{"id":5082,"date":"2021-02-09T10:51:12","date_gmt":"2021-02-09T13:51:12","guid":{"rendered":"https:\/\/blog.clusterweb.com.br\/?p=5082"},"modified":"2021-02-09T10:51:12","modified_gmt":"2021-02-09T13:51:12","slug":"configure-fail2ban-for-zimbra-server-with-route-instead-of-iptables-to-block-ips","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=5082","title":{"rendered":"Configure Fail2Ban for Zimbra Server with route instead of iptables to block IPs"},"content":{"rendered":"

Overview<\/span><\/h2>\n

Install and configure Fail2Ban to block attacking hosts using a null route or blackhole routes.<\/p>\n

\n
PRO:<\/b><\/dt>\n
– Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).<\/dd>\n
– It’s FAST for very large numbers of blocked ips.<\/dd>\n
– It’s FAST because it Blocks traffic before it enters common iptables chains used for filtering.<\/dd>\n
– It’s per host, ideal as action against ssh password bruteforcing to block further attack attempts.<\/dd>\n
– No additional software required beside iproute\/iproute2<\/dd>\n<\/dl>\n
\n
CON:<\/b><\/dt>\n
– Blocking is per IP and NOT per service, but ideal as action against bruteforcing hosts.<\/dd>\n
<\/dd>\n<\/dl>\n

<\/p>\n

\n

Prerequisite:<\/span><\/h2>\n

It is required the OIP configuration must be done before configuring Fail2Ban service.<\/p>\n

For a Single-Server Setup:<\/b>
\nIf you are running nginx on the same node as the mailstore, you will need to add both 127.0.0.1 and the real IP address of that node:<\/p>\n

