Configuring Firewalld and Fail2ban for Zimbra 8.7.x on CentOS 7

Fail2Ban

Fail2ban is an application, written in Python, that monitors log files. The source IP of log lines that indicate a failure is then banned according to the configured rules. It has three basic operational parts: the log filter, the settings, and the action.

The log filter works according to the regexes defined in the configuration. A matching line is then passed to the settings layer, which defines, among other things, how many times a line matching the regex is allowed. Once the count equals or exceeds that setting, the IP is automatically banned by the action in firewalld, using drop or reject.

The configuration steps are as follows

1. Installation

Install with the following command (as user root)

yum -y install fail2ban ipset

2. Configuring the Firewalld Action

First back up the file firewallcmd-ipset.conf

cp /etc/fail2ban/action.d/firewallcmd-ipset.conf /etc/fail2ban/action.d/firewallcmd-ipset.conf.backup

empty the contents of firewallcmd-ipset.conf

> /etc/fail2ban/action.d/firewallcmd-ipset.conf

edit the file firewallcmd-ipset.conf

nano /etc/fail2ban/action.d/firewallcmd-ipset.conf

then fill it with the following

# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you may need to patch in external
# modules.

#[INCLUDES]

#before = iptables-common.conf

[Definition]

actionstart = firewall-cmd --permanent --new-ipset=fail2ban-<name> --type=hash:ip
              firewall-cmd --permanent --add-rich-rule='rule source ipset=fail2ban-<name> drop'
              firewall-cmd --reload
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e $ | cut -d "," -s -f 1 | while read IP; do firewall-cmd --ipset=fail2ban-<name> --add-entry=$IP; done; fi

actionstop = firewall-cmd --permanent --remove-rich-rule='rule source ipset=fail2ban-<name> drop'
             firewall-cmd --permanent --delete-ipset=fail2ban-<name>
             firewall-cmd --reload

actionban = firewall-cmd --ipset=fail2ban-<name> --add-entry=<ip>
            if ! grep -Fxq '<ip>,' /etc/fail2ban/ip.blacklist; then echo <ip>',' >> /etc/fail2ban/ip.blacklist; fi

actionunban = firewall-cmd --ipset=fail2ban-<name> --remove-entry=<ip>

[Init]

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  [ STRING ]
#
#chain = INPUT_direct

# Option: bantime
# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values:  [ NUM ]  Default: 600

#bantime = 600


# DEV NOTES:
#
# Author: Abdurachman Saad
# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness

Save the file

Create the file ip.blacklist to hold the blacklisted IPs

touch /etc/fail2ban/ip.blacklist

3. Configuring jail.conf

Open the file jail.conf

nano /etc/fail2ban/jail.conf

Add the following at the very bottom of the file

[zimbra-account]
enabled = true
filter = zimbra
action = firewallcmd-ipset[name=zimbra-account]
         sendmail[name=Zimbra-account, dest=alert@saad.web.id]
logpath = /opt/zimbra/log/mailbox.log
bantime = -1
maxretry = 4

[zimbra-audit]
enabled = true
filter = zimbra
action = firewallcmd-ipset[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=alert@saad.web.id]
logpath = /opt/zimbra/log/audit.log
bantime = -1
maxretry = 2

Then save the file

4. Configuring the Filter

Create a new file named zimbra.conf

nano /etc/fail2ban/filter.d/zimbra.conf

then fill it with the following

[Definition]

failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, account lockout$
            \[ip=<HOST>;\] account - authentication failed for .* \(account lockout\)$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

ignoreregex = 

Restart the service and enable fail2ban at boot

systemctl restart fail2ban
systemctl enable fail2ban

To list all active fail2ban jails, use the command

fail2ban-client status

To see the status of filtered log entries and banned IPs, use the following commands.
For the zimbra-account jail

fail2ban-client status zimbra-account

For the zimbra-audit jail

fail2ban-client status zimbra-audit

To check whether the log lines match the regex

fail2ban-regex  /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf

and

fail2ban-regex  /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf
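As an added example (not part of the original post or of fail2ban itself), the following Python script applies four of the failregex patterns from the filter above to constructed sample lines in the layout Zimbra's mailbox.log and audit.log use, extracts the source IP the way fail2ban's <HOST> token does, and then applies a maxretry threshold plus an ignoreip whitelist. The IPv4-only host pattern, thread names, accounts and addresses are assumptions; findtime is not modelled.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> substitution (IPv4 only; an assumption for offline testing).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Four of the failregex lines from filter.d/zimbra.conf above, with <HOST> expanded below.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r"\[ip=<HOST>;\] security - cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample lines in the layout of Zimbra's audit.log/mailbox.log (not real data).
SAMPLE_LOG = [
    "2017-05-02 09:15:01,233 WARN  [ImapServer-5] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com;"
    " protocol=imap; error=authentication failed for [bob@example.com], invalid password;",
    "2017-05-02 09:15:03,120 INFO  [qtp-7:/service/soap/AuthRequest] [name=alice@example.com;oip=203.0.113.7;ua=zclient/8.7.11;]"
    " security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;",
    "2017-05-02 09:15:05,871 WARN  [Pop3Server-2] [ip=198.51.100.9;] account - authentication failed for"
    " mallory@example.com (no such account)",
    "2017-05-02 09:15:06,002 INFO  [ImapServer-5] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=imap;",
    "2017-05-02 09:15:08,410 WARN  [qtp-9:/service/admin/soap/AuthRequest] [ip=192.0.2.1;] security - cmd=AdminAuth;"
    " account=admin; protocol=soap; error=authentication failed for [admin], invalid password;",
    "2017-05-02 09:15:09,655 WARN  [qtp-9:/service/admin/soap/AuthRequest] [ip=192.0.2.1;] security - cmd=AdminAuth;"
    " account=admin; protocol=soap; error=authentication failed for [admin], invalid password;",
]

def find_failures(lines):
    """Return the source IP of every line that matches a failregex (one hit per line)."""
    hosts = []
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line.rstrip("\n"))
            if m:
                hosts.append(m.group("host"))
                break  # fail2ban counts a line once, whichever regex matched it
    return hosts

def hosts_to_ban(lines, maxretry, ignoreip=()):
    """Apply the jail's maxretry threshold and the ignoreip whitelist (findtime is ignored here)."""
    counts = Counter(find_failures(lines))
    return sorted(ip for ip, n in counts.items() if n >= maxretry and ip not in set(ignoreip))

if __name__ == "__main__":
    print(find_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, maxretry=2, ignoreip={"192.0.2.1"}))
```

The successful IMAP login on the fourth sample line is correctly left alone, which is the check worth repeating with real log excerpts before lowering maxretry.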

Monitoring the fail2ban log

tail -f /var/log/fail2ban.log

5. Whitelisting an IP Address

To whitelist an IP address,
first add the IP to ignoreip in jail.conf

nano /etc/fail2ban/jail.conf

E.g. if the IP address to whitelist is 111.222.333.444, add it separated by a space

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 111.222.333.444

second, delete the IP address to be whitelisted from the file ip.blacklist

nano /etc/fail2ban/ip.blacklist

third, restart the service

systemctl restart fail2ban

6. Checking Firewalld

To see the IPs registered in firewalld, use the following commands.
For zimbra-account

firewall-cmd --info-ipset=fail2ban-zimbra-account

For zimbra-audit

firewall-cmd --info-ipset=fail2ban-zimbra-audit

To remove an IP from the firewalld ipset, use the following commands (e.g. IP 222.333.444.555).
For zimbra-account

firewall-cmd --ipset=fail2ban-zimbra-account --remove-entry=222.333.444.555

For zimbra-audit

firewall-cmd --ipset=fail2ban-zimbra-audit --remove-entry=222.333.444.555

Done

Note:
ipset is only supported on firewalld version 0.4. To check which firewalld version is in use, run the following command

yum info firewalld

The output will look like this

Installed Packages
Name        : firewalld
Arch        : noarch
Version     : 0.4.4.4
Release     : 14.el7
Size        : 1.8 M
Repo        : installed
From repo   : base
Summary     : A firewall daemon with D-Bus interface providing a dynamic firewall
URL         : http://www.firewalld.org
License     : GPLv2+
Description : firewalld is a firewall service daemon that provides a dynamic customizable
            : firewall with a D-Bus interface.

Good luck
