  #1 (permalink)  
Old 08-21-2007, 08:46 PM
Loyal Member
 
Posts: 96
Default fail2ban rules for Zimbra

I've got a heavy load of people hitting my server trying to get access. I installed fail2ban and I'm trying to figure out where to tell it to look for repeated unauthorized access. I see info about it in my log emails for the admin user but I have no idea where to point fail2ban to monitor to build a block list. I'm not concerned with ports. I only need to know the location of the log file that shows unauthorized access. I thought it was the maillog file in /var/log but that doesn't seem to be right.

Any help is appreciated. If you think deny.hosts works better let me know. My access is only via https.
  #2 (permalink)  
Old 08-24-2007, 09:51 AM
Loyal Member
 
Posts: 96
Default

No one has got anything for me?
  #3 (permalink)  
Old 08-27-2007, 10:34 AM
Former Zimbran
 
Posts: 5,606
Default

/opt/zimbra/log/audit.log will provide you more information on who's trying to get in.

john
  #4 (permalink)  
Old 03-27-2009, 03:55 AM
Intermediate Member
 
Posts: 19
Default

I suggest you switch on the fail2ban postfix filter on /var/log/mail.log, and add the following new filter I created for the Zimbra webmail/admin interface.

/etc/fail2ban/jail.conf
HTML Code:
...
[zimbra-webmail]

enabled = true
port    = http,https
filter  = zimbra-webmail
logpath = /opt/zimbra/log/audit.log
maxretry = 4

/etc/fail2ban/filter.d/zimbra-webmail.conf

HTML Code:
# Fail2Ban configuration file
#
# Author: Giorgio Salluzzo <giorgio.salluzzo@gmail.com>
#

[Definition]

# Option:  failregex
# Notes.:  regex to match PASSWORD FAILED for Zimbra webmail/admin authentication
# Values:  TEXT
#
# FIRST regex for webmail, SECOND for webadmin
#
failregex = ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            WARN  .* \[ip=<HOST>;ua=ZimbraWebClient

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
__________________
Giorgio Salluzzo - Python / Django Developer

Last edited by drizzt; 03-27-2009 at 06:25 AM..
  #5 (permalink)  
Old 06-14-2011, 10:47 AM
New Member
 
Posts: 3
Default Correction

You need to have an action in the jail.conf, or fail2ban won't start. Here is my correction:

Code:
[zimbra-webmail]

enabled = true
port    = http,https
action   = iptables-multiport[name=zimbra, port="http,https", protocol=tcp]
           sendmail-whois[name=Zimbra, dest=you@mail.com]
filter  = zimbra-webmail
logpath = /opt/zimbra/log/audit.log
maxretry = 4
Like the others in jail.conf, replace you@mail.com with your email address.
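As an added example (not code from any poster in this thread), the Python sketch below runs the two `failregex` lines of the zimbra-webmail filter over sample log lines and counts hits toward `maxretry = 4`. The log lines are constructed to fit the regexes rather than taken from a real audit.log, and the IPv4-only `<HOST>` substitution, the function names and the addresses are assumptions; `findtime` is not modelled.

```python
import re
from collections import Counter

# failregex entries copied from the zimbra-webmail filter posted in this thread.
FAILREGEX = [
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; "
    r"error=authentication failed for .* invalid password;$",
    r"WARN  .* \[ip=<HOST>;ua=ZimbraWebClient",
]
MAXRETRY = 4  # maxretry from the [zimbra-webmail] jail

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

def match_line(line):
    """Return (regex_index, ip) for the first failregex that matches, else None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """IPs whose matching-line count reaches maxretry (findtime is ignored here)."""
    hits = Counter(found[1] for found in map(match_line, lines) if found)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

# Constructed audit.log-style lines, shaped to fit the regexes above; they are
# not copied from a real Zimbra log. Addresses are documentation ranges.
PFX = "2009-03-27 03:10:11,123 "
WEBMAIL_FAIL = (PFX + "WARN  [btpool0-5] [name=a@example.com;ip=127.0.0.1;"
                "oip=203.0.113.5;ua=ZimbraWebClient - FF3.0 (Linux);] security - "
                "cmd=Auth; account=a@example.com; protocol=soap; error=authentication "
                "failed for a@example.com, invalid password;")
WEBMAIL_OK = (PFX + "INFO  [btpool0-5] [name=a@example.com;ip=127.0.0.1;"
              "oip=203.0.113.9;ua=ZimbraWebClient - FF3.0 (Linux);] security - "
              "cmd=Auth; account=a@example.com; protocol=soap;")
ADMIN_WARN = (PFX + "WARN  [btpool0-7] [ip=198.51.100.7;ua=ZimbraWebClient - "
              "FF3.0 (Linux);] security - cmd=AdminAuth; error=authentication failed;")
SAMPLE = [WEBMAIL_FAIL] * 4 + [WEBMAIL_OK] * 6 + [ADMIN_WARN] * 3

if __name__ == "__main__":
    for line in (WEBMAIL_FAIL, WEBMAIL_OK, ADMIN_WARN):
        print(match_line(line))
    print(hosts_to_ban(SAMPLE))  # only 203.0.113.5 reaches maxretry
```

The second expression contains no `authentication failed` text, so any `WARN` line of that shape counts toward `maxretry`. Against a live system, `fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra-webmail.conf` performs the same check with fail2ban's own matcher.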
  #6 (permalink)  
Old 05-11-2012, 08:31 PM
New Member
 
Posts: 3
Default

I have:


jail.conf

Quote:
[postfix]

enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/zimbra.log
#/var/log/mail.log /var/log/mail.err /var/log/mail.warn /var/log/mail.info
maxretry = 5
ignoreip =
bantime = 86400
findtime = 1200

filter.d/postfix.conf
Quote:
[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            (.*)\[<HOST>\]: SASL LOGIN authentication failed: authentication failure
            .* Blocked SPAM, \[<HOST>\].*

ignoreregex =
After a few hours, more than 12.000 accounts are dropped