Sapsaner, 2019-01-23 09:48:40
CentOS

Securing Zimbra 8.8.5 with Fail2ban?

Good day to all!
I installed fail2ban on a server running CentOS 7 and configured protection for the ssh and webmin services, but I could not get it to protect Zimbra.
The problem is that the filter does not work. I have reread the entire Internet and there is no working filter, and I cannot figure out myself how to write a regular expression for this log line:
2019-01-23 11:58:37,185 WARN [qtp335471116-3099:https://192.168.1.15:7071/service/admin/soap/AuthR... [ip=192.168.1.129;port=49224;ua=ZimbraWebClient - FF64 (Win);] security - cmd=AdminAuth; account=4353453453453453; error=authentication failed for [4353453453453453];
I log in from my computer, type the server address into the browser, and simulate a failed login with a made-up account and password, but the protection does not kick in; the regular expression does not match.
Does anyone have filters for Zimbra? I would be very grateful for your help!


3 answers
Alexander Whole, 2019-02-10
@xmana

I myself use this:

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

arto, 2019-02-04
@artopp

What filter do you have?

Di ExTreMe, 2020-10-02
@ExTreMeUA

Additional configs
zimbra-admin.conf

[Definition]
#
failregex = INFO .*;ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$
            INFO .*ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$

ignoreregex =

zimbra-webmain.conf (port 7071)
[Definition]
#
failregex = \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$

ignoreregex =

zimbra-submission.conf
[Definition]
#
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$

ignoreregex =
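Before deploying any of the filters in this thread, it is worth checking which pattern fires on which Zimbra audit line. The harness below is an added example, not code from the thread or from fail2ban: it expands `<HOST>` with a simplified stand-in for fail2ban's own expansion (an assumption), runs Alexander's AdminAuth pattern and Di ExTreMe's zimbra-admin.conf patterns, plus one pattern written here for the questioner's `[ip=...;port=...;ua=...;]` layout (where `port=` sits between `ip=` and `ua=`), over constructed sample lines modelled on the log line in the question, and tallies failures per source address the way fail2ban does before comparing against maxretry.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption of this
# example; fail2ban's real expansion also covers IPv6 and hostnames).
HOST_RE = r"(?P<host>[\w\-.]+)"

FAILREGEX = [
    # Alexander's AdminAuth pattern (expects ";ip=HOST;ua=ZimbraWebClient")
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    # Di ExTreMe's zimbra-admin.conf patterns
    r"INFO .*;ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$",
    r"INFO .*ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    # Written for this example: the questioner's "[ip=HOST;port=N;ua=...;]" layout
    r"WARN .*\[ip=<HOST>;port=\d+;ua=.*\] security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]

# Constructed sample lines modelled on the log line in the question.
SAMPLE_LINES = [
    "2019-01-23 11:58:37,185 WARN  [qtp335471116-3099:https://192.168.1.15:7071/service/admin/soap/AuthRequest] [ip=192.168.1.129;port=49224;ua=ZimbraWebClient - FF64 (Win);] security - cmd=AdminAuth; account=admin; error=authentication failed for [admin];",
    "2019-01-23 11:59:02,001 INFO  [qtp335471116-3100:https://192.168.1.15:443/service/soap/AuthRequest] [name=bob;ip=203.0.113.7;ua=zclient/8.8.5;] SoapEngine - handler exception: authentication failed for [bob], invalid password",
    "2019-01-23 11:59:30,414 INFO  [qtp335471116-3101:https://192.168.1.15:443/service/soap/AuthRequest] [ip=203.0.113.7;ua=zclient/8.8.5;] SoapEngine - handler exception: authentication failed for [nobody], account not found",
    "2019-01-23 12:00:00,000 INFO  [qtp335471116-3102:https://192.168.1.15:443/service/soap/AuthRequest] [name=alice;ip=192.168.1.50;] security - cmd=Auth; account=alice; protocol=soap;",
]

def compile_failregex(pattern):
    """Expand <HOST> into a named group, as fail2ban does, and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def match_line(line, patterns=FAILREGEX):
    """Return (pattern index, offending host) for the first failregex that
    matches; None means fail2ban would ignore the line."""
    for idx, pat in enumerate(patterns):
        m = compile_failregex(pat).search(line)
        if m:
            return idx, m.group("host")
    return None

def failures_per_host(lines, patterns=FAILREGEX):
    """Count matched failures per source address: the tally fail2ban
    compares against maxretry before banning."""
    counts = {}
    for line in lines:
        hit = match_line(line, patterns)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LINES))
```

Against a real log the equivalent check is `fail2ban-regex <logfile> <filter.conf>`, which reports how many lines each failregex matched.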
