Wednesday, November 22, 2023

Zimbra - DoS attacks, fail2ban and log analysis.

I'd like to share a complete solution for fighting such attacks and anticipating them. I implemented fail2ban and integrated it with Zimbra's built-in DoS filter to stop an attack on a mail server. A client's server was attacked and one email account was compromised. The attackers sent a large volume of email for two days. The server was added to blacklists, and the client received an email from their ISP saying it had complaints from other customers and that the spam coming from the server had to be resolved urgently.

So, here is some advice on how to avoid such a situation and how to protect your server from attacks.

1. You should add trusted IP addresses and subnets to the Zimbra DoS filter:
su - zimbra
zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP local_ip_mailserver +zimbraMailTrustedIP external_ip_mailserver
zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.1.0/24 +zimbraHttpThrottleSafeIPs 192.168.0.0/24 +zimbraHttpThrottleSafeIPs 192.168.3.0/24
To check the current settings, use the commands below:
zmprov gcf zimbraMailTrustedIP
zmprov gcf zimbraHttpThrottleSafeIPs
zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin
zmprov gcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating
2. If you need to stop spam leaving your mail server, enable the setting below. It stops all outgoing email; turn it off again once the issue is fixed. More details on how to use it are in the additional links at the end of the post:
zmprov ms `zmhostname` +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/common/conf/restricted_senders"
3. You should change the administrator passwords. To do that, you need to know how to check who is an admin on the server, how to add a new administrator and how to change a password:
zmprov gaaa
zmprov ma new_admin@mailserver.com zimbraIsAdminAccount TRUE
zmprov sp admin@mailserver.com $newpass$

4. The best tool against such attacks is fail2ban. Set it up as follows:

yum install epel-release -y 
yum install fail2ban -y
chkconfig fail2ban on
touch /var/log/fail2ban.log
service fail2ban start 

Create the configuration files for fail2ban:

cat >/etc/fail2ban/jail.local <<EOF

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts.
# Fail2ban will not ban a host which matches an address in this list.
# Several addresses can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1 
ignoreip = 192.168.0.1/24, 127.0.0.1/8, 192.168.1.10/32, external_ip/32, 192.168.0.0/24

banaction = route
EOF

cat > /etc/fail2ban/jail.d/zimbra.local<<EOF
[zimbra-smtp]
enabled = true
filter = zimbra-smtp
port = 25,465,587
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 86400
bantime = 86400
action = route

[zimbra-web]
enabled = true
filter = zimbra-web
port = 80,443,7071,7073,9071
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 86400
bantime = 86400
action = route
EOF

cat > /etc/fail2ban/filter.d/zimbra-web.conf<<EOF
[Definition]
failregex = .*ip=<HOST>;.*authentication failed for .*$

ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/zimbra-smtp.conf<<EOF

[Definition]
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$

ignoreregex =
EOF

After that, restart fail2ban and check its status.

systemctl restart fail2ban 
systemctl status fail2ban

To check fail2ban, its jails and its logs:

tail -f $(fail2ban-client get logtarget | grep "\`" | awk '{ print $2; }')
fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-web.conf
fail2ban-client status zimbra-smtp
fail2ban-client status zimbra-web
systemctl status fail2ban
ip r | awk '$1=="unreachable" {print $2}' | wc -l
systemctl stop fail2ban
fail2ban-client status

5. Useful commands for checking the logs:

cat /opt/zimbra/log/mailbox.log | grep "authentication failed"
cat /opt/zimbra/log/mailbox.log | grep "suspended, for repeated failed login."
cat /opt/zimbra/log/audit.log | grep 'failed login'
tail -F  /var/log/zimbra.log |  grep 'auth failed: authentication failed for'
cat /opt/zimbra/log/mailbox.log | grep  "HTTP/1.1 503 Service Unavailable"
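As an added illustration (not code from the post), the Python script below applies the two failregex sets from the filter.d files above to constructed sample lines shaped like mailbox.log and zimbra.log entries, counts failures per host against maxretry = 3, and honours a subset of the ignoreip list from jail.local; the IPv4-only stand-in for <HOST>, the addresses and the user names are assumptions. It also shows that a port-25 postfix/smtpd failure is not matched by the zimbra-smtp filter, which only covers the submission and smtps services.

```python
import ipaddress
import re
from collections import Counter
# fail2ban expands <HOST> itself; this IPv4-only stand-in is an assumption of this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex lines from the post's two filter.d files, verbatim.
FILTERS = {
    "zimbra-web": [r".*ip=<HOST>;.*authentication failed for .*$"],
    "zimbra-smtp": [
        r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
        r"postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
    ],
}
IGNOREIP = ["192.168.0.0/24", "127.0.0.1/8", "192.168.1.10/32"]  # subset of the post's ignoreip

def matched_hosts(lines, patterns):
    """One <HOST> per line that matches any failregex, the way fail2ban counts a failure."""
    regexes = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

def is_ignored(host, ignoreip=IGNOREIP):
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def hosts_to_ban(lines, patterns, maxretry=3, ignoreip=IGNOREIP):
    """Hosts with at least maxretry failures and not in ignoreip (findtime windowing is left to fail2ban)."""
    counts = Counter(matched_hosts(lines, patterns))
    return sorted(h for h, n in counts.items() if n >= maxretry and not is_ignored(h, ignoreip))

# Constructed sample lines shaped like mailbox.log and zimbra.log entries (not real captures).
def web_fail(ip, user):
    return (f"2023-11-20 10:15:32,101 INFO [qtp-1:AuthRequest] [name={user};ip={ip};] security - "
            f"cmd=Auth; account={user}; protocol=soap; error=authentication failed for [{user}], invalid password;")
def smtp_fail(ip, prog):
    return f"Nov 20 10:16:01 mail {prog}[4321]: warning: unknown[{ip}]: SASL LOGIN authentication failed: authentication failure"

MAILBOX_LOG = ([web_fail("203.0.113.5", "alice@example.com")] * 3     # reaches maxretry
               + [web_fail("192.168.1.10", "bob@example.com")] * 4    # matches, but covered by ignoreip
               + [web_fail("198.51.100.7", "carol@example.com")] * 2  # below maxretry
               + ["2023-11-20 10:16:00,000 INFO [qtp-1:AuthRequest] [name=alice@example.com;ip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=soap;"])  # success: no match
ZIMBRA_LOG = ([smtp_fail("198.51.100.7", "postfix/submission/smtpd")] * 3
              + [smtp_fail("198.51.100.7", "postfix/smtps/smtpd")]
              + [smtp_fail("192.0.2.9", "postfix/smtpd")])  # port-25 smtpd: the post's filter does not cover it
```

Running hosts_to_ban(MAILBOX_LOG, FILTERS["zimbra-web"]) returns ['203.0.113.5'] and hosts_to_ban(ZIMBRA_LOG, FILTERS["zimbra-smtp"]) returns ['198.51.100.7']; the same check on a real log is what fail2ban-regex does for you.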

PS. Additional links:
https://blog.zimbra.com/2022/08/configuring-fail2ban-on-zimbra/
https://pc-service.cv.ua/pro-nas/bloh/184-nalashtuvannia-fail2ban-na-zimbra-serveri
https://www.vionblog.com/zimbra-network-service-error-occurred/
https://wiki.zimbra.com/wiki/Configure_Fail2Ban_for_Zimbra_Server_with_route_instead_of_iptables_to_block_IPs
https://www.missioncriticalemail.com/2018/10/19/using-zimbras-dosfilter-and-failed-login-lockout-policy-together/
https://wiki.zimbra.com/wiki/DoSFilter
https://computingforgeeks.com/restrict-zimbra-local-domains-from-sending-emails-to-external-domains/
https://wiki.zimbra.com/wiki/Block_user_to_send_email_locally_or_externally