su - zimbra \r\nzmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP {IP of Server} \r\nzmcontrol restart \r\n<\/pre>\n
For a Multi-Server Setup:<\/b><\/p>\n
su - zimbra \r\nzmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-1} \r\nzmprov mcf +zimbraHttpThrottleSafeIPs {IP of Mailbox-2} \r\nzmprov mcf +zimbraMailTrustedIP {IP of Proxy-1} \r\nzmprov mcf +zimbraMailTrustedIP {IP of Proxy-2} \r\nzmcontrol restart\r\n<\/pre>\n
\n
Installation and Configuration of Fail2Ban:<\/span><\/h2>\n
1)<\/b>\u00a0Install Fail2Ban Package<\/p>\n
\n
On RHEL\/CentOS 7\/8:<\/b><\/dt>\n<\/dl>\n
yum install epel-release -y  \r\nyum install fail2ban -y\r\n<\/pre>\n
\n
On Ubuntu 16\/18:<\/b><\/dt>\n<\/dl>\n
apt-get clean all\u00a0; apt-get update \r\napt-get install fail2ban -y \r\n<\/pre>\n
2)<\/b>\u00a0Create a file\u00a0“\/etc\/fail2ban\/jail.local”<\/b>\u00a0and it will override the default conf file “\/etc\/fail2ban\/jail.conf”<\/b>.
\nAdd the local IP address of the Zimbra server in\u00a0“ignoreip =”<\/b>. You can also add other IP addresses to ignore from Fail2Ban checking.
\nOn a multi-server setup, add all server’s IP in ignoreip list.<\/p>\n
vim \/etc\/fail2ban\/jail.local \r\n<\/pre>\n
[DEFAULT] \r\n# \"ignoreip\" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list. \r\n# Several addresses can be defined using space (and\/or comma) separator.\r\n#ignoreip = 127.0.0.1\/8\u00a0::1 10.137.26.29\/32\r\nignoreip = 127.0.0.1\/8 \"IP-ADDRESS-OF-ZIMBRA-SERVER\/32\" \r\n\r\nbanaction = route\r\n\r\n# A host is banned if it has generated \"maxretry\" during the last \"findtime\" seconds.\r\n# 10 minute (in seconds)\r\n#findtime  = 600\r\n\r\n# \"bantime\" is the number of seconds that a host is banned.\r\n# 10 hour (in seconds)\r\n#bantime  = 3600\r\n\r\n# \"maxretry\" is the number of failures before a host get banned.\r\n#maxretry = 5\r\n<\/pre>\n\n\n\n\n\n\n\n
ignoreip:<\/b><\/td>\nThis parameter identifies IP address that should be ignored by the banning system. By default, this is just set to ignore traffic coming from the machine itself, which is a pretty good setting to have.<\/td>\n<\/tr>\n
banaction:<\/b><\/td>\nThis sets the action that will be used when the threshold is reached. There is actually the name of a file located in\u00a0\/etc\/fail2ban\/action.d\/<\/b><\/i>\u00a0which calls the configured action using the .conf file.Here we configured\u00a0route<\/b>\u00a0which calls route.conf to handle the routing table manipulation to ban an IP address.<\/td>\n<\/tr>\n
findtime:<\/b><\/td>\nThis parameter sets the window that fail2ban will pay attention to when looking for repeated failed authentication attempts. The default is set to 600 seconds (10 minutes again), which means that the software will count the number of failed attempts in the last 10 minutes.<\/td>\n<\/tr>\n
bantime:<\/b><\/td>\nThis parameter sets the length of a ban, in seconds. The default is 600 seconds, or 10 minutes.<\/td>\n<\/tr>\n
maxretry:<\/b><\/td>\nThis sets the number of failed attempts that will be tolerated within the findtime window before a ban is instituted.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
3)<\/b>\u00a0Create a jail file for Zimbra services.<\/p>\n
vim \/etc\/fail2ban\/jail.d\/zimbra.local\r\n<\/pre>\n
[zimbra-smtp]\r\nenabled = true\r\nfilter = zimbra-smtp\r\nport = 25,465,587\r\nlogpath = \/var\/log\/zimbra.log\r\nmaxretry = 3\r\nfindtime = 600\r\nbantime = 3600\r\n\r\n[zimbra-webmail]\r\nenabled = true\r\nfilter = zimbra-webmail\r\nport = 80,443\r\nlogpath = \/opt\/zimbra\/log\/mailbox.log\r\nmaxretry = 3\r\nfindtime = 600\r\nbantime = 3600\r\n\r\n[zimbra-admin]\r\nenabled = true\r\nfilter = zimbra-admin\r\nport = 7071,9071\r\nlogpath = \/opt\/zimbra\/log\/mailbox.log\r\nmaxretry = 3\r\nfindtime = 600\r\nbantime = 3600\r\n<\/pre>\n
4)<\/b>\u00a0[Optional]<\/b>
\nIf you want to apply Fail2Ban for SSH then create jail file\u00a0sshd.local<\/b><\/i>.
\n(No need to create filter rules for SSH, Fail2ban by default shipped with filter rules for SSH)
\nOn Ubuntu systems, SSH jail is by default enabled within the jail file “\/etc\/fail2ban\/jail.d\/defaults-debian.conf”.<\/p>\n
vim \/etc\/fail2ban\/jail.d\/sshd.local\r\n<\/pre>\n
[sshd]\r\nenabled = true\r\nport = 22\r\nmaxretry = 3\r\nfindtime = 600\r\nbantime = 3600\r\n<\/pre>\n
5)<\/b>\u00a0Create filters for Zimbra services.<\/p>\n
