Securing Zimbra 8.8.5 with Fail2ban?
Good day to all!
I installed fail2ban on a server running CentOS 7 and configured protection for the ssh and webmin services, but I couldn't get it to protect Zimbra.
The problem is that the filter does not work. I have searched the entire Internet and there is no working filter, and I can't figure out myself how to write a regular expression for this log line:
2019-01-23 11:58:37,185 WARN [qtp335471116-3099: https: https:/ /192.168.1.15:7071/service/admin/soap/AuthR... [ip=192.168.1.129;port=49224;ua=ZimbraWebClient - FF64 (Win);] security - cmd=AdminAuth; account=4353453453453453; error=authentication failed for [4353453453453453];
I log in from my computer, type the server address in the browser, simulate an erroneous login using a fictitious account and password, but the protection does not work, the regular expression does not work.
Does anyone have filters for Zimbra? I would be very grateful for your help!
I myself use this:
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
Additional configs
zimbra-admin.conf
[Definition]
#
failregex = INFO .*;ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$
            INFO .*ip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
ignoreregex =
[Definition]
#
failregex = \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$
ignoreregex =
[Definition]
#
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
ignoreregex =
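An added example (not part of either post, and not fail2ban's or Zimbra's own code) that checks a failregex against the log line from the question outside fail2ban, by substituting a stand-in for the `<HOST>` tag and running the pattern with Python's `re`. The IPv4-only `HOST` stand-in, the `CANDIDATE_ADMINAUTH` pattern and the second sample line are assumptions constructed here; the first sample line and the `ANSWER_ADMINAUTH` pattern are copied from the page.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only). This is an
# assumption of the example; the real expansion also covers IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# AdminAuth pattern from the answer above, unchanged.
ANSWER_ADMINAUTH = (r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - "
                    r"cmd=AdminAuth; .* error=authentication failed for .*;$")

# Hypothetical variant for the question's layout: the context block may open
# with "[ip=" and may carry other fields (port=...) before the closing "]".
CANDIDATE_ADMINAUTH = (r"\[(?:[^\]]*;)?ip=<HOST>;[^\]]*\] security - "
                       r"cmd=AdminAuth; .*error=authentication failed for .*;$")

# Line 1: the log entry quoted in the question, exactly as it appears on the page.
# Line 2: constructed successful admin login, which must not produce a ban.
SAMPLE_LINES = [
    "2019-01-23 11:58:37,185 WARN [qtp335471116-3099: https: https:/ /192.168.1.15:7071/service/admin/soap/AuthR... [ip=192.168.1.129;port=49224;ua=ZimbraWebClient - FF64 (Win);] security - cmd=AdminAuth; account=4353453453453453; error=authentication failed for [4353453453453453];",
    "2019-01-23 12:01:02,004 INFO [qtp335471116-3100] [name=admin@example.test;ip=192.168.1.129;port=49230;ua=ZimbraWebClient - FF64 (Win);] security - cmd=AdminAuth; account=admin@example.test;",
]


def matched_host(failregex, line):
    """Return the address this failregex would capture for the line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def report(lines=SAMPLE_LINES):
    """Map each pattern name to the hosts it captures, one entry per line."""
    patterns = {"answer": ANSWER_ADMINAUTH, "candidate": CANDIDATE_ADMINAUTH}
    return {name: [matched_host(rx, ln) for ln in lines]
            for name, rx in patterns.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(name, hosts)
```

On the server itself, running `fail2ban-regex` with the real log file and the filter file gives the authoritative result, since it applies fail2ban's full `<HOST>` expansion and timestamp handling.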