Install and Configure Fail2Ban for Zimbra on CentOS 7

Rumi, September 12, 2023

Below is how to install and configure Fail2Ban for Zimbra. In this guide I use CentOS 7; adjust the python-pip package name if you use another OS.

1. Install pip

    yum install python3-pip

2. Install the dependencies required by Fail2Ban

    pip3 install pyinotify
    pip3 install dnspython

3. Download and extract Fail2Ban

    cd /tmp/
    wget -c https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz

4. Install Fail2Ban

    tar -xvf 0.9.4.tar.gz
    cd fail2ban-0.9.4
    python3 setup.py install

5. Copy the Fail2Ban service unit to systemd

    cp files/fail2ban.service /usr/lib/systemd/system/

6. Adjust the binary location in the Fail2Ban service unit

    vi /usr/lib/systemd/system/fail2ban.service

Adjust the following lines. setup.py install puts the binaries under /usr/local/bin, so change /usr/bin to /usr/local/bin:

    ExecStart=/usr/local/bin/fail2ban-client -x start
    ExecStop=/usr/local/bin/fail2ban-client stop
    ExecReload=/usr/local/bin/fail2ban-client reload

Create the fail2ban runtime folder, and tell systemd-tmpfiles to recreate it at boot (/var/run is a tmpfs on CentOS 7, so a plain mkdir does not survive a reboot):

    mkdir /var/run/fail2ban
    vi /usr/lib/tmpfiles.d/var.conf

Add this line at the bottom:

    d /var/run/fail2ban 0755 - - -

Reload systemd:

    systemctl daemon-reload

7. Create the Zimbra jail file

    vi /etc/fail2ban/jail.d/zimbra.local

Fill it with the following lines and save. Each jail bans a source after maxretry (3) failures seen within findtime (3600 seconds, one hour) for bantime (36000 seconds, ten hours); the iptables-multiport action blocks only the listed ports, so a banned address can still reach, for example, IMAP/POP if those are not in the port list.

    [zimbra-submission]
    enabled = true
    filter = zimbra-submission
    logpath = /var/log/zimbra.log
    maxretry = 3
    findtime = 3600
    bantime = 36000
    action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

    [zimbra-webmail]
    enabled = true
    filter = zimbra-webmail
    logpath = /opt/zimbra/log/mailbox.log
    maxretry = 3
    findtime = 3600
    bantime = 36000
    action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

    [zimbra-admin]
    enabled = true
    filter = zimbra-admin
    logpath = /opt/zimbra/log/mailbox.log
    maxretry = 3
    findtime = 3600
    bantime = 36000
    action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]

8. Create the filters

The filter files are downloaded straight into /etc/fail2ban/filter.d, so fetch them over verified TLS (no curl -k, which disables certificate checking) and read them before enabling the jails. The -f flag makes curl fail on an HTTP error instead of writing an error page into the filter file.

– Zimbra Admin

    curl -fsSL https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-admin.conf -o /etc/fail2ban/filter.d/zimbra-admin.conf

– Zimbra Webmail

    curl -fsSL https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-webmail.conf -o /etc/fail2ban/filter.d/zimbra-webmail.conf

– Zimbra SMTP/SMTPS/Submission

    curl -fsSL https://raw.githubusercontent.com/imanudin11/zimbra-fail2ban/master/zimbra-submission.conf -o /etc/fail2ban/filter.d/zimbra-submission.conf

9. Ignore localhost and the Zimbra IP

Find the line "ignoreip =" and add the IP addresses that Fail2Ban must never ban. The original instruction edits /etc/fail2ban/jail.conf; that file is overwritten on upgrade, so put the setting in the [DEFAULT] section of /etc/fail2ban/jail.local instead, where it applies to every jail, including the ones in jail.d/zimbra.local. Separate multiple entries with a comma or a space:

    [DEFAULT]
    ignoreip = 127.0.0.1/8 IP-ADDRESS-OF-ZIMBRA/32 OTHER-IP-ADDRESS/32

10. Enable and restart Fail2Ban

    systemctl enable fail2ban
    systemctl restart fail2ban

Additional configuration:

– The block type Fail2Ban uses by default is "REJECT --reject-with icmp-port-unreachable". If you prefer DROP, open /etc/fail2ban/action.d/iptables-common.conf and change it to:

    blocktype = DROP

11. Logging the originating IP

In a multi-server environment, or any environment running a proxy (including the nginx proxy on a single-server Zimbra install), the mailboxd server may log only the IP of the connecting proxy, so the jails above would count every failure against the proxy's address rather than the attacker's. Zimbra supports X-Originating-IP from nginx or another fronting proxy, but only for proxies listed in zimbraMailTrustedIP; the mailstores then record the originating client IP taken from the HTTP traffic. By default zimbraMailTrustedIP is empty. Run the following command, as the zimbra user, to configure it:

    zmprov mcf +zimbraMailTrustedIP {IP of nginx-1} +zimbraMailTrustedIP {IP of nginx-2}

Example:

    zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP 10.11.12.13

Check the configuration, then restart the mailbox service:

    zmprov gcf zimbraMailTrustedIP
    zmmailboxdctl restart

12. Test the regex

You can test a filter against a live log with fail2ban-regex; it reports how many lines matched and which addresses were extracted, which is the quickest way to confirm that the originating IP from step 11 is actually being captured:

    fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf

My Zimbra server now uses Fail2Ban. To see the IP addresses blocked by Fail2Ban, use fail2ban-client:

    fail2ban-client status

To see the zimbra-webmail jail, run:

    fail2ban-client status zimbra-webmail

    [root@mail ~]# fail2ban-client status zimbra-webmail
    Status for the jail: zimbra-webmail
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     11
    |  `- File list:        /opt/zimbra/log/mailbox.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   123.xx.xx.xx

Source: How to Install and Configure Fail2Ban for Zimbra
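The jail parameters from step 7 (maxretry, findtime, bantime), the ignoreip rule from step 9 and the proxy-versus-originating-IP distinction from step 11 together decide whether a brute-force attempt is ever banned. The Python script below is an added example, not code from this page, from the imanudin11 filters or from Fail2Ban itself: it models one jail over a handful of constructed mailbox.log lines. The log layout and the regex are assumptions modelled on Zimbra's mailbox.log rather than the real zimbra-webmail.conf filter, and the addresses are documentation ranges. It shows the three outcomes a practitioner should expect: a client whose third failure lands inside one hour is banned for ten hours, a client whose failures are spread beyond findtime is not, and a proxy that is not in zimbraMailTrustedIP never produces an oip= field, so its failures are attributed to 127.0.0.1 and silently ignored.

```python
"""Model of one Fail2Ban jail (maxretry/findtime/bantime/ignoreip) run over
constructed Zimbra mailbox.log lines.  Added example: not code from the page,
from fail2ban or from the imanudin11 filters.  The log layout and FAILREGEX
are assumptions modelled on mailbox.log, not the downloaded filter."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed shape: "<ts>,<ms> LEVEL [thread] [k=v;k=v;...] ... authentication failed for [acct]..."
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r".*?\[(?P<ctx>(?:\w+=[^;\]]*;)+)\] "
    r".*authentication failed for \[(?P<acct>[^\]]+)\]"
)
CTX_FIELD = re.compile(r"(\w+)=([^;]*);")


def epoch(ts: str) -> float:
    """'YYYY-MM-DD HH:MM:SS' -> seconds since the epoch (log treated as UTC)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def client_ip(ctx: str) -> Optional[str]:
    """Address the jail should count.  oip= (originating client) is only logged once
    the proxy is in zimbraMailTrustedIP; otherwise ip= is the proxy itself."""
    fields = dict(CTX_FIELD.findall(ctx))
    return fields.get("oip") or fields.get("ip") or None


class Jail:
    def __init__(self, maxretry: int, findtime: int, bantime: int, ignoreip: List[str]):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures: Dict[str, deque] = defaultdict(deque)  # ip -> failure times
        self.bans: Dict[str, float] = {}                        # ip -> ban expiry

    def ignored(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def banned(self, ip: str, now: float) -> bool:
        return self.bans.get(ip, 0.0) > now

    def feed(self, line: str) -> Optional[str]:
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None
        ip = client_ip(m.group("ctx"))
        if ip is None or self.ignored(ip):
            return None
        now = epoch(m.group("ts"))
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.banned(ip, now):
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None


def _fail(ts: str, ctx: str, acct: str) -> str:
    """Build one constructed failed-login line in the assumed format."""
    return (f"{ts},000 INFO  [qtp1-7:https://mail.example.com/service/soap/AuthRequest] "
            f"[{ctx}] SoapEngine - handler exception: authentication failed for [{acct}], invalid password")


ALICE = "name=alice@example.com;ip=127.0.0.1;oip=203.0.113.5;ua=zclient/8.8.15;"
BOB = "name=bob@example.com;ip=127.0.0.1;oip=198.51.100.7;ua=zclient/8.8.15;"
CAROL = "name=carol@example.com;ip=127.0.0.1;ua=zclient/8.8.15;"  # proxy not trusted: no oip=

# Constructed sample log (documentation addresses, not captured from a real server).
SAMPLE_LOG = [
    _fail("2023-09-12 09:00:00", BOB, "bob@example.com"),
    _fail("2023-09-12 09:30:00", CAROL, "carol@example.com"),
    _fail("2023-09-12 10:00:01", ALICE, "alice@example.com"),
    _fail("2023-09-12 10:05:00", ALICE, "alice@example.com"),
    "2023-09-12 10:10:00,000 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] "
    "[name=dave@example.com;ip=127.0.0.1;oip=192.0.2.9;] SoapEngine - (cmd=Auth) login ok",
    _fail("2023-09-12 10:20:00", ALICE, "alice@example.com"),  # third failure inside one hour -> ban
    _fail("2023-09-12 10:30:00", BOB, "bob@example.com"),
    _fail("2023-09-12 10:40:00", CAROL, "carol@example.com"),
    _fail("2023-09-12 11:00:00", BOB, "bob@example.com"),      # 09:00 failure has aged out -> no ban
    _fail("2023-09-12 11:05:00", CAROL, "carol@example.com"),  # counted against 127.0.0.1 -> ignored
]


def run_sample() -> Tuple[Jail, List[str]]:
    """Replay SAMPLE_LOG through a jail configured like zimbra-webmail on the page."""
    jail = Jail(maxretry=3, findtime=3600, bantime=36000,
                ignoreip=["127.0.0.1/8", "10.11.12.13/32"])
    bans = [ip for line in SAMPLE_LOG if (ip := jail.feed(line))]
    return jail, bans


if __name__ == "__main__":
    jail, bans = run_sample()
    print("banned:", bans)
    print("still banned at 15:00:", jail.banned("203.0.113.5", epoch("2023-09-12 15:00:00")))
    print("still banned at 21:00:", jail.banned("203.0.113.5", epoch("2023-09-12 21:00:00")))
    print("pending failures:", {ip: len(q) for ip, q in jail.failures.items()})
```

Carol's three failures never count because, without zimbraMailTrustedIP, the only address on the line is the proxy's 127.0.0.1, which ignoreip excludes; had the proxy not been in ignoreip the jail would instead have banned the proxy and locked every user out. Both failure modes disappear once the oip= field is present, which is exactly what fail2ban-regex in step 12 lets you confirm against the real log.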