Normally, putting a mail server out on the big network of networks and hoping nobody attacks it is like putting a sugar cube in front of an anthill and hoping the ants ignore it.
Right now we have a server running Zimbra.
The log this little guy writes is brutal. Impossible to follow with tail -f /var/log/zimbra.log.
In my case I set up fail2ban (apt-get install fail2ban) with postfix-oriented rules to take the edge off the script kiddies, hackers and so on.
For example these, which filter failed connection attempts by denying the IP for 24 hours (mine is excessive; try 10 minutes first, you don't want to block legitimate users who mistype their password... at least not for long).
server:/# cat /etc/fail2ban/filter.d/postfix.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
The rules are in place. Now let's test them.
server:/# fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use log file   : /var/log/zimbra.log

Results
=======

Failregex
|- Regular expressions:
|  [1] reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|  [2] reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|  [3] reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
`- Number of matches:
   [1] 7242 match(es)
   [2] 0 match(es)
   [3] 380 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    24.244.172.17 (Sun Aug 22 06:25:20 2010)
    94.217.138.77 (Sun Aug 22 06:25:20 2010)
    [...] many IPs [...]
    84.229.123.248 (Sun Aug 22 08:05:51 2010)
    84.229.123.248 (Sun Aug 22 08:05:51 2010)

Date template hits:
113840 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 7565

However, look at the above section 'Running tests' which could contain important
information.
Holy crap... 7,500 connection attempts would have been blocked, saving resources and bandwidth.
All that's left is to enable it in /etc/fail2ban/jail.conf, reload the fail2ban rules and enjoy.
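To see what the filter above actually does to a log line, here is a small Python re-implementation of the fail2ban-regex check, added here as an example and not part of the original post or of fail2ban itself. The zimbra.log lines are constructed, and the maxretry threshold is an assumption, since the post does not show the jail settings.

```python
import re
from collections import Counter

# fail2ban expands <HOST> into this named group (quoted in the filter's header comment).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex lines from the postfix.conf filter shown in the post.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]

# Constructed sample in the shape of postfix/smtpd entries in zimbra.log; hosts,
# queue id and addresses are made up, and 192.0.2.55 is a legitimate client.
SAMPLE_LOG = """\
Aug 22 06:25:20 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <a@example.com>: Recipient address rejected: User unknown in relay recipient table
Aug 22 06:25:21 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <b@example.com>: Recipient address rejected: User unknown in relay recipient table
Aug 22 06:25:22 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.9]: 554 5.7.1 <spam@example.net>: Sender address rejected: Access denied
Aug 22 06:25:23 mail postfix/smtpd[1236]: 3A1B2C3D4E: client=laptop.example.com[192.0.2.55]
Aug 22 06:25:24 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <c@example.com>: Recipient address rejected: User unknown in relay recipient table
"""

def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def scan(log_text, patterns=FAILREGEX):
    """Per-regex match counts plus a Counter of offending hosts, as fail2ban-regex reports.
    A line is credited to the first failregex that matches, so the counts sum to matching lines."""
    compiled = compile_failregex(patterns)
    counts = [0] * len(compiled)
    hosts = Counter()
    for line in log_text.splitlines():
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                counts[i] += 1
                hosts[m.group("host")] += 1
                break
    return counts, hosts

def hosts_to_ban(hosts, maxretry=3):
    """Hosts at or above the jail's maxretry (assumed value; findtime is not modelled)."""
    return sorted(h for h, n in hosts.items() if n >= maxretry)

if __name__ == "__main__":
    counts, hosts = scan(SAMPLE_LOG)
    print(counts, hosts_to_ban(hosts))
```

Lowering maxretry shows why the post warns about legitimate users: with maxretry=1 a single rejected recipient is enough to get a host banned.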