Zimbra + Fail2ban

Irei detalhar, de forma bem prática e funcional, uma configuração pronta para funcionar de imediato: Fail2ban com Zimbra 8.8.x
  • Instale o fail2ban seguindo as instruções da sua distribuição (versão 0.9.6 ou superior)
Após instalado, e sabendo que está iniciando corretamente (por padrão), faça as devidas configurações.

# Keep the distribution defaults as .bkp (fail2ban only loads *.conf and
# *.local from jail.d, so the renamed file is ignored) and write a new
# jail.conf from scratch. NOTE(review): a package upgrade may put a stock
# jail.conf back; the same content in /etc/fail2ban/jail.local overrides
# jail.conf and is never touched by the package.
mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bkp
mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bkp
vim /etc/fail2ban/jail.conf



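# ===============================================================================================================
# Fail2Ban configuration file (jail.conf) for a Zimbra 8.8.x host.
# Read by fail2ban's configparser-based reader: every continuation line of a
# multi-line value (a second action, a second logpath) MUST be indented
# deeper than its key, otherwise it is parsed as a separate key (a line
# containing "=") or rejected as a syntax error (a line without one).
# The stock [INCLUDES] of paths-debian.conf is disabled on purpose: every
# jail below gives its logpath explicitly.

#[INCLUDES]
#before = paths-debian.conf

[DEFAULT]
# Addresses that are never banned. Replace the placeholder with the
# management network(s); with "maxretry = 1" in [sshd] below, a single
# typo from an address that is not listed here locks the admin out for
# the whole bantime.
ignoreip = localhost IP/NOME-DA-REDE
# Ban for 7 days (seconds)
bantime = 604800
# Failures are counted within a 12-hour window (seconds)
findtime = 43200
# At most 10 attempts inside findtime
maxretry = 10
usedns = warn
backend = auto

#logencoding = auto
#enabled = false
#filter = %(__name__)s
mta = sendmail
#protocol = tcp
chain = INPUT
port = 0:65535

# Notification recipient; referenced by the jails as %(destemail)s so it
# only has to be edited here.
destemail = E-MAIL@DOMAIN
sendername = Fail2Ban
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# ===============================================================================================================

[sshd]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, port="22,1804", protocol=tcp]
         sendmail[name=SSH, dest=%(destemail)s]
logpath = /var/log/auth.log
# One failed login is enough to ban for 7 days (overrides maxretry = 10
# above); make sure ignoreip covers every host admins log in from.
maxretry = 1

# Postfix lines in zimbra.log (see filter.d/zimbra-smtp.conf).
[zimbra-smtp]
enabled = true
filter = zimbra-smtp
action = iptables-multiport[name=Zimbra-SMTP, port="25,465,587", protocol=tcp]
         sendmail[name=Zimbra-SMTP, dest=%(destemail)s]
logpath = /var/log/zimbra.log

# NOTE(review): the zimbra-pop/imap/webmail/admin filters take <HOST> from
# the "ip=" field of mailbox.log. When zimbra-proxy fronts mailboxd that
# field holds the proxy's own address (the client appears in "oip=");
# check a real failed-login line before relying on these jails.
[zimbra-pop]
enabled = true
filter = zimbra-pop
action = iptables-multiport[name=Zimbra-POP, port="110,995", protocol=tcp]
         sendmail[name=Zimbra-POP, dest=%(destemail)s]
logpath = /opt/zimbra/log/mailbox.log
          /opt/zimbra/log/audit.log

[zimbra-imap]
enabled = true
filter = zimbra-imap
action = iptables-multiport[name=Zimbra-IMAP, port="143,993", protocol=tcp]
         sendmail[name=Zimbra-IMAP, dest=%(destemail)s]
logpath = /opt/zimbra/log/mailbox.log
          /opt/zimbra/log/audit.log

[zimbra-webmail]
enabled = true
filter = zimbra-webmail
action = iptables-multiport[name=Zimbra-Webmail, port="80,443", protocol=tcp]
         sendmail[name=Zimbra-Webmail, dest=%(destemail)s]
logpath = /opt/zimbra/log/mailbox.log

[zimbra-admin]
enabled = true
filter = zimbra-admin
action = iptables-multiport[name=Zimbra-Admin, port="80,443,7071", protocol=tcp]
         sendmail[name=Zimbra-Admin, dest=%(destemail)s]
logpath = /opt/zimbra/log/mailbox.log
# ===============================================================================================================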

# Filter named by "filter = zimbra-smtp" in the [zimbra-smtp] jail above.
vim /etc/fail2ban/filter.d/zimbra-smtp.conf
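# ===============================================================================================================
# Fail2Ban filter - ZIMBRA-SMTP (postfix lines in /var/log/zimbra.log)
# Continuation lines of failregex must be indented deeper than the key.

[INCLUDES]

before = common.conf

[Definition]

# Process name that common.conf puts into %(__prefix_line)s (the syslog
# prefix up to and including "postfix/smtpd[pid]:").
_daemon = postfix/(submission/)?smtp(d|s)

# Matched, in order: recipient rejected (554), sender without reverse DNS
# (450), HELO host not found (450), VRFY probe (550), command pipelining
# abuse, and SASL authentication failures (the last pattern is not
# anchored on __prefix_line).
# NOTE(review): the two 450 4.7.1 patterns are temporary rejections of
# senders with broken DNS, not authentication attacks; a legitimate MTA
# retrying delivery can reach maxretry = 10 inside findtime and be banned
# for 7 days, so consider dropping them or giving this jail its own
# maxretry.
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$

ignoreregex =
# ===============================================================================================================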

# Filter named by "filter = zimbra-imap" in the [zimbra-imap] jail above.
vim /etc/fail2ban/filter.d/zimbra-imap.conf
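# ===============================================================================================================
# Fail2Ban filter - ZIMBRA-IMAP (Imap handler lines in mailbox.log / audit.log)
# Continuation lines of failregex must be indented deeper than the key.

[Definition]

# Both patterns are anchored with ^ so the engine does not retry from
# every column of a long log line; the original leading .* is kept, so the
# set of matched lines is unchanged. <HOST> is taken from the "ip=" field.
# NOTE(review): behind zimbra-proxy "ip=" is the proxy's address and the
# client is in "oip=" — confirm on a real line and switch to oip=<HOST>
# if that is the case.
failregex = ^.*Imap.*ip=<HOST>;.*error=authentication failed for .*
            ^.*Imap.*ip=<HOST>;.*account - authentication failed for .*

ignoreregex =
# ===============================================================================================================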

# Filter named by "filter = zimbra-pop" in the [zimbra-pop] jail above.
vim /etc/fail2ban/filter.d/zimbra-pop.conf
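# ===============================================================================================================
# Fail2Ban filter - ZIMBRA-POP (Pop handler lines in mailbox.log / audit.log)
# Continuation lines of failregex must be indented deeper than the key.

[Definition]

# Same shape as the IMAP filter with "Pop" as the handler name. Anchored
# with ^ (the original leading .* is kept, so matches are unchanged).
# NOTE(review): behind zimbra-proxy "ip=" is the proxy's address and the
# client is in "oip=" — confirm on a real line before relying on the jail.
failregex = ^.*Pop.*ip=<HOST>;.*error=authentication failed for .*
            ^.*Pop.*ip=<HOST>;.*account - authentication failed for .*

ignoreregex =
# ===============================================================================================================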

# Filter named by "filter = zimbra-webmail" in the [zimbra-webmail] jail above.
vim /etc/fail2ban/filter.d/zimbra-webmail.conf
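# ===============================================================================================================
# Fail2Ban filter - ZIMBRA-WEBMAIL (web client logins in mailbox.log)

[Definition]

# Failed web client logins, identified by "ua=zclient" right after the
# "ip=" field. Anchored with ^; the original leading .* is kept.
# NOTE(review): behind zimbra-proxy "ip=" is the proxy's address and the
# client is in "oip=" — confirm on a real line; the jail bans on 80/443,
# so a wrong address here would cut off every user behind that proxy.
failregex = ^.*ip=<HOST>;ua=zclient.*authentication failed for .*

ignoreregex =
# ===============================================================================================================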

# Filter named by "filter = zimbra-admin" in the [zimbra-admin] jail above.
vim /etc/fail2ban/filter.d/zimbra-admin.conf
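# ===============================================================================================================
# Fail2Ban filter - ZIMBRA-ADMIN (admin console logins in mailbox.log)

[Definition]

# Failed logins whose user agent starts with "ZimbraWebClient". Anchored
# with ^; the original leading .* is kept so matches are unchanged.
# NOTE(review): behind zimbra-proxy "ip=" is the proxy's address and the
# client is in "oip=" — confirm on a real line; this jail bans on
# 80/443/7071, so a wrong address would also take the webmail down.
failregex = ^.*ip=<HOST>;port=.*;ua=ZimbraWebClient .* authentication failed for .*

ignoreregex =
# ===============================================================================================================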

# Replaces the stock sendmail action so notifications go out through
# Zimbra's own sendmail binary. NOTE(review): a package upgrade can put
# the stock file back; the same [Definition] in
# /etc/fail2ban/action.d/sendmail.local would override it instead of
# replacing it.
mv /etc/fail2ban/action.d/sendmail.conf /etc/fail2ban/action.d/sendmail.conf.bkp
vim /etc/fail2ban/action.d/sendmail.conf
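# ===============================================================================================================
# Fail2Ban action - SENDMAIL (e-mail notifications through Zimbra's postfix)
# Each action value is a multi-line shell command; every continuation line
# must be indented deeper than the key or the reader treats it as a new
# key (lines containing "=" or ":") or as a syntax error. "%%" is a literal
# percent for configparser; <name>, <ip>, <failures>, <dest> are filled in
# by fail2ban, <sender> and <sendername> presumably come from
# sendmail-common.conf (included below).

[INCLUDES]

before = sendmail-common.conf

[Definition]

# Sent once when the jail starts.
actionstart = printf %%b "Subject: [Fail2Ban] <name>: iniciou em `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Olá,\n
              O jail <name> foi iniciado com sucesso.\n
              Saudações,\n
              Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>

# Sent once when the jail stops.
actionstop = printf %%b "Subject: [Fail2Ban] <name>: parou em `uname -n`
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Olá,\n
             O jail <name> foi parado.\n
             Saudações,\n
             Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>

# No sanity check before each ban/unban.
actioncheck =

# Sent for every ban, with the attempt count that triggered it.
actionban = printf %%b "Subject: [Fail2Ban] <name>: banido <ip> de `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Olá,\n
            O IP <ip> acaba de ser banido por Fail2Ban depois de
            <failures> tentativas contra <name>.\n
            Saudações,\n
            Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>

# Sent for every unban (bantime expiry or manual unban).
actionunban = printf %%b "Subject: [Fail2Ban] <name>: desbanido <ip> de `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Olá,\n
              O IP <ip> acaba de ser desbanido contra <name>.\n
              Saudações,\n
              Fail2Ban" | /opt/zimbra/common/sbin/sendmail -f <sender> <dest>

[Init]

# Default jail name shown in the subject when the jail passes none.
name = default
# ===============================================================================================================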

# Restart, list the active jails and follow the log. Before relying on a
# jail, check its filter against real log lines with
#   fail2ban-regex <logfile> /etc/fail2ban/filter.d/<filter>.conf
# and use "fail2ban-client status <jail>" for per-jail match/ban counters.
service fail2ban restart ; fail2ban-client status ; tail -f /var/log/fail2ban.log