Page 1 of 2 (results 1 to 10 of 11)

Thread: Z-Push Fail2Ban

  #1 Junior Member (joined Mar 2016, 18 posts)

    Z-Push Fail2Ban

    I would like to use fail2ban to blacklist would-be attackers. Is it possible, and does anyone have a config for it?

    Thanks in advance

    BobS

  #2 Senior Member (joined Jan 2008, 400 posts)
    You can use something like:

    failregex = \[.*\] Failed to login from <HOST> with invalid username \".*\" or wrong password. Error: 0x80040111

    for zarafa-gateway.

  #3 Senior Member (joined Nov 2012, Minneapolis MN, USA, 106 posts)
    We made a small change to the login code for z-push and webapp to log into 'secure', and we use the following expression:

    failregex = Login failed from\[<HOST>\] user(.*)


    This has worked great for us, although I'd like to eliminate the code mod every release.

  #4 Senior Member (joined Sep 2007, aka SebastianBrasil, 1,467 posts)
    Z-Push has a config option to enable special logging for failed authentication.
    Enable 'LOGAUTHFAIL' by setting it to "true" (without ").

    This will cause an additional log line at WARN level:
    IP: 123.123.123.123 failed to authenticate user '[email protected]'

    So you can monitor the z-push-error.log only with fail2ban.

    I also created a wiki page: https://wiki.z-hub.io/display/ZP/Fail2Ban+support

    When you get it working, I (and others) would be very grateful if you could contribute the fail2ban configuration on the wiki page (create an account on https://jira.z-hub.io/secure/Signup!default.jspa and just edit the page). Thank you!

    Cheers,
    Sebastian

  #5 Junior Member (joined Mar 2016, 18 posts)
    We're not getting the IP address when I enable that option. Any ideas?
    [ 1939] [ERROR] [MyUsername] ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111

    ---------- Post added ----------

    Oh, I got it! It's in the z-push.log! Now, if I can get fail2ban to read the log, I'll be good to go.

  #6 Senior Member (joined Apr 2014, 186 posts)
    Sebastian said "So you can monitor the z-push-error.log only with fail2ban." which might be a lot smaller and easier to monitor than the z-push log.

  #7 Junior Member (joined Mar 2016, 18 posts)
    I don't understand. Why would I monitor the z-push-error.log file? It does not contain the IP address information. The z-push.log does contain the IP address information.

    z-push-error.log = 23/03/2016 05:54:19 [ 1750] [ERROR] [bobsspam] ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111
    z-push.log = 23/03/2016 05:55:45 [ 2054] [WARN] [bobsspam] IP: 192.168.1.2 failed to authenticate user 'bobs'

  #8 Senior Member (joined Jan 2008, 400 posts)
    @Sebastian.

    I tried to contribute there, but I was not able to.
    Here is the one you want for z-push; I use it with ufw as firewall.

    For a systemd server (I'm using Debian Jessie). On a non-systemd server, remove these two lines:
    [Init]
    journalmatch = _SYSTEMD_UNIT=fail2ban.service

    Code:
    # FILE : /etc/fail2ban/filter.d/zarafa-z-push.conf
    # Fail2Ban configuration file
    [INCLUDES]
    before = common.conf
    [Definition]
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = IP: <HOST> failed to authenticate user
    ignoreregex =
    [Init]
    # Only consulted when fail2ban reads the journal (backend = systemd);
    # with a file logpath, as in the jail below, this line is ignored.
    journalmatch = _SYSTEMD_UNIT=fail2ban.service

    Code:
    # UFW file /etc/fail2ban/action.d/ufw-all.conf
    # Fail2Ban configuration file ufw-all.conf 
    #
    # We add the rules to ufw for better control and management
    #
    
    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = ufw insert 1 deny from <ip> to any
    actionunban = ufw delete deny from <ip> to any

    Code:
    # Jail.local
    [zarafa-z-push]
    enabled  = true
    port     = http,https
    filter   = zarafa-z-push
    banaction = ufw-all
    # also enable define('LOGAUTHFAIL', true); in z-push/config.php
    # post #7 above observed the "IP: ... failed to authenticate" line in z-push.log,
    # not in z-push-error.log; point logpath at the file that actually carries it
    logpath  = /var/log/z-push/z-push-error.log
    maxretry = 3
    bantime  = 84600
    I ban for a long time, so if they come back while banned, the bantime is extended.


    For zarafa-gateway, change the regex to:
    Code:
    failregex = Failed to login from <HOST> with invalid username
    and, optionally, use the same ports as postfix-sasl.

    postfix-sasl can be used for auth over SMTP and works out of the box.
    I changed the ports to: smtp,ssmtp,smtps,submission,imap2,imap3,imaps,pop3,pop3s

    And as an extra, not specially needed but handy to have:

    /etc/ufw/applications.d/zarafa
    Code:
    [Zarafa]
    title=Zarafa Mail server
    description=Zarafa Open Source Email & Collaboration Software
    ports=236/tcp
    
    [Zarafa ssl]
    title=Zarafa Mail server (SSL)
    description=Open Source Email & Collaboration Software SSL
    ports=237/tcp
    
    [Zarafa Full]
    title=Zarafa Mail server
    description=Zarafa Open Source Email & Collaboration Software
    ports=236,237/tcp
    
    [Zarafa pop3]
    title=Zarafa Gateway pop3
    description=Zarafa Open Source Email & Collaboration Software
    ports=110/tcp
    
    [Zarafa pop3s]
    title=Zarafa Gateway pop3s (SSL)
    description=Open Source Email & Collaboration Software SSL
    ports=995/tcp
    
    [Zarafa pop3 Full]
    title=Zarafa Gateway pop3
    description=Zarafa Open Source Email & Collaboration Software
    ports=110,995/tcp
    
    [Zarafa imap]
    title=Zarafa Gateway imap
    description=Zarafa Open Source Email & Collaboration Software
    ports=143/tcp
    
    [Zarafa imaps]
    title=Zarafa Gateway imap (SSL)
    description=Open Source Email & Collaboration Software SSL
    ports=993/tcp
    
    [Zarafa imap Full]
    title=Zarafa Gateway imap
    description=Zarafa Open Source Email & Collaboration Software
    ports=143,993/tcp
    
    [Zarafa ical]
    title=Zarafa ical
    description=Zarafa Open Source Email & Collaboration Software
    ports=8080/tcp
    
    [Zarafa icals]
    title=Zarafa icals (SSL)
    description=Open Source Email & Collaboration Software SSL
    ports=8443/tcp
    
    [Zarafa ical Full]
    title=Zarafa ical
    description=Zarafa Open Source Email & Collaboration Software
    ports=8080,8443/tcp
    Last edited by thctlo; 23-03-2016 at 12:15 PM.
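The following is an added example, not code from Z-Push, fail2ban or any poster in this thread. It replays the failregex lines from posts #2 and #8 over constructed log lines (modelled on the z-push.log line quoted in post #7) using the `<HOST>` expansion quoted in the filter comment in post #8, applies a simplified version of fail2ban's maxretry/findtime counting rule, and shows why the z-push-error.log ERROR line from post #5 cannot be matched. The sample log lines, the IPs, the noise line and the zarafa-gateway timestamp-less line are constructed for this example; the counting logic is a simplification, not fail2ban's own implementation.

```python
"""Replay the thread's fail2ban failregex lines over constructed Z-Push log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for <HOST> (quoted in the filter comment in post #8).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

FAILREGEX = {
    # /etc/fail2ban/filter.d/zarafa-z-push.conf from post #8
    "zarafa-z-push": r"IP: <HOST> failed to authenticate user",
    # zarafa-gateway variant from posts #2 and #8
    "zarafa-gateway": r"Failed to login from <HOST> with invalid username",
}


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def extract_host(pattern: re.Pattern, line: str):
    """Return the host captured from a log line, or None if the line does not match."""
    m = pattern.search(line)
    return m.group("host") if m else None


# Z-Push prefixes each line with "dd/mm/YYYY HH:MM:SS" (see the lines in post #7).
ZPUSH_TS = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")


def zpush_timestamp(line: str):
    m = ZPUSH_TS.match(line)
    return datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S") if m else None


def offenders(lines, pattern, maxretry=3, findtime=600):
    """Hosts failing at least `maxretry` times within any `findtime`-second window.

    Simplified model of fail2ban's rule (failures older than findtime are
    forgotten). Returns {host: timestamp of the failure that triggers the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        host = extract_host(pattern, line)
        ts = zpush_timestamp(line)
        if host is None or ts is None or host in banned:
            continue
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned


# Constructed z-push.log sample with LOGAUTHFAIL enabled (format from post #7).
# 203.0.113.7 fails three times in five seconds; 198.51.100.9 (IPv4-mapped,
# as the <HOST> alias allows) fails three times but spread over 33 minutes.
SAMPLE_ZPUSH_LOG = """\
23/03/2016 05:55:45 [ 2054] [WARN] [bobsspam] IP: 192.168.1.2 failed to authenticate user 'bobs'
23/03/2016 05:56:01 [ 2055] [INFO] [bobsspam] constructed noise line mentioning IP 192.168.1.2
23/03/2016 05:56:10 [ 2060] [WARN] [x] IP: 203.0.113.7 failed to authenticate user 'admin'
23/03/2016 05:56:12 [ 2061] [WARN] [x] IP: 203.0.113.7 failed to authenticate user 'administrator'
23/03/2016 05:56:15 [ 2062] [WARN] [x] IP: 203.0.113.7 failed to authenticate user 'root'
23/03/2016 05:57:00 [ 2070] [WARN] [x] IP: ::ffff:198.51.100.9 failed to authenticate user 'test'
23/03/2016 06:30:00 [ 2090] [WARN] [x] IP: ::ffff:198.51.100.9 failed to authenticate user 'test'
23/03/2016 06:30:05 [ 2091] [WARN] [x] IP: ::ffff:198.51.100.9 failed to authenticate user 'test'
""".splitlines()

# The z-push-error.log line from posts #5 and #7 carries no client IP, so the
# filter cannot match it; logpath must point at the file that receives the
# "IP: ... failed to authenticate" line.
ERROR_LOG_LINE = ("23/03/2016 05:54:19 [ 1750] [ERROR] [bobsspam] "
                  "ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111")

# Constructed zarafa-gateway message shaped like the one quoted in post #2.
GATEWAY_LINE = ('Failed to login from 203.0.113.7 with invalid username "bob" '
                'or wrong password. Error: 0x80040111')


def demo():
    zpush = compile_failregex(FAILREGEX["zarafa-z-push"])
    gateway = compile_failregex(FAILREGEX["zarafa-gateway"])
    return {
        "banned": offenders(SAMPLE_ZPUSH_LOG, zpush, maxretry=3, findtime=600),
        "error_log_host": extract_host(zpush, ERROR_LOG_LINE),
        "gateway_host": extract_host(gateway, GATEWAY_LINE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only 203.0.113.7 is banned: 198.51.100.9 also reaches three failures, but the first one falls outside the 600-second findtime, which is the behaviour to keep in mind when tuning `maxretry` and `findtime` in jail.local. The ERROR line yields no host at all, so a jail pointed at a file containing only such lines never bans anyone.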

  #9 Senior Member (joined Sep 2007, aka SebastianBrasil, 1,467 posts)
    @bobs, you can monitor either z-push.log or z-push-error.log. If you run at a higher log level, fail2ban will need to parse a lot of unnecessary log lines, though; the idea is to just have it look at z-push-error.log, as that one is much less noisy.

  #10 Junior Member (joined Mar 2016, 18 posts)
    I have it working, Thanks all. Will document, and post to wiki. Thanks again !

