Anyone using fail2ban?

10 Posts
8 Users
1 Reactions
1,607 Views
(@tom11011)
Joined: 3 years ago
Posts: 13
Topic starter  

Hi Group,

I have an uptick of accounts being locked out due to continuous brute force attempts on the server. Is anyone successfully using something to help mitigate this? I was thinking maybe fail2ban?

(@jasgg_it)
Joined: 3 years ago
Posts: 22
 

Hi, I use CSF to mitigate those types of attacks.

JG

dominix
(@dominix)
Joined: 12 years ago
Posts: 134
 

I am using both zmauditswatch and fail2ban.

It is a bit tricky to configure fail2ban, but there are good reviews on the Zimbra community forums or some blogs.

(@virtarch)
Joined: 10 years ago
Posts: 8
 

I strongly second CSF with LFD. A bit of a learning curve, but well worth it. I think CSF with LFD is much easier and more reliable than Fail2Ban.

https://virtualarchitects.com/wiki/doku.php?id=internet:mail:zimbra:zimbra_firewall

I have quite a few hosts in my CSF cluster... a really powerful feature. I have not (yet) found it useful for Docker hosts.

You will need to tweak it for your OS version and Zimbra, but that's the nature of security tools. I can help with Ubuntu + Zimbra 9 OSE, if you have specific questions.

G

This post was modified 2 years ago by Virtual Architects LLC
 X1M
(@x1m)
Joined: 4 years ago
Posts: 4
 

I use CROWDSEC, it’s supposed to do a better job than Fail2ban. Just remember to change port 8080.

(@bellux)
Joined: 2 years ago
Posts: 12
 

@x1m Hi, how did you set up crowdsec to work with Zimbra?

 X1M
(@x1m)
Joined: 4 years ago
Posts: 4
 

@bellux After you have installed Crowdsec you will have to change the listen port from the default port 8080. I have changed mine to port 8085.

Edit the config.yaml file: nano /etc/crowdsec/config.yaml

And change the following line:  listen_uri: 127.0.0.1:8085

Do the same, change the port number from 8080 to 8085 in the following two config files:

/etc/crowdsec/local_api_credentials.yaml
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Just remember that every time you update crowdsec, there is a chance that you will have to edit the config files again. 🙂

This post was modified 2 years ago 3 times by X1M

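As an added example (not code from any poster in this thread), a small POSIX shell check that reads the local API port from the three files named in the post above and reports whether they still agree, which is exactly the drift an update can cause. The YAML key names `listen_uri`, `url` and `api_url` are assumed from stock CrowdSec config layouts, and the sample config tree is constructed for the demo rather than read from a real host.

```shell
#!/bin/sh
# Added example: verify the CrowdSec LAPI port is consistent across the
# three files mentioned in the thread. Key names are assumed from stock
# CrowdSec configs; nothing here writes to /etc/crowdsec.

# Print the TCP port found on the first "KEY: ...host:PORT..." line of FILE.
# Prints nothing (and still exits 0) if the file or key is missing.
port_of() {
  grep -E "^[[:space:]]*$2:" "$1" 2>/dev/null | head -n 1 \
    | sed -n 's/.*:\([0-9][0-9]*\).*/\1/p'
}

# Compare the port in config.yaml, local_api_credentials.yaml and the
# firewall bouncer config under DIR. Prints the port and returns 0 when all
# three agree; otherwise reports the mismatch on stderr and returns 1.
check_crowdsec_ports() {
  dir=$1
  lapi=$(port_of "$dir/config.yaml" listen_uri)
  cred=$(port_of "$dir/local_api_credentials.yaml" url)
  bncr=$(port_of "$dir/bouncers/crowdsec-firewall-bouncer.yaml" api_url)
  if [ -n "$lapi" ] && [ "$lapi" = "$cred" ] && [ "$lapi" = "$bncr" ]; then
    echo "$lapi"
    return 0
  fi
  echo "port mismatch: config.yaml=${lapi:-?} credentials=${cred:-?} bouncer=${bncr:-?}" >&2
  return 1
}

# Build a constructed config tree under DIR with the given three ports,
# mimicking the layout of the real files (credentials are placeholders).
make_sample_tree() {
  dir=$1
  mkdir -p "$dir/bouncers"
  printf 'api:\n  server:\n    listen_uri: 127.0.0.1:%s\n' "$2" > "$dir/config.yaml"
  printf 'url: http://127.0.0.1:%s\nlogin: bouncer-host\npassword: PLACEHOLDER\n' "$3" \
    > "$dir/local_api_credentials.yaml"
  printf 'api_url: http://localhost:%s/\napi_key: PLACEHOLDER\n' "$4" \
    > "$dir/bouncers/crowdsec-firewall-bouncer.yaml"
}

# Stand-alone demo on a constructed tree; on a real host you would call
# check_crowdsec_ports /etc/crowdsec instead.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir" 8085 8085 8085
check_crowdsec_ports "$demo_dir"
rm -rf "$demo_dir"
```

Running the check after each CrowdSec update (or from a cron job) catches the case where one file has silently gone back to 8080 while the others still say 8085.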
(@jolmir)
Joined: 10 years ago
Posts: 18
 

@x1m could you share with us how you got crowdsec working with Carbonio CE? Thanks in advance

 mik
(@mik)
Joined: 4 years ago
Posts: 42
 

Posted by: @x1m

I use CROWDSEC, it’s supposed to do a better job than Fail2ban. Just remember to change port 8080.

I am rather underwhelmed by CrowdSec. The block rules for Zimbra seem to be the same as fail2ban.
It did not trigger any single event hit from the free blocklists.
On a second webhost-server there are minor alerts such as HTTP-probing or bad-user-agent. But nothing severe.
Would be interested in hearing about your experience. Probably it is just me?

E: When my Zimbra was under a brute force attack, it was notable that the IPs of the attacking clients changed very quickly. This is why my fail2ban failed.

This post was modified 11 months ago by mik