vim \/etc\/fail2ban\/filter.d\/zimbra-webmail.conf \r\n<\/pre>\n
[Definition]\r\n#\r\nfailregex = \\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$\r\n            INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$\r\n\r\nignoreregex =\r\n<\/pre>\n
vim \/etc\/fail2ban\/filter.d\/zimbra-smtp.conf \r\n<\/pre>\n
[Definition]\r\n#\r\nfailregex = postfix\\\/submission\\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: SASL \\w+ authentication failed: authentication failure$\r\n            postfix\\\/smtps\\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: SASL \\w+ authentication failed: authentication failure$\r\n\r\nignoreregex =\r\n<\/pre>\n
vim \/etc\/fail2ban\/filter.d\/zimbra-admin.conf\r\n<\/pre>\n
[Definition]\r\n#\r\nfailregex = INFO .*;ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$\r\n            INFO .*ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$\r\n\r\nignoreregex =\r\n<\/pre>\n
6)<\/b>\u00a0Restart the Fail2ban service and enable it to start after system reboot.<\/p>\n
systemctl restart fail2ban \r\nsystemctl status fail2ban \r\nsystemctl enable fail2ban \r\n<\/pre>\n
7)<\/b>\u00a0Check the status of the Fail2Ban jails.<\/p>\n
fail2ban-client status\r\n<\/pre>\n
The result should be similar to this:
\nExample:<\/b><\/p>\n
[root@centos8 ~]# fail2ban-client status\r\nStatus\r\n|- Number of jail:      4\r\n`- Jail list:   sshd, zimbra-admin, zimbra-smtp, zimbra-webmail\r\n[root@centos8 ~]# \r\n<\/pre>\n
[root@centos8 ~]# fail2ban-client status sshd \r\nStatus for the jail: sshd\r\n|- Filter\r\n|  |- Currently failed: 0\r\n|  |- Total failed:     14\r\n|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd\r\n`- Actions\r\n   |- Currently banned: 1\r\n   |- Total banned:     2\r\n   `- Banned IP list:   10.137.26.29\r\n<\/pre>\n
\n
8)<\/b>\u00a0Check banned IP in routing table.<\/p>\n
ip r\r\n<\/pre>\n
route -n\r\n<\/pre>\n
The result should be similar to this:
\nExample:<\/b><\/p>\n
[root@centos8 ~]# ip r\r\ndefault via 10.0.10.1 dev ens3\r\n10.0.10.0\/24 dev ens3  proto kernel  scope link  src 10.0.10.67\r\nunreachable 10.137.26.29\r\n[root@centos8 ~]# \r\n<\/pre>\n
[root@centos8 ~]# route -n\r\nKernel IP routing table\r\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\r\n0.0.0.0         10.0.10.1       0.0.0.0         UG    0      0        0 ens3\r\n10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 ens3\r\n10.137.26.29 \t-               255.255.255.255\u00a0!H    0      -        0 -\r\n[root@centos8 ~]# \r\n<\/pre>\n
9)<\/b>\u00a0Ban and unban an IP manually.<\/p>\n
\n
Ban an IP address.<\/b><\/dt>\n<\/dl>\n
fail2ban-client set \"Jail-Name\" banip \"IP-Address\"  \r\n<\/pre>\n
Example:<\/b><\/p>\n
fail2ban-client set sshd banip 10.137.26.29  \r\n<\/pre>\n
\n
Unban an IP address.<\/b><\/dt>\n<\/dl>\n
fail2ban-client set \"Jail-Name\" unbanip \"Banned IP-Address\"\r\n<\/pre>\n
Example:<\/b><\/p>\n
[root@centos8 ~]# fail2ban-client set sshd unbanip 10.137.26.29<\/pre>\n","protected":false},"excerpt":{"rendered":"
Overview Install and configure Fail2Ban to block attacking hosts using a null route or blackhole routes. PRO: – Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further). – It’s FAST for very large numbers of blocked ips. – It’s FAST because it Blocks traffic before it enters […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[455,1082,730,1,830,725,42,51,495,68,271,74,548,896],"tags":[1531,292,1523,1306,1530,1335,117,1148,1529,759,921,983,134],"class_list":["post-5082","post","type-post","status-publish","format-standard","hentry","category-apache2","category-centos-7-rhel-7","category-clusterweb","category-viazap","category-debian","category-hospedagem","category-leitura-recomendada","category-linux-linuxrs","category-profissional-de-ti","category-redes-2","category-seguranca-2","category-servidor-de-e-mail","category-ubuntu-2","category-zimbra","tag-block","tag-configure","tag-fail2ban","tag-for","tag-instead","tag-ips","tag-iptables","tag-of","tag-route","tag-server","tag-to","tag-with","tag-zimbra"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5082"}],"version-history":[{"count":1,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5082\/revisions"}],"predecessor-version":[{"id":5083,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5082\/revisions\/5083"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}