Securing a zimbra server, fail2ban

[batfastad]

Hi everyone

We've been running a very low-traffic Zimbra test installation over our ADSL connection for over a year now with no problems. But I suddenly realised, I don't have fail2ban running on this Zimbra machine to filter any brute-force login attempts made to the Zimbra services.

What sort of security should we be implementing on an internet-facing Zimbra machine?
Has anyone got fail2ban running on a Zimbra installation?
Normally it's very easy to get up and running but with Zimbra the logging formats or locations are very different to that of standard packages that already have fail2ban jail configurations out there.

Does Zimbra have anything like this built-in?
Is there any other security software we should look at installing on our Zimbra machine? I was told that keeping it as "pure" as possible would be the best way forward.

Cheers, B

[Krishopper]

Zimbra has the auto-lock feature, which will accomplish this, but on a much broader spectrum. It will lock an account for X number of minutes/hours after Y number of failed password attempts. That way if it is getting brute-forced from multiple IP's, you're still covered. The account will be automatically unlocked after the specified period of time.

You can find these settings under the Advanced tab of the COS or the Account.

[batfastad]

Great!
And that feature works across all services? So AJAX UI logins, IMAP logins, POP logins etc?

Cheers, B

[phoenix]

Great!
And that feature works across all services? So AJAX UI logins, IMAP logins, POP logins etc?

No, that's a web ui feature. I'd also suggest you implement a strong password policy reduce the likelihood of an attacker getting into an account - see the Admin UI for the tool to set it. Any particular reason you don't have the server behind a firewall of NAT router?

[batfastad]

Ah ok. So people can still attempt brute-forcing over IMAP or POP services.

This machine is actually behind an IPCop firewall box. But the ports for SMTP, HTTPS, SMTP submit and IMAP are open to the internet.

Has anyone had any success installing fail2ban or similar on a Zimbra server?

Cheers, B

[phoenix]

Ah ok. So people can still attempt brute-forcing over IMAP or POP services.

... that would also include the Zimbra Web service but that's also covered by the strong password for the account.

This machine is actually behind an IPCop firewall box. But the ports for SMTP, HTTPS, SMTP submit and IMAP are open to the internet.

I didn't see you mention that, hence the question.

Has anyone had any success installing fail2ban or similar on a Zimbra server?

I believe there are a couple of threads in the forums on that very topic.

[Klug]

I used this one : Succesfull hacking attempts on Zimbra mailboxes (webmail)

[batfastad]

Solved! That's exactly what I wanted. Cheers

[bofh]

i want to reactivate that discussion cause it matches best.


Well 1 Phoenix is WRONG - the policy does actually cover any zimbra service.
so the polices in the webui also works with wrong smtp, pop /impa and so on requests (imap im not so shure but defently SMTP

well about the Rules for fail2ban as good as it looks like i think we got an issue here


2012-07-12 15:23:38,760 WARN [btpool0-608://myzimbra.example.com:7071/service/admin/soap/] [name=account@mail.com;ip=192.168.1.100;] security - cmd=Auth; account=account@mail.com; protocol=soap; error=authentication failed for [aliasof@mail.com], invalid password;


this is the line you get if someone try to bruteforce with smtp , trying to use you as a relay server.

so since it does look exactly like a regular attemp BUT had the IP of the server itself you will locked yourself with those fail2ban rules.


i was thinking further - theres also nother problem then -
since zimbra logs everything theres a high risk fail2ban becomes a higher risk than it could solve
for example

user change his pass in the webui
he forgot to change it in his mobilephone (or zdesktop or whatever)
once he returns in his company and his supersmart phones connectes to wlan .....

you see where iam going too ?? youll lock out the hole company only because of an changed password



the other side of course is thats not good accounts get locked out all the time.
i got a customer how got locked 4 times in 2 days which is anoying for him of course

i was even thinking about let the webui lock it out 2 times and the 3rd time it will be ip lock for 7 days or so...
thing is it still doenst cover the outlook problem

even worse - a lock would look like a server failure and customer blame you while its his fault with a new password


so you see my dillemma (and even yours you might just dont know it yet)

bottom line - we need cruise missles programable by ip adress to really solve the problem
until then iam open for ideas