d/iptables-allports.conf.
root@mail:/# nano /etc/fail2ban/action.d/iptables-allports.conf
Step 5 – Make banned IP addresses survive a restart. Remove everything from /etc/fail2ban/action.d/iptables-allports.conf and paste in the script below. It is the stock iptables-allports action with two additions: actionban also appends the banned address to /etc/fail2ban/ip.blacklist, and actionstart reads that file back and re-inserts a DROP rule for every address recorded under this jail’s name. Note that actionunban does not remove the entry from ip.blacklist, so an address you unban by hand is banned again at the next restart unless you also delete its line from that file.
# Fail2Ban configuration file
#
# Author: Martin Slavov
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -j fail2ban-<name>
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e '<name>$' | cut -d ',' -s -f 1 | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done; fi

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blacklist; then echo '<ip>,<name>' >> /etc/fail2ban/ip.blacklist; fi

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
Step 6 – Open this file /etc/fail2ban/jail.conf.
root@mail:/# nano /etc/fail2ban/jail.conf
Step 7 – Add the jails for Zimbra at the end of the file. bantime = -1 makes every ban permanent, which is why the blacklist replay from Step 5 matters.
########################
###   Zimbra Mail    ###
########################

[zimbra-account]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-account]
           sendmail[name=Zimbra-account, dest=mslavov@linux-sys-adm.com]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = -1
maxretry = 4

[zimbra-audit]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-audit]
           sendmail[name=Zimbra-audit, dest=mslavov@linux-sys-adm.com]
logpath  = /opt/zimbra/log/audit.log
bantime  = -1
maxretry = 2

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
           sendmail-buffered[name=Postfix, dest=mslavov@linux-sys-adm.com]
logpath  = /var/log/maillog
bantime  = -1
maxretry = 5
Step 8 – Create the file in which the banned IP addresses are saved; after a restart, the action script added in Step 5 reads it and bans them again.
root@mail:/# touch /etc/fail2ban/ip.blacklist
Step 9 – Create the file that will hold the filter rules for Zimbra.
root@mail:/# touch /etc/fail2ban/filter.d/zimbra.conf
Step 10 – Open the file and add the rules below. This filter works for Zimbra 8.x; for earlier versions you have to use a different script.

# Fail2Ban configuration file
#
# Author: Martin Slavov

[Definition]

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

ignoreregex =
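As an added example (not code from this page, and not fail2ban’s own code), the Python script below walks through what the pieces configured in Step 5, Step 7 and Step 10 do, offline: it applies the failregex lines of filter.d/zimbra.conf to a few constructed mailbox.log lines, counts failures per source IP the way the [zimbra-account] jail does with maxretry = 4, and records and replays bans in the same <ip>,<name> lines that the modified iptables-allports.conf writes to /etc/fail2ban/ip.blacklist in actionban and reads back in actionstart. The <HOST> expansion is modelled on fail2ban 0.8 and is an assumption, as is ignoring the findtime window; the function names and the log lines are constructed for the example.

```python
"""Offline walk-through of the fail2ban pieces configured on this page: the zimbra.conf
failregex lines are applied to constructed mailbox.log lines, failures are counted per
source IP as the [zimbra-account] jail does (maxretry = 4), and bans are recorded in and
replayed from the '<ip>,<name>' lines that the modified iptables-allports.conf keeps in
/etc/fail2ban/ip.blacklist.  Added example, not the page's or fail2ban's own code."""
import re
from collections import Counter

# The failregex lines from /etc/fail2ban/filter.d/zimbra.conf above, verbatim.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$",
    r"\[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

# Assumption: fail2ban 0.8 expands the <HOST> tag into roughly this group (an IPv4 address
# or host name, optionally prefixed as an IPv4-mapped IPv6 address).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def failed_host(line):
    """Return the source IP if any failregex matches the log line, else None.
    Like fail2ban, try the expressions in order and take the first match."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def blacklist_add(entries, ip, name):
    """Mirror of the actionban tail: append '<ip>,<name>' unless that exact line
    is already present (the grep -Fxq check)."""
    entry = f"{ip},{name}"
    if entry not in entries:
        entries.append(entry)
    return entries


def blacklist_ips_for(entries, name):
    """Mirror of the actionstart loop: keep the lines ending in this jail's name
    (grep -e '<name>$'), take field 1 of the comma split (cut -d ',' -s -f 1);
    these are the addresses re-inserted as DROP rules after a restart."""
    return [e.split(",", 1)[0] for e in entries if "," in e and e.endswith(name)]


def simulate_jail(log_text, jail_name, maxretry):
    """Count failures per IP and ban an address once it reaches maxretry.
    Assumption: the findtime window (600 s by default) is ignored; all sample
    lines fall within a few seconds of each other anyway."""
    failures = Counter()
    banned, blacklist = [], []
    for line in log_text.splitlines():
        host = failed_host(line)
        if host is None:
            continue
        failures[host] += 1
        if failures[host] >= maxretry and host not in banned:
            banned.append(host)
            blacklist_add(blacklist, host, jail_name)
    return {"failures": dict(failures), "banned": banned, "blacklist": blacklist}


# Constructed sample of /opt/zimbra/log/mailbox.log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
2015-03-10 10:15:01,101 INFO  [qtp-12] [ip=192.0.2.10;] account - authentication failed for admin@example.com (no such account)
2015-03-10 10:15:02,202 INFO  [qtp-13] [ip=192.0.2.10;] security - cmd=Auth; account=bob@example.com; error=authentication failed for bob@example.com, invalid password;
2015-03-10 10:15:03,303 INFO  [qtp-14] [ip=192.0.2.10;] security - cmd=AdminAuth; account=admin@example.com; error=authentication failed for admin@example.com, invalid password;
2015-03-10 10:15:04,404 INFO  [qtp-15] [ip=192.0.2.10;] security - cmd=Auth; account=bob@example.com; error=authentication failed for bob@example.com, account lockout
2015-03-10 10:15:05,505 INFO  [qtp-16] [ip=198.51.100.7;] security - cmd=Auth; account=alice@example.com; error=authentication failed for alice@example.com, invalid password;
2015-03-10 10:15:06,606 INFO  [qtp-17] [name=alice@example.com;ip=198.51.100.7;] security - cmd=Auth; account=alice@example.com; protocol=soap;
"""

if __name__ == "__main__":
    result = simulate_jail(SAMPLE_LOG, "Zimbra-account", maxretry=4)
    print("failures per IP     :", result["failures"])
    print("banned              :", result["banned"])
    print("ip.blacklist lines  :", result["blacklist"])
    print("re-banned on restart:", blacklist_ips_for(result["blacklist"], "Zimbra-account"))
```

Running it shows 192.0.2.10 banned after its fourth failure and that same address coming back out of the blacklist for the Zimbra-account jail, while 198.51.100.7 stays unbanned after a single failure. The last sample line, a request with no failed-authentication text, matches none of the ten expressions; when a jail stays silent on a real server, that kind of mismatch is the first thing to check, and fail2ban ships fail2ban-regex for exactly that purpose (run it with the log file and the filter file as arguments).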
Step 11 – Restart fail2ban so that the new action, jails and filter are loaded.
root@mail:/# service fail2ban restart
Step 12 – Show fail2ban’s active rules.
Step 13 – Show the fail2ban tables and real-time status.