
Thread: Securing a zimbra server, fail2ban

  1. #1 batfastad (Elite Member, London, UK, joined Aug 2007)

    Question [SOLVED] Securing a zimbra server, fail2ban

    Hi everyone

    We've been running a very low-traffic Zimbra test installation over our ADSL connection for over a year now with no problems. But I suddenly realised, I don't have fail2ban running on this Zimbra machine to filter any brute-force login attempts made to the Zimbra services.

    What sort of security should we be implementing on an internet-facing Zimbra machine?
    Has anyone got fail2ban running on a Zimbra installation?
    Normally it's very easy to get up and running but with Zimbra the logging formats or locations are very different to that of standard packages that already have fail2ban jail configurations out there.

    Does Zimbra have anything like this built-in?
    Is there any other security software we should look at installing on our Zimbra machine? I was told that keeping it as "pure" as possible would be the best way forward.

    Cheers, B
    Last edited by batfastad; 08-19-2011 at 05:07 AM.
    My Zimbra Bugs Wishlist: 16411, 24567, 35676, 36430, 37770, 41872, 43733, 44384, 46383, 47759
    And a way to associate mailto: handlers with a Zimbra Prism webapp

  2. #2 Krishopper (Dedicated Member, Minneapolis MN, joined Dec 2006)

    Zimbra has the auto-lock feature, which will accomplish this, but on a much broader spectrum. It will lock an account for X number of minutes/hours after Y number of failed password attempts. That way if it is getting brute-forced from multiple IP's, you're still covered. The account will be automatically unlocked after the specified period of time.

    You can find these settings under the Advanced tab of the COS or the Account.
    01 Networks, LLC / Cybernetik.net
    Zimbra NE and OSS Cloud Hosting
    Shared Web Hosting
    Consulting Services

  3. #3 batfastad (Elite Member, London, UK, joined Aug 2007)

    Great!
    And that feature works across all services? So AJAX UI logins, IMAP logins, POP logins etc?

    Cheers, B

  4. #4 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    Quote Originally Posted by batfastad View Post
    Great!
    And that feature works across all services? So AJAX UI logins, IMAP logins, POP logins etc?
    No, that's a web UI feature. I'd also suggest you implement a strong password policy to reduce the likelihood of an attacker getting into an account - see the Admin UI for the tool to set it. Any particular reason you don't have the server behind a firewall or NAT router?
    Regards,
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  5. #5 batfastad (Elite Member, London, UK, joined Aug 2007)

    Ah ok. So people can still attempt brute-forcing over IMAP or POP services.

    This machine is actually behind an IPCop firewall box. But the ports for SMTP, HTTPS, SMTP submit and IMAP are open to the internet.

    Has anyone had any success installing fail2ban or similar on a Zimbra server?

    Cheers, B

  6. #6 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    Quote Originally Posted by batfastad View Post
    Ah ok. So people can still attempt brute-forcing over IMAP or POP services.
    ... that would also include the Zimbra Web service but that's also covered by the strong password for the account.

    Quote Originally Posted by batfastad View Post
    This machine is actually behind an IPCop firewall box. But the ports for SMTP, HTTPS, SMTP submit and IMAP are open to the internet.
    I didn't see you mention that, hence the question.

    Quote Originally Posted by batfastad View Post
    Has anyone had any success installing fail2ban or similar on a Zimbra server?
    I believe there are a couple of threads in the forums on that very topic.
    Regards,
    Bill

  7. #7 Klug (Moderator, Beaucaire, France, joined Mar 2006)

  8. #8 batfastad (Elite Member, London, UK, joined Aug 2007)

    Solved! That's exactly what I wanted. Cheers

  9. #9 bofh (Elite Member, joined May 2010)

    I want to reactivate that discussion because it matches best.

    Well, 1: Phoenix is WRONG - the policy does actually cover any Zimbra service.
    So the policies in the web UI also work with wrong SMTP, POP/IMAP and so on requests (IMAP I'm not so sure about, but definitely SMTP).

    Well, about the rules for fail2ban: as good as it looks, I think we've got an issue here.

    2012-07-12 15:23:38,760 WARN [btpool0-608://myzimbra.example.com:7071/service/admin/soap/] [name=account@mail.com;ip=192.168.1.100;] security - cmd=Auth; account=account@mail.com; protocol=soap; error=authentication failed for [aliasof@mail.com], invalid password;

    This is the line you get if someone tries to brute-force with SMTP, trying to use you as a relay server.

    So since it does look exactly like a regular attempt BUT has the IP of the server itself, you will lock yourself out with those fail2ban rules.

    I was thinking further - there's also another problem then:
    since Zimbra logs everything, there's a high risk fail2ban becomes a higher risk than what it could solve.
    For example:

    A user changes his password in the web UI.
    He forgot to change it on his mobile phone (or ZDesktop or whatever).
    Once he returns to his company and his super-smart phone connects to the WLAN .....

    You see where I'm going? You'll lock out the whole company only because of a changed password.

    The other side of course is that it's not good that accounts get locked out all the time.
    I've got a customer who got locked 4 times in 2 days, which is annoying for him of course.

    I was even thinking about letting the web UI lock it out 2 times and the 3rd time it will be an IP lock for 7 days or so...
    Thing is, it still doesn't cover the Outlook problem.

    Even worse - a lock would look like a server failure and the customer blames you while it's his fault with a new password.

    So you see my dilemma (and even yours, you might just not know it yet).

    Bottom line - we need cruise missiles programmable by IP address to really solve the problem.
    Until then I'm open for ideas.

  10. #10 birdsthewurd (Intermediate Member, joined Apr 2012)

    Does anyone have an update on this? I've been having this same issue for a while and it's becoming a bigger issue, day by day. I understand bofh's concerns with using fail2ban, so how can I get the actual IP address of the attacker, so that I can add it to iptables?

    The SMTP attacks are the ones in question, where it lists your server's IP address in the log, rather than the originating IP.
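As an added example (not code from the thread, from Zimbra, or from fail2ban), a Python sketch of the fail2ban-style filter logic the two posts above are worried about: parse the quoted audit line, count failures per source IP in a time window, and skip any address listed the way fail2ban's `ignoreip` option does, so the SMTP relay-probe case that logs the server's own IP cannot ban the server. The sample log lines are constructed; treating 192.168.1.100 as the server's own address and 203.0.113.7 as an external client are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Matches the failed-auth audit line quoted in the thread; captures the timestamp and ip= field.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ WARN .*?"
    r"\[name=[^;\]]*;ip=(?P<ip>[0-9a-fA-F.:]+);\] security - cmd=Auth;.*?"
    r"error=authentication failed")

def parse_failure(line):
    """Return (timestamp, ip) for a failed-auth audit line, or None for anything else."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offenders(lines, ignoreip, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside a findtime-second window. Anything in an
    ignoreip network (server's own address, loopback) is skipped, like fail2ban's ignoreip."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent, banned = defaultdict(list), set()
    for line in lines:
        if (parsed := parse_failure(line)) is None:
            continue
        ts, ip = parsed
        if any(ip_address(ip) in net for net in ignored):
            continue  # the SMTP relay-probe case logs the server's own IP: never ban it
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample lines modelled on the one quoted in the thread; 192.168.1.100 is
# assumed to be the server's own address, 203.0.113.7 a made-up external client.
def _line(ts, ip, user):
    return (f"{ts} WARN [btpool0-608://myzimbra.example.com:7071/service/admin/soap/] "
            f"[name={user};ip={ip};] security - cmd=Auth; account={user}; protocol=soap; "
            f"error=authentication failed for [{user}], invalid password;")
SAMPLE_LOG = [
    _line("2012-07-12 15:23:38,760", "192.168.1.100", "account@mail.com"),
    _line("2012-07-12 15:23:40,101", "192.168.1.100", "account@mail.com"),
    _line("2012-07-12 15:23:41,552", "192.168.1.100", "account@mail.com"),
    _line("2012-07-12 15:24:02,003", "203.0.113.7", "bob@mail.com"),
    _line("2012-07-12 15:25:10,220", "203.0.113.7", "bob@mail.com"),
    _line("2012-07-12 15:26:55,900", "203.0.113.7", "bob@mail.com"),
]
SERVER_IGNORE = ["127.0.0.0/8", "192.168.1.100"]  # assumed server address plus loopback
```

This sidesteps the self-ban but does not recover the true origin of the SMTP probes, which the quoted audit line simply does not carry.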
