
Thread: Z-Push Fail2Ban

  1. #1
    Junior Member
    Join Date
    Mar 2016
    Posts
    18

    Z-Push Fail2Ban

    I would like to use fail2ban to blacklist would-be attackers. Is it possible, and does anyone have a config for it ?

    Thanks in advance

    BobS

  2. #2
    Senior Member
    Join Date
    Jan 2008
    Posts
    400
    You can use something like

    failregex = \[.*\] Failed to login from <HOST> with invalid username \".*\" or wrong password. Error: 0x80040111

    for zarafa-gateway

  3. #3
    Senior Member
    Join Date
    Nov 2012
    Location
    Minneapolis MN, USA
    Posts
    106
    We made a small change to login for z-push and webapp to log into secure and use the following expression.

    failregex = Login failed from\[<HOST>\] user(.*)


    This has worked great for us although I'd like to eliminate the code mod every release.

  4. #4
    Senior Member
    Join Date
    Sep 2007
    Location
    Aka SebastianBrasil
    Posts
    1,467
    Z-Push has a config option to enable special logging for failed authentication.
    Enable 'LOGAUTHFAIL' by setting it to "true" (without ").

    This will cause an additional log line in WARN level:
    IP: 123.123.123.123 failed to authenticate user '[email protected]'

    So you can monitor the z-push-error.log only with fail2ban.

    I also created a wiki page:

    When you get it working, I (and others) would be very grateful if you could contribute the fail2ban configuration on the wiki page (create an account on and just edit the page). Thank you!

    Cheers,
    Sebastian

  5. #5
    Junior Member
    Join Date
    Mar 2016
    Posts
    18
    We're not getting the IP address when I enable that option. Any ideas ?
    [ 1939] [ERROR] [MyUsername] ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111

    ---------- Post added ----------

    Oh, I got it! It's in the z-push.log! Now, if I can get fail2ban to read the log, I'll be good 2 go.

  6. #6
    Senior Member
    Join Date
    Apr 2014
    Posts
    186
    Sebastian said "So you can monitor the z-push-error.log only with fail2ban." which might be a lot smaller and easier to monitor than the z-push log.

  7. #7
    Junior Member
    Join Date
    Mar 2016
    Posts
    18
    I don't understand. Why would I monitor z-push-error.log file ? It does not contain the IP address information. The z-push.log does contain the IP address information.

    z-push-error.log = 23/03/2016 05:54:19 [ 1750] [ERROR] [bobsspam] ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111
    z-push.log = 23/03/2016 05:55:45 [ 2054] [WARN] [bobsspam] IP: 192.168.1.2 failed to authenticate user 'bobs'

  8. #8
    Senior Member
    Join Date
    Jan 2008
    Posts
    400
    @Sebastian.

    I tried to contribute there, but I was not able to.
    Here is the one you want for z-push; I use it with ufw as firewall.

    For a systemd server (I'm using Debian Jessie)
    No systemd server, remove these two lines:
    [Init]
    journalmatch = _SYSTEMD_UNIT=fail2ban.service



    I ban long, so if they come back with banned time, the bantime is extended.


    For zarafa-gateway.

    change the regex to :
    and optional, use the same ports as postfix-sasl.

    postfix-sasl can be used for auth over smtp, works out of the box.
    I changed the ports to: smtp,ssmtp,smtps,submission,imap2,imap3,imaps,pop3,pop3s

    And as an extra, not specially needed but handy to have.

    /etc/ufw/applications.d/zarafa
    Last edited by thctlo; 23-03-2016 at 12:15 PM.

  9. #9
    Senior Member
    Join Date
    Sep 2007
    Location
    Aka SebastianBrasil
    Posts
    1,467
    @bobs, you can monitor either z-push.log or z-push-error.log. If you run in a higher log level fail2ban will need to parse a lot of unnecessary log lines, tho the idea to just have it look at z-push-error.log as that one is much less noisy.

  10. #10
    Junior Member
    Join Date
    Mar 2016
    Posts
    18
    I have it working, Thanks all. Will document, and post to wiki. Thanks again !
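
Added example, not part of the thread and not the configuration the posters ended up with: a Python check of a candidate fail2ban filter for the LOGAUTHFAIL line from post #4, run against the two log lines quoted in post #7. The filter text, the IPv4-only stand-in for fail2ban's `<HOST>` tag and the function names are assumptions made for illustration.

```python
import configparser
import re

# Candidate filter text in fail2ban's filter file format (assumed, not from the thread).
FILTER_CONF = r"""
[Definition]
failregex = \[WARN\] \[[^\]]*\] IP: <HOST> failed to authenticate user '.*'\s*$
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only.
# fail2ban's own expansion also accepts IPv6 addresses and host names.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# First two lines are quoted from post #7; the third is constructed for this example.
SAMPLE_LOG = [
    ("z-push-error.log", "23/03/2016 05:54:19 [ 1750] [ERROR] [bobsspam] ZarafaBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111"),
    ("z-push.log", "23/03/2016 05:55:45 [ 2054] [WARN] [bobsspam] IP: 192.168.1.2 failed to authenticate user 'bobs'"),
    ("z-push.log", "23/03/2016 05:56:02 [ 2054] [WARN] [bobsspam] IP: 192.168.1.2 failed to authenticate user 'bobs'"),
]

def load_failregex(conf_text):
    """Read failregex from the [Definition] section and expand <HOST>."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser["Definition"]["failregex"]
    return [re.compile(line.strip().replace("<HOST>", HOST_GROUP))
            for line in raw.splitlines() if line.strip()]

def failures_by_host(lines, patterns):
    """Count matching lines per extracted source address."""
    counts = {}
    for _source, line in lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                host = match.group("host")
                counts[host] = counts.get(host, 0) + 1
                break
    return counts

def unmatched_sources(lines, patterns):
    """Log files that contributed at least one line no pattern matched."""
    return sorted({src for src, line in lines
                   if not any(p.search(line) for p in patterns)})

if __name__ == "__main__":
    patterns = load_failregex(FILTER_CONF)
    print(failures_by_host(SAMPLE_LOG, patterns))
    print(unmatched_sources(SAMPLE_LOG, patterns))
```

The ERROR line quoted from z-push-error.log carries no address, so only the WARN line can drive a ban; on a real install, `fail2ban-regex <logfile> <filterfile>` performs the same check with fail2ban's own `<HOST>` and date handling.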
