I have had troubles with Fail2Ban and was wondering if anyone else has seen this and been able to overcome it.
I have two Fail2ban rules in place for Zimbra, one for SMTP and the other for Webmail. The SMTP rule is working and banning IPs, but the webmail one is not. I can see what I think are matches to the filter in the logs, but they never get banned.
I have the following jail config:
[zimbra-smtp]
enabled = true
filter = zimbra-smtp
port = 25,465,587
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 86400
bantime = 86400
action = route
[zimbra-http]
enabled = true
filter = zimbra-http
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = route
The following filters are in place:
zimbra-smtp:
[Definition]
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: GET / HTTP/1.1$
            postfix\/smtpd\[\d+\]: warning: .*\[<HOST>\]: GET / HTTP/1.1$
ignoreregex =

zimbra-http:
[Definition]
#
failregex = \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$
ignoreregex =
If I use fail2ban-regex, I can see the filter being matched for both smtp and http, but nothing is being banned for http. I have also set the logs to debug and see the following.
For the webmail, it seems to pick up an IP address using the filter, but nothing is banned.
2023-02-21 16:55:52,231 fail2ban.filter [16892]: DEBUG Processing line with time:1676998552.0 and ip:92.40.169.181
For the smtp (which is working), it seems to pick up an IP address using the filter, and it collates this with the number of times it has picked it up previously.
2023-02-21 16:56:41,729 fail2ban.filter [16892]: DEBUG Processing line with time:1676998601.0 and ip:92.40.169.181
2023-02-21 16:56:41,729 fail2ban.filter [16892]: INFO [zimbra-smtp] Found 92.40.169.181 - 2023-02-21 16:56:41
2023-02-21 16:56:41,729 fail2ban.failmanager [16892]: DEBUG Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 92.40.169.181:1
What am I missing?
I have even checked the logs on a service reload, and apart from an extra line in the HTTP initialisation they are identical:
Created <class 'fail2ban.server.action.CommandAction'>
The full log is here:
2023-02-21 17:25:44,532 fail2ban.server [16892]: INFO Reload jail 'zimbra-smtp'
2023-02-21 17:25:44,532 fail2ban.server [16892]: DEBUG failregex: 'postfix\\/submission\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: SASL \\w+ authentication failed: authentication failure$'
2023-02-21 17:25:44,532 fail2ban.server [16892]: DEBUG failregex: 'postfix\\/smtps\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: SASL \\w+ authentication failed: authentication failure$'
2023-02-21 17:25:44,533 fail2ban.server [16892]: DEBUG failregex: 'postfix\\/submission\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: GET / HTTP/1.1$'
2023-02-21 17:25:44,533 fail2ban.server [16892]: DEBUG failregex: 'postfix\\/smtpd\\[\\d+\\]: warning: .*\\[<HOST>\\]: GET / HTTP/1.1$'
2023-02-21 17:25:44,533 fail2ban.filter [16892]: INFO encoding: UTF-8
2023-02-21 17:25:44,533 fail2ban.filter [16892]: INFO maxRetry: 3
2023-02-21 17:25:44,533 fail2ban.filter [16892]: INFO findtime: 86400
2023-02-21 17:25:44,534 fail2ban.actions [16892]: INFO banTime: 86400
2023-02-21 17:25:44,534 fail2ban.filter [16892]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('zimbra-smtp'))
2023-02-21 17:25:44,534 fail2ban.filter [16892]: DEBUG Add '86.24.178.9' to ignore list ('86.24.178.9/32')
2023-02-21 17:25:44,534 fail2ban.CommandAction [16892]: DEBUG Set actionstart = ''
2023-02-21 17:25:44,534 fail2ban.CommandAction [16892]: DEBUG Set actionstop = ''
2023-02-21 17:25:44,534 fail2ban.CommandAction [16892]: DEBUG Set actioncheck = ''
2023-02-21 17:25:44,535 fail2ban.CommandAction [16892]: DEBUG Set actionban = 'ip route add unreachable <ip>'
2023-02-21 17:25:44,535 fail2ban.CommandAction [16892]: DEBUG Set actionunban = 'ip route del unreachable <ip>'
2023-02-21 17:25:44,535 fail2ban.CommandAction [16892]: DEBUG Set actname = 'route'
2023-02-21 17:25:44,535 fail2ban.CommandAction [16892]: DEBUG Set name = 'zimbra-smtp'
2023-02-21 17:25:44,535 fail2ban.CommandAction [16892]: DEBUG Set blocktype = 'unreachable'
2023-02-21 17:25:44,535 fail2ban.server [16892]: INFO Reload jail 'zimbra-http'
2023-02-21 17:25:44,536 fail2ban.server [16892]: DEBUG failregex: '\\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$'
2023-02-21 17:25:44,536 fail2ban.server [16892]: DEBUG failregex: 'INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$'
2023-02-21 17:25:44,536 fail2ban.filter [16892]: INFO encoding: UTF-8
2023-02-21 17:25:44,536 fail2ban.filter [16892]: INFO maxRetry: 3
2023-02-21 17:25:44,536 fail2ban.filter [16892]: INFO findtime: 3600
2023-02-21 17:25:44,536 fail2ban.actions [16892]: INFO banTime: 36000
2023-02-21 17:25:44,537 fail2ban.filter [16892]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('zimbra-http'))
2023-02-21 17:25:44,537 fail2ban.filter [16892]: DEBUG Add '86.24.178.9' to ignore list ('86.24.178.9/32')
2023-02-21 17:25:44,537 fail2ban.CommandAction [16892]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2023-02-21 17:25:44,537 fail2ban.CommandAction [16892]: DEBUG Set actionstart = ''
2023-02-21 17:25:44,537 fail2ban.CommandAction [16892]: DEBUG Set actionstop = ''
2023-02-21 17:25:44,537 fail2ban.CommandAction [16892]: DEBUG Set actioncheck = ''
2023-02-21 17:25:44,538 fail2ban.CommandAction [16892]: DEBUG Set actionban = 'ip route add unreachable <ip>'
2023-02-21 17:25:44,538 fail2ban.CommandAction [16892]: DEBUG Set actionunban = 'ip route del unreachable <ip>'
2023-02-21 17:25:44,538 fail2ban.CommandAction [16892]: DEBUG Set actname = 'route'
2023-02-21 17:25:44,538 fail2ban.CommandAction [16892]: DEBUG Set name = 'zimbra-http'
2023-02-21 17:25:44,538 fail2ban.CommandAction [16892]: DEBUG Set blocktype = 'unreachable'
2023-02-21 17:25:44,538 fail2ban.server [16892]: INFO Jail 'sshd' reloaded
2023-02-21 17:25:44,538 fail2ban.server [16892]: INFO Jail 'zimbra-smtp' reloaded
2023-02-21 17:25:44,539 fail2ban.server [16892]: INFO Jail 'zimbra-http' reloaded
2023-02-21 17:25:44,539 fail2ban.actions [16892]: NOTICE [zimbra-http] Flush ticket(s) with iptables-multiport
2023-02-21 17:25:44,540 fail2ban.actions [16892]: DEBUG Unbanned 0, 0 ticket(s) in 'zimbra-http'
2023-02-21 17:25:44,540 fail2ban.actions [16892]: DEBUG zimbra-http: action route terminated
2023-02-21 17:25:44,540 fail2ban.actions [16892]: DEBUG zimbra-http: action iptables-multiport terminated
2023-02-21 17:25:44,540 fail2ban.server [16892]: INFO Reload finished.
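As an added example (not part of the original post and not Fail2Ban's own code), the following Python harness runs the two zimbra-http failregex lines from the post over constructed mailbox.log-style lines and applies the same findtime/maxretry counting the jail does, so the fate of each line (matched by which regex, matched but outside findtime, or not matched at all) can be inspected offline before trusting a jail. The `<HOST>` expansion is simplified to IPv4 here (Fail2Ban's real expansion also covers IPv6 and hostnames), and the sample lines, their timestamps and the "now" reference time are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Simplified stand-in for Fail2Ban's <HOST> expansion.
# Assumption: IPv4 only; Fail2Ban's own pattern also matches IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines of the zimbra-http filter, copied from the post.
ZIMBRA_HTTP_FAILREGEX = [
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"INFO .*;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password$",
]

# Constructed mailbox.log-style lines (not taken from any real server).
PREFIX = "INFO  [qtp1-42:https://mail.example.test/service/soap/AuthRequest] "
SAMPLE_LINES = [
    # name= comes before oip= : only the second regex can match this one
    "2023-02-21 16:55:52,231 " + PREFIX + "[name=bob@example.test;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [bob@example.test], invalid password",
    # oip= is the first field inside the brackets: the first regex matches
    "2023-02-21 16:56:10,004 " + PREFIX + "[oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [nobody@example.test], account not found",
    # 'account not found' but oip= is not the first field: neither regex matches
    "2023-02-21 16:56:30,500 " + PREFIX + "[name=nobody@example.test;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [nobody@example.test], account not found",
    "2023-02-21 16:57:01,000 " + PREFIX + "[name=alice@example.test;oip=203.0.113.9;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [alice@example.test], invalid password",
    # matches, but is older than findtime relative to NOW, so it is not counted
    "2023-02-21 12:00:00,000 " + PREFIX + "[name=alice@example.test;oip=203.0.113.9;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [alice@example.test], invalid password",
    "2023-02-21 16:57:20,750 " + PREFIX + "[name=bob@example.test;oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [bob@example.test], invalid password",
]


def compile_failregex(patterns):
    """Turn Fail2Ban-style patterns into Python regexes; Fail2Ban searches, it does not anchor at start."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def parse_ts(line):
    """mailbox.log lines start with 'YYYY-MM-DD HH:MM:SS,mmm'; assumption: treat them as UTC."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=timezone.utc).timestamp()


def classify(line, regexes, findtime, now):
    """Mimic the filter stage: which regex hit (first wins) and whether the hit lies inside findtime."""
    for idx, rx in enumerate(regexes):
        m = rx.search(line)
        if m:
            status = "stale" if parse_ts(line) < now - findtime else "found"
            return status, idx, m.group("host")
    return "nomatch", None, None


def scan(lines, patterns, findtime, maxretry, now):
    """Return (per-line classification, failure count per IP, IPs that reached maxretry)."""
    regexes = compile_failregex(patterns)
    results = [classify(line, regexes, findtime, now) for line in lines]
    counts = Counter(host for status, _, host in results if status == "found")
    banned = {ip for ip, n in counts.items() if n >= maxretry}
    return results, counts, banned


def demo():
    """Run the post's zimbra-http settings (findtime 3600, maxretry 3) over the constructed lines."""
    now = parse_ts("2023-02-21 16:58:00,000")  # assumed reference time
    return scan(SAMPLE_LINES, ZIMBRA_HTTP_FAILREGEX, findtime=3600, maxretry=3, now=now)


if __name__ == "__main__":
    results, counts, banned = demo()
    for line, (status, idx, host) in zip(SAMPLE_LINES, results):
        print(f"{status:8} regex={idx} host={host}  {line[:23]}")
    print("failures per IP:", dict(counts))
    print("would be banned:", banned)
```

To run it over a real log, replace `SAMPLE_LINES` with `open("/opt/zimbra/log/mailbox.log").read().splitlines()` and `now` with `time.time()`. The constructed third line illustrates a property of the filter as written: the first regex is anchored on the literal `\[oip=`, so it only fires when `oip` is the first field inside the brackets, whereas the second regex accepts `oip` anywhere after a `;`. Comparing this harness's per-line verdicts with `fail2ban-regex` output on the same log is a quick way to check that what the filter matches and what the jail counts within findtime are the same lines.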