[Users] Having some `brute` force log-in attempts on Zimbra
Lorenzo Milesi
maxxer at yetopen.it
Mon Nov 27 15:47:00 CET 2017
> Yes, a community-vetted fail2ban setup for Zimbra would be a wonderful addition!
We use this. I had taken it from some website but I didn't take note of it.
In jail.local:

[zimbra-account]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=zimbra-account]
#          sendmail[name=zimbra-account, dest=you at domain.net]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = 600
maxretry = 4

[zimbra-audit]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=zimbra-audit]
#          sendmail[name=Zimbra-audit, dest=you at domain.net]
logpath  = /opt/zimbra/log/audit.log
bantime  = 600
maxretry = 5
And /etc/fail2ban/filter.d/zimbra.conf contains:
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
#           NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#           .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
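An offline check of the filter above, added here as an example that is not from the post, from Zimbra or from fail2ban itself: it expands fail2ban's <HOST> alias into the six active failregex lines, runs them over constructed sample lines in the shape of mailbox.log and audit.log, and reports which source addresses would reach each jail's maxretry (findtime is not modelled, so it counts over the whole sample).

```python
import re
from collections import Counter

# fail2ban's <HOST> alias, as quoted in the filter header; "host" is the named group
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The six active failregex lines from the zimbra.conf filter above
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_host(line):
    """Return the source host of a failed login line, or None if no failregex matches."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def failures_per_host(lines):
    """Count matching lines per host; like fail2ban, a line scores at most one hit."""
    return Counter(h for h in map(match_host, lines) if h)

def would_ban(lines, maxretry):
    """Hosts whose hit count reaches the jail's maxretry (no findtime window here)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

# Constructed sample lines (not real logs) in the shape of mailbox.log and audit.log
SAMPLE_LOG = """\
2017-11-27 15:40:01,123 INFO  [Pop3Server-2] [ip=198.51.100.7;] account - authentication failed for nobody@example.com (no such account)
2017-11-27 15:40:05,456 INFO  [ImapServer-3] [ip=198.51.100.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for bob@example.com, invalid password;
2017-11-27 15:40:09,789 INFO  [qtp-12:https://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.7;ua=zclient/8.7.11;] SoapEngine - handler exception: authentication failed for [bob@example.com], invalid password
2017-11-27 15:40:12,000 INFO  [ImapServer-3] [ip=198.51.100.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for bob@example.com, invalid password;
2017-11-27 15:40:20,000 INFO  [ImapServer-1] [name=alice@example.com;ip=192.0.2.9;] security - cmd=Auth; account=alice@example.com; protocol=imap;
2017-11-27 15:40:25,000 INFO  [ImapServer-1] [ip=203.0.113.5;] security - cmd=Auth; account=carol@example.com; protocol=imap; error=authentication failed for carol@example.com, invalid password;
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failures_per_host(lines))                  # Counter({'198.51.100.7': 4, '203.0.113.5': 1})
    print(would_ban(lines, 4), would_ban(lines, 5))  # ['198.51.100.7'] []
```

The successful login for alice on the fifth line matches none of the expressions, which is the check worth repeating whenever a new failregex line is added.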