Hi Group,
I have an uptick of accounts being locked out due to continuous brute force attempts on the server. Is anyone successfully using something to help mitigate this? I was thinking maybe fail2ban?
Hi, I use CSF to mitigate those types of attacks.
JG
I am using both zmauditswatch and fail2ban
It is a bit tricky to configure fail2ban, but there are good reviews on the Zimbra community forums or some blogs.
I strongly second CSF with LFD. A bit of a learning curve, but well worth it. I think CSF with LFD is much easier and more reliable than Fail2Ban.
https://virtualarchitects.com/wiki/doku.php?id=internet:mail:zimbra:zimbra_firewall
I have quite a few hosts in my CSF cluster...a really powerful feature. I have not (yet) found it useful for Docker hosts.
You will need to tweak it for your OS version and Zimbra, but that's the nature of security tools. I can help with Ubuntu + Zimbra 9 OSE, if you have specific questions.
G
I use CROWDSEC, it’s supposed to do a better job than Fail2ban. Just remember to change port 8080.
@bellux After you have installed Crowdsec you will have to change the listen port from the default port 8080. I have changed mine to port 8085.
Edit the config.yaml file: nano /etc/crowdsec/config.yaml
And change the following line: listen_uri: 127.0.0.1:8085
Do the same, change the port number from 8080 to 8085 in the following two config files:
/etc/crowdsec/local_api_credentials.yaml
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
Just remember that every time you update crowdsec, there is a chance that you will have to edit the config files again. 🙂
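The port change above touches three files and silently breaks the agent/bouncer link if one of them is missed, which is exactly what an upgrade can do. The script below is an added example (not from the post author or the CrowdSec project) that applies the change to all three files named above and then checks that they agree. The key names it edits (`listen_uri` in config.yaml, `url` in local_api_credentials.yaml, `api_url` in the bouncer file) and the stock `127.0.0.1:8080` address are assumptions; the sample tree it writes for a dry run is constructed here, not copied from a real install.

```shell
#!/bin/sh
# Added example: rewrite the CrowdSec local API port consistently across the three
# config files from the post, then verify they agree. Point CROWDSEC_ROOT at
# /etc/crowdsec for a real install; the demo at the bottom uses a constructed copy.
set -e

# Files relative to the CrowdSec config root (paths from the post above).
CROWDSEC_FILES="config.yaml local_api_credentials.yaml bouncers/crowdsec-firewall-bouncer.yaml"

# set_lapi_port ROOT OLD NEW: replace 127.0.0.1:OLD with 127.0.0.1:NEW in each file.
# A .bak copy is kept beside every file so the change can be reverted by hand.
set_lapi_port() {
    root=$1; old=$2; new=$3
    for f in $CROWDSEC_FILES; do
        path="$root/$f"
        [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
        cp "$path" "$path.bak"
        # Write to a temp file and move it, so this works with non-GNU sed as well.
        sed "s#127\\.0\\.0\\.1:${old}#127.0.0.1:${new}#g" "$path" > "$path.tmp"
        mv "$path.tmp" "$path"
    done
}

# lapi_port_in ROOT FILE: print the port that follows the first 127.0.0.1: in FILE.
lapi_port_in() {
    sed -n 's#.*127\.0\.0\.1:\([0-9][0-9]*\).*#\1#p' "$1/$2" | head -n 1
}

# check_lapi_ports ROOT: succeed and print the port only if all three files agree;
# otherwise report the first mismatch and fail. Run this after every CrowdSec update.
check_lapi_ports() {
    root=$1; first=""
    for f in $CROWDSEC_FILES; do
        p=$(lapi_port_in "$root" "$f")
        [ -n "$p" ] || { echo "no local API address found in $f" >&2; return 1; }
        if [ -z "$first" ]; then
            first=$p
        elif [ "$p" != "$first" ]; then
            echo "mismatch: $f uses port $p, expected $first" >&2
            return 1
        fi
    done
    echo "$first"
}

# make_sample_tree DIR: constructed files mirroring the layout assumed above (dry runs only).
make_sample_tree() {
    mkdir -p "$1/bouncers"
    printf 'api:\n  server:\n    listen_uri: 127.0.0.1:8080\n' > "$1/config.yaml"
    printf 'url: http://127.0.0.1:8080/\nlogin: machine\npassword: secret\n' > "$1/local_api_credentials.yaml"
    printf 'mode: nftables\napi_url: http://127.0.0.1:8080/\napi_key: key\n' > "$1/bouncers/crowdsec-firewall-bouncer.yaml"
}

# Dry run on a constructed copy; replace "$demo" with /etc/crowdsec for the real change.
demo=$(mktemp -d)
make_sample_tree "$demo"
set_lapi_port "$demo" 8080 8085
echo "all three files now use local API port $(check_lapi_ports "$demo")"
rm -rf "$demo"
```

After the real edit, restart crowdsec and the bouncer and re-run `check_lapi_ports /etc/crowdsec`; a non-zero exit tells you which file an upgrade has reverted.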
@x1m could you share with us how you managed to get crowdsec working with carbonio CE? Thanks in advance
I am rather underwhelmed by CrowdSec. The block rules for Zimbra seem to be the same as fail2ban.
It did not trigger any single event hit from the free blocklists.
On a second webhost-server there are minor alerts such as HTTP-probing or bad-user-agent. But nothing severe.
Would be interested hearing from your experience. Probably it is just me?
E: When my Zimbra was under a brute force attack, it was notable that the IPs of the attacking clients changed very quickly. This is why my fail2ban failed.
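The failure mode described in that last post is per-source-IP banning: when each IP only makes one or two attempts, no single address ever crosses fail2ban's threshold even though one account is being hammered. The script below is an added example (not from the post author, Zimbra or fail2ban) of the complementary view a defender wants: count failures per account and per distinct source IP, so a password-spraying or rotating-IP attack shows up regardless of how many addresses it uses. The log lines it parses are constructed here in the shape of Zimbra's audit.log (`cmd=Auth; account=...; oip=...; error=authentication failed`); the exact field layout on your version is an assumption to verify against `/opt/zimbra/log/audit.log`.

```shell
#!/bin/sh
# Added example: find accounts under distributed brute force by aggregating
# authentication failures per account and per distinct origin IP, instead of per IP.
set -e

# flag_accounts LOG MIN_FAILS MIN_IPS
# Prints one line per account with at least MIN_FAILS failed logins coming from at
# least MIN_IPS distinct source IPs. Keys on "account=" and "oip=" fields.
flag_accounts() {
    awk -v minf="$2" -v mini="$3" '
        /security - cmd=Auth;/ && /authentication failed/ {
            acct = ""; ip = ""
            if (match($0, /account=[^;]+/)) acct = substr($0, RSTART + 8, RLENGTH - 8)
            if (match($0, /oip=[^;]+/))     ip   = substr($0, RSTART + 4, RLENGTH - 4)
            if (acct == "" || ip == "") next
            fails[acct]++
            key = acct SUBSEP ip
            if (!(key in seen)) { seen[key] = 1; ips[acct]++ }
        }
        END {
            for (a in fails)
                if (fails[a] >= minf && ips[a] >= mini)
                    printf "%s fails=%d distinct_ips=%d\n", a, fails[a], ips[a]
        }' "$1" | sort
}

# write_sample_log FILE: constructed audit lines (not real traffic). alice is probed
# from five different IPs, never more than twice each, so a per-IP ban with a
# threshold of 3 would never fire; bob fails twice from one IP; one line is a success.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10 08:00:01,100 INFO  [ImapServer-1] [ip=203.0.113.10;oip=203.0.113.10;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:03,200 INFO  [ImapServer-2] [ip=203.0.113.11;oip=203.0.113.11;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:05,300 INFO  [ImapServer-3] [ip=203.0.113.11;oip=203.0.113.11;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:07,400 INFO  [ImapServer-4] [ip=198.51.100.7;oip=198.51.100.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:09,500 INFO  [ImapServer-5] [ip=198.51.100.8;oip=198.51.100.8;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:11,600 INFO  [ImapServer-6] [ip=192.0.2.44;oip=192.0.2.44;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-01-10 08:00:13,700 INFO  [ImapServer-7] [ip=192.0.2.9;oip=192.0.2.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2024-01-10 08:00:15,800 INFO  [ImapServer-8] [ip=192.0.2.9;oip=192.0.2.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2024-01-10 08:00:17,900 INFO  [ImapServer-9] [ip=192.0.2.50;oip=192.0.2.50;] security - cmd=Auth; account=alice@example.com; protocol=imap;
EOF
}

# Demo on the constructed log; on a real host run: flag_accounts /opt/zimbra/log/audit.log 5 3
sample=$(mktemp)
write_sample_log "$sample"
flag_accounts "$sample" 5 3
rm -f "$sample"
```

Feed the flagged accounts into whatever response fits (a temporary account lock, forcing MFA, or alerting the user) rather than into an IP ban list, since the IPs are the part the attacker rotates.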