http://linux-sys-adm.com/how-to-configure-firewall-and-fail2ban-for-prevent-brute-force-attack-zimbra-8.6-on-ubuntu-server-14.04-lts-step-by-step/
How to configure firewall and fail2ban to prevent brute force attacks on Zimbra 8.6 on Ubuntu (Server) 14.04 LTS, Step-by-Step
Fail2ban is an intrusion prevention framework written in the Python programming language. It runs on POSIX systems that have a locally installed packet-control system or firewall with an interface it can drive, for example iptables or TCP Wrapper. Fail2ban works by monitoring log files for selected entries and running scripts based on them. Most commonly this is used to block IP addresses of hosts that appear to be trying to breach the system's security: it can ban any host IP that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator. I'll be logged in as root throughout.
Step 1 - Update repositories.
root@mail:/# apt-get update
root@mail:/# apt-get upgrade
Step 2 - Install fail2ban.
root@mail:/# apt-get install fail2ban
Step 3 - Back up this file.
root@mail:/# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup
Step 4 - Open the file /etc/fail2ban/action.d/iptables-allports.conf.
root@mail:/# nano /etc/fail2ban/action.d/iptables-allports.conf
Step 5 - Make banned IP addresses survive a restart. Remove everything from /etc/fail2ban/action.d/iptables-allports.conf and paste in the following action script instead; it records each ban in /etc/fail2ban/ip.blacklist and re-applies the recorded bans every time the action starts.
# Fail2Ban configuration file
#
# Author: Martin Slavov
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -j fail2ban-<name>
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e <name>$ | cut -d , -s -f 1 | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done; fi
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            if ! grep -Fxq <ip>,<name> /etc/fail2ban/ip.blacklist; then echo <ip>,<name> >> /etc/fail2ban/ip.blacklist; fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Default name of the chain
#
name = default
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
Step 6 - Open the file /etc/fail2ban/jail.conf.
root@mail:/# nano /etc/fail2ban/jail.conf
Step 7 - Add the jails for Zimbra at the end of the file.
########################
###Zimbra Mail
#######################
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
         sendmail[name=Zimbra-account, dest=root@localhost]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 4
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
         sendmail[name=Zimbra-audit, dest=root@localhost]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=root@localhost]
logpath = /var/log/maillog
bantime = -1
maxretry = 5
Step 8 - Create the file in which the banned IP addresses are saved; after a restart, the action script added in Step 5 reads it and bans those addresses again.
root@mail:/# touch /etc/fail2ban/ip.blacklist
Step 9 - Create the file in which the filter rules for Zimbra are saved.
root@mail:/# touch /etc/fail2ban/filter.d/zimbra.conf
Step 10 - Open the file and include the rules. This filter works for Zimbra 8.X; for earlier versions you have to use this script.
# Fail2Ban configuration file
#
# Author: Martin Slavov
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
ignoreregex =
Step 11 - Restart fail2ban so the new action, jails and filter are loaded.
root@mail:/# service fail2ban restart
Step 12 - Show the active fail2ban iptables rules.
Step 13 - Show the fail2ban jail tables and real-time status.
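To check the Zimbra filter from Step 10 before restarting fail2ban, here is an added Python script (not from the original page and not part of fail2ban) that expands the <HOST> tag the way fail2ban 0.8 does and runs the failregex lines over constructed Zimbra mailbox.log and Postfix lines; the sample lines and the simplified maxretry count (no findtime window) are assumptions.

```python
import re
from collections import Counter
# The page's failregex lines in fail2ban filter syntax; <HOST> is fail2ban's host tag.
ZIMBRA_FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$",
    r"\[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

# fail2ban 0.8's expansion of <HOST>: optional IPv4-mapped prefix, then a named group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]

def match_failures(log_lines, compiled):
    """Host from every line matching a failregex (first pattern wins), approximating
    fail2ban's unanchored search over the logpath."""
    hits = []
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line.rstrip("\n"))
            if m:
                hits.append(m.group("host"))
                break
    return hits

def hosts_over_maxretry(hits, maxretry):
    """Hosts fail2ban would ban: at least maxretry matches (findtime is ignored here)."""
    return sorted(h for h, n in Counter(hits).items() if n >= maxretry)

# Constructed sample lines in Zimbra mailbox.log and Postfix log format (not real traffic).
SAMPLE_LOG = [
    "2015-06-10 14:23:01,123 INFO  [ImapServer-5] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for alice@example.com, invalid password;",
    "2015-06-10 14:23:09,456 INFO  [Pop3Server-2] [ip=203.0.113.7;] account - authentication failed for mallory@example.com (no such account)",
    "2015-06-10 14:24:11,789 INFO  [qtp-8:https://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;ip=198.51.100.23;ua=zclient/8.6.0_GA_1153;] SoapEngine - handler exception: authentication failed for [bob@example.com], account not found",
    "2015-06-10 14:26:02,001 INFO  [ImapServer-6] [name=alice@example.com;ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap;",
    "Jun 10 14:25:33 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<spam@example.net> to=<nobody@example.com> proto=ESMTP helo=<x>",
]

if __name__ == "__main__":
    hits = match_failures(SAMPLE_LOG, compile_failregex(ZIMBRA_FAILREGEX))
    print(hits, hosts_over_maxretry(hits, 2))
```

The successful-login line yields no hit, and only 203.0.113.7 reaches the zimbra-audit jail's maxretry of 2; fail2ban's own fail2ban-regex tool performs the same check against a real log file.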