Implementing Fail2ban with Zimbra

Implementing Fail2ban with Zimbra – Assalamualaikum. Having installed Fail2ban on CentOS/Red Hat, we will now integrate Fail2ban with Zimbra. The goal is the same: to harden Zimbra against the many attacks that arrive from outside, such as brute-force attacks on logins.

For the Fail2ban installation itself, see:

See also: Installing Fail2ban on CentOS and Red Hat

Image: brute-force-attack
Source: https://www.varonis.com/blog/brute-force-attack/

To integrate Fail2ban with Zimbra, create a new file named zimbra.conf in the /etc/fail2ban/filter.d/ directory with the contents below. Fail2ban will check the Zimbra log files against the regular expressions (failregex) defined in this file.

# vim /etc/fail2ban/filter.d/zimbra.conf

# Fail2Ban configuration file

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
  • Next, edit the jail.conf file in the /etc/fail2ban directory to add jails alongside the rules that are already there. Here you can also set the IPs to exclude (ignoreip) and the ban time that applies once an IP is caught by this filter. Adjust these to your own needs; in this implementation I configured a ban time of 156000 seconds.
# vim /etc/fail2ban/jail.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.100.101/32
# "bantime" is the number of seconds that a host is banned.
bantime = 15600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
 
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 3

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
logpath = /opt/zimbra/log/audit.log
maxretry = 3

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
logpath = /var/log/zimbra.log
maxretry = 3

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
logpath = /var/log/zimbra.log
maxretry = 3
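The filter and the jail settings above can be exercised offline before they are deployed. The following script is an added example, not part of the original post and not Fail2ban's own code: it expands the six failregex patterns from zimbra.conf with the <HOST> alias quoted in the filter header, runs them over a few constructed Zimbra mailbox.log and zimbra.log style lines, and applies the jail's maxretry, findtime and ignoreip values the way Fail2ban does. Two simplifications are assumed: each line carries its timestamp as a separate number instead of being parsed for a date (Fail2ban strips the date before matching, so the sample lines omit it), and all lines are counted as one jail, whereas Fail2ban counts failures per jail and per logpath. The log lines, addresses and timestamps are constructed for the demonstration; the regexes and jail parameters are the ones on this page.

```python
import re
import ipaddress
from collections import defaultdict

# Fail2ban's <HOST> alias, exactly as quoted in the filter header on the page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The six failregex lines from filter.d/zimbra.conf; <HOST> is expanded below.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Jail parameters from the jail.conf [DEFAULT] section on the page.
IGNOREIP = ["127.0.0.1/8", "192.168.100.101/32"]
MAXRETRY, FINDTIME = 3, 600

# Constructed sample events as (epoch seconds, log line). Timestamps are supplied
# here for simplicity; Fail2ban parses the date out of each line and strips it,
# so the date prefix is already omitted from these lines.
T = 1_700_000_000
ADMIN = ("WARN  [qtp-4] [name=admin;ip=192.168.100.101;ua=ZimbraWebClient - GC109 (Win);] "
         "security - cmd=AdminAuth; account=admin; error=authentication failed for admin, invalid password;")
SOAP = ("INFO  [qtp-2] [name=alice@example.com;oip=198.51.100.7;ua=zclient/8.8.15;] security - cmd=Auth; "
        "account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;")
IMAP = ("INFO  [qtp-1] [ip=203.0.113.5;] security - cmd=Auth; account=alice@example.com; protocol=imap; "
        "error=authentication failed for alice@example.com, invalid password;")
SAMPLE_EVENTS = [
    (T + 0,   "INFO  [ImapServer-5] [ip=203.0.113.5;] account - authentication failed for bob@example.com (no such account)"),
    (T + 30,  IMAP),
    (T + 60,  IMAP),
    (T + 100, SOAP),
    (T + 200, "INFO  [qtp-3] [oip=198.51.100.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for nobody@example.com, account not found"),
    (T + 900, SOAP),
    (T + 10,  ADMIN), (T + 20, ADMIN), (T + 40, ADMIN),
    (T + 300, "mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<spam@example.net> to=<ghost@example.com> proto=ESMTP helo=<x>"),
    (T + 400, "INFO  [qtp-5] [name=alice@example.com;ip=203.0.113.88;] security - cmd=Auth; account=alice@example.com; protocol=imap;"),
]


def match_host(line):
    """Return the host captured by the first failregex that matches the line, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def evaluate(events, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Replay events in time order; return {host: ban_time} for every host that
    reaches maxretry failures inside a sliding findtime window. Hosts covered by
    ignoreip are never counted, and a host is only banned once per replay."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(list)
    banned = {}
    for ts, line in sorted(events):
        host = match_host(line)
        if host is None or host in banned:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname; Fail2ban would resolve it before comparing
        if addr is not None and any(addr in net for net in ignored):
            continue
        recent = [t for t in failures[host] if ts - t <= findtime]  # drop expired failures
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, ts in evaluate(SAMPLE_EVENTS).items():
        print(f"ban {host} at t+{ts - T}s (bantime counts from here)")
```

Running it bans 203.0.113.5 at its third failure 60 seconds in; 198.51.100.7 is not banned because its third failure lands 700 seconds after the first, outside the 600-second findtime, and 192.168.100.101 is skipped by ignoreip even though it fails three times. For the filter alone, the equivalent check against a real log is `fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf`, which reports how many lines each failregex matched.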
  • Check the Fail2ban configuration we just created with the following command:
# fail2ban-client status
Status
|- Number of jail:      5
`- Jail list:   postfix, ssh-iptables, zimbra-account, zimbra-audit, zimbra-recipient
  • Restart the fail2ban service to load the configuration we just created.
# service fail2ban restart
  • To check whether the fail2ban service is running and its chains are in place, run the following command:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.100.101/24      0.0.0.0/0            tcp dpt:443
f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25
f2b-zimbra-recipient  tcp  --  0.0.0.0/0            0.0.0.0/0           
f2b-zimbra-audit  tcp  --  0.0.0.0/0            0.0.0.0/0           
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
f2b-zimbra-account  tcp  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10050

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-SSH (1 references)
target     prot opt source               destination         
REJECT     all  --  37.187.248.39        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  138.197.162.28       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  61.0.242.100         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  159.65.81.187        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  148.235.57.190       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  141.98.80.31         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  106.12.39.227        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  134.175.181.138      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.220.85.26        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  159.65.155.215       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  120.52.120.166       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  106.12.124.162       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  5.196.68.203         0.0.0.0/0            reject-with icmp-port-unreachable

Chain f2b-postfix (1 references)
target     prot opt source               destination         
REJECT     all  --  186.183.218.139      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  61.173.148.133       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  115.178.220.175      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  140.213.5.187        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.215.201.217      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.215.201.229      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  112.215.171.8        0.0.0.0/0            reject-with icmp-port-unreachable

Chain f2b-zimbra-account (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-zimbra-audit (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-zimbra-recipient (1 references)
target     prot opt source               destination         
REJECT     all  --  54.169.103.234       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0   

As can be seen, many IP addresses have been trying to attack the server via SSH and Postfix (SMTP).
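To turn a listing like the one above into something a monitoring job can act on, here is an added Python example (not from the original post) that parses `iptables -nL` output, reports which hosts each f2b-* chain currently rejects, and flags any f2b chain that exists without a jump from INPUT, since a jail whose chain is never referenced bans nobody. The input is a constructed, abridged copy of the page's own listing.

```python
import re

# Constructed sample: an abridged copy of the `iptables -nL` output shown on the page.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25
f2b-zimbra-recipient  tcp  --  0.0.0.0/0            0.0.0.0/0
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
f2b-zimbra-account  tcp  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  37.187.248.39        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  138.197.162.28       0.0.0.0/0            reject-with icmp-port-unreachable

Chain f2b-postfix (1 references)
target     prot opt source               destination
REJECT     all  --  186.183.218.139      0.0.0.0/0            reject-with icmp-port-unreachable

Chain f2b-zimbra-account (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-zimbra-recipient (1 references)
target     prot opt source               destination
REJECT     all  --  54.169.103.234       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_chains(text):
    """Group the rule lines of `iptables -nL` output by chain name.
    Each rule becomes its whitespace-split field list: target prot opt source destination [extra...]."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line.split())
    return chains


def f2b_bans(text):
    """Map each f2b-* chain to the source addresses it REJECTs, i.e. the hosts banned right now."""
    return {name: [rule[3] for rule in rules if rule[0] == "REJECT"]
            for name, rules in parse_chains(text).items() if name.startswith("f2b-")}


def input_jumps(text):
    """The f2b-* chains that INPUT actually jumps to."""
    return {rule[0] for rule in parse_chains(text).get("INPUT", []) if rule[0].startswith("f2b-")}


def unwired_chains(text):
    """f2b-* chains that exist but are never reached from INPUT; their bans have no effect."""
    return set(f2b_bans(text)) - input_jumps(text)


if __name__ == "__main__":
    for chain, hosts in sorted(f2b_bans(SAMPLE_IPTABLES).items()):
        print(f"{chain}: {len(hosts)} banned {hosts}")
    print("chains without an INPUT jump:", sorted(unwired_chains(SAMPLE_IPTABLES)))
```

Against live output (`iptables -nL | python3 this_script.py` after swapping the constant for `sys.stdin.read()`), the per-chain counts are a cheap health metric for each jail, and a non-empty `unwired_chains` result usually means the fail2ban action failed to insert its rules, for instance after a firewall reload flushed INPUT.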

Hope this is useful & enjoy, wassalamualaikum
