A firewall is a network security mechanism that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet).
Firewalls analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks.
In this article, we will discuss firewalls on Zimbra servers, their importance, and see how to set them up to prevent specific attacks.
Firewall in Zimbra Servers
A Zimbra server listens on a number of ports that serve different kinds of communication. Some of them must be reachable publicly, while others are only needed for local communication. Out of the box, every port is open to everyone, which exposes the Zimbra server to unnecessary risk. That is why access to these ports needs to be restricted according to your requirements.
For example, the HTTP service on port 80 should be reachable only by local users; left open to the internet, port 80 is an avoidable exposure of the Zimbra server.
We will describe the details of various ports later in this article.
How Hackers Exploit Open Ports
If a firewall has marked a port closed, it will immediately discard any packet with that destination port number.
If the port is not marked closed, the system checks whether an application has registered itself to receive packets sent to that port number (a web server, for example). If no program is listening, the packet is still discarded.
Whether an attacker can make use of an open port depends entirely on there being an insecure program behind it. For example, if a packet arrives destined for port 80, an application is listening on port 80, and that application can be taken over by sending it certain input, then an attacker who knows about this vulnerability (or uses a tool that knows about it) can take over that program.
How to Properly Set Up Firewalls on Zimbra Servers
In an open-source environment, a firewall plays a crucial role in securing the system. When we set up a Zimbra server, we should define a policy for each of its necessary ports so that we can protect them from unwanted exposure.
As per Zimbra's official guidelines, the ports listed below are considered standard:
|Service|Port|Protocol|Recommendation|
|HTTP|80|TCP|should probably be limited by a firewall to your local network only|
|POP3|110|TCP|should probably be limited by a firewall to your local network only|
|IMAP|143|TCP|should probably be limited by a firewall to your local network only|
|LDAP|389|TCP|should probably be limited by a firewall to your local network only|
|Admin Interface|7071|TCP|should probably be limited by a firewall to your local network only|
|SOAP Auth|7073|TCP|should probably be limited by a firewall to your local network only|
|LMTP|7025|TCP|should probably be limited by a firewall to your local network only|
To allow access from your management subnet xxx.xxx.xxx.xxx/yy:
ufw allow from x.x.x.x/y
Then create the ufw application profile /etc/ufw/applications.d/zimbra with the following content (the [Zimbra] section header is required so that ufw can find the profile by name):
[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,80,110,143,443,465,587,993,995,3443,5222,5223,7071,9071/tcp
Finally, allow the profile, enable the firewall and check the result:
ufw allow Zimbra
ufw enable
ufw status
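The port table and the ufw procedure above, worked through as an added example that is not from the original article or from Zimbra: a small POSIX shell script that validates the management subnet and prints per-port ufw rules, opening the table's local-only ports to that subnet only and the public mail ports to everyone. Unlike the application profile above, which opens every listed port to all sources, the generated rules keep the local-only ports restricted to the subnet. The subnet 192.0.2.0/24, the split between local-only and public ports, and the choice to print the commands rather than run them are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article or from Zimbra: turn the port
# table above into per-port ufw rules. The script only prints the commands so
# they can be reviewed first; pipe the output to "sh" to apply them.

# Ports the table marks "local network only" (from the article).
LOCAL_PORTS="80 110 143 389 7071 7073 7025"
# Ports that must stay reachable from the internet for mail to work. This split
# is an assumption: the applications.d profile above minus the local-only ports
# and the less common 3443, 5222, 5223 and 9071 entries.
PUBLIC_PORTS="25 443 465 587 993 995"

# valid_cidr CIDR: accept only a dotted-quad IPv4 address with a /0-32 prefix,
# so a typo in the management subnet cannot turn into an "allow from anywhere".
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    octets=0
    saved_ifs=$IFS
    IFS=.
    for octet in $addr; do
        IFS=$saved_ifs
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        octets=$((octets + 1))
    done
    IFS=$saved_ifs
    [ "$octets" -eq 4 ]
}

# zimbra_fw_rules SUBNET: print the ufw commands. Default-deny first, then the
# local-only ports for the management subnet only, then the public ports.
zimbra_fw_rules() {
    subnet=$1
    if ! valid_cidr "$subnet"; then
        echo "invalid management subnet: '$subnet' (expected a.b.c.d/n)" >&2
        return 1
    fi
    echo "ufw default deny incoming"
    for p in $LOCAL_PORTS; do
        echo "ufw allow from $subnet to any port $p proto tcp"
    done
    for p in $PUBLIC_PORTS; do
        echo "ufw allow $p/tcp"
    done
    echo "ufw enable"
}

# Stand-alone use: sh zimbra-fw.sh 192.0.2.0/24 (the subnet is an example value).
if [ -n "${1:-}" ]; then
    zimbra_fw_rules "$1"
fi
```

Review the printed rules before piping them to `sh`, and add a rule for whatever remote administration path you rely on (SSH, for instance) before `ufw enable`: `ufw default deny incoming` takes effect immediately and would otherwise lock you out. `ufw status numbered` afterwards shows exactly what was applied.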
What is a Memcached Attack?
As open-source software exposed on the network, Memcached can be a target for attacks. This became apparent in 2018 when a new form of DDoS attack was launched: attackers sent spoofed requests, which hide the real sender by forging the source IP address, to vulnerable Memcached servers listening on UDP.
UDP, the User Datagram Protocol, is particularly exposed because it is connectionless: data is transferred without the receiving party first agreeing to the communication (a quick video playback, for example, relies on exactly that). The attackers sent these spoofed requests to the servers, which answered with much larger responses to the forged source addresses, flooding the victims with high volumes of traffic and crashing their servers.
As with traditional DDoS attacks, Memcached attacks result in an overloaded server, denying service to genuine website users.
Configure Firewall to Protect Zimbra Servers from Memcached Attacks:
In a single-server environment, you can configure Memcached to listen only on 127.0.0.1 to avoid these attacks:
su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
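A verification step to go with the bind-address change above, as an added example that is not from the original article or from Zimbra: a shell function that reads `ss -ltn` (or `ss -lntu`, to include the UDP sockets that the attack abuses) output and fails if the given port is listening on anything other than loopback. The sample lines embedded below are constructed, and port 11211 is the common Memcached default, assumed here because the article does not state the port Zimbra uses.

```shell
#!/bin/sh
# Added example, not from the original article: verify that a port is bound to
# loopback only, using the output of "ss -ltn" (or "ss -lntu" to include UDP).

# check_loopback_only PORT: read ss output on stdin; succeed if every socket on
# PORT is bound to 127.0.0.1 or [::1], otherwise print the offending sockets on
# stderr and fail. It scans every field for one that ends in ":PORT", so it
# works with or without the Netid column that "ss -lntu" adds.
check_loopback_only() {
    port=$1
    exposed=$(awk -v port="$port" '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, a, ":")
                if (n < 2 || a[n] != port) continue
                addr = substr($i, 1, length($i) - length(port) - 1)
                if (addr != "127.0.0.1" && addr != "[::1]") print $i
            }
        }')
    if [ -n "$exposed" ]; then
        echo "port $port is listening on a non-loopback address:" >&2
        echo "$exposed" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real server). Port 11211 is
# assumed to be the Memcached port.
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'

SAMPLE_EXPOSED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      1024   127.0.0.1:11211    0.0.0.0:*'

# Stand-alone run: with CHECK_LIVE set, inspect this host; otherwise the samples.
if [ -n "${CHECK_LIVE:-}" ] && command -v ss >/dev/null 2>&1; then
    ss -lntu | check_loopback_only "${1:-11211}"
else
    printf '%s\n' "$SAMPLE_SAFE" | check_loopback_only 11211 && echo "sample 1: loopback only"
    printf '%s\n' "$SAMPLE_EXPOSED" | check_loopback_only 11211 || echo "sample 2: exposed (expected)"
fi
```

Run it with `CHECK_LIVE=1 sh check-bind.sh 11211` after applying the zmprov settings and restarting Memcached; a non-zero exit means the service is still reachable on a non-loopback address and the change has not taken effect yet. The same function can be pointed at any other port that should stay local, such as the ones in the table earlier in the article.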