internet:mail:zimbra:zimbra_firewall

Differences

This shows you the differences between two versions of the page.

internet:mail:zimbra:zimbra_firewall [2022/10/07 09:27]
gcooper
internet:mail:zimbra:zimbra_firewall [2023/11/13 08:53] (current)
gcooper
Line 1: Line 1:
 ====== Zimbra Firewall ====== ====== Zimbra Firewall ======
 +
 +FIXME This page could probably use a review and updating.
  
 **Zimbra IP Ports Used**: http://wiki.zimbra.com/wiki/Ports **Zimbra IP Ports Used**: http://wiki.zimbra.com/wiki/Ports
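Review bot: the new FIXME line says the page needs review but not what is suspected to be stale or what the page was last verified against; since the config dump further down this revision is labelled Ubuntu 20.04 with Zimbra 9, record that version pair (and the csf/lfd version) next to the FIXME so a reader can tell which sections still apply.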
Line 39: Line 41:
 http://syslint.com/syslint/how-to-configure-zimbra-csf-the-best-zimbra-firewall-configuration/ http://syslint.com/syslint/how-to-configure-zimbra-csf-the-best-zimbra-firewall-configuration/
  
-:!: Reload or restart CSF and LFD for changes to be activated.+:!: Reload or restart CSF and LFD for changes to be activated (''csf -ra'').
  
 ==== Postfix ==== ==== Postfix ====
  
-**RegEx Tester**: https://www.regextester.com/+**RegEx Tester**: https://www.regex101.com/
  
 **Reference**: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/ **Reference**: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/
  
-<note warning>Zimbra uses Postfix and Postfix is not directly supported by CSF, so we have to use a custom regex for LFD (log failure daemon). +<note warning>Zimbra uses Postfix and Postfix is not directly supported by CSF, so we have to use a custom regex for LFD (log failure daemon).  Note that the Postfix log format seems to change infrequently, so your custom regex may only work until the next log format change.</note>
- +
-Note that the Postfix log format seems to change sometimes, so your custom regex may only work until the next log format change.</note>+
  
 Consider these lines clipped from ''/var/log/mail.log'': Consider these lines clipped from ''/var/log/mail.log'':
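Review bot: the merged warning now says the Postfix log format changes "infrequently" yet keeps the "may only work until the next log format change" consequence, which reads as contradictory; keep the original caveat's strength (the format does change, so re-test the pattern after Zimbra/Postfix upgrades). Since lfd evaluates custom patterns with Perl, the lead-in to the new regex101 link should say to select the PCRE/Perl flavour there rather than the default. The added ''csf -ra'' hint is correct for restarting both csf and lfd in one step.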
Line 55: Line 55:
 <file> <file>
 Oct  2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[93.177.75.130]: SASL LOGIN authentication failed: authentication failure Oct  2 08:18:04 zimbra3 postfix/submission/smtpd[3670673]: warning: unknown[93.177.75.130]: SASL LOGIN authentication failed: authentication failure
- 
 Oct  5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure Oct  5 14:27:13 zimbra3 postfix/smtps/smtpd[3656293]: warning: unknown[102.164.206.139]: SASL PLAIN authentication failed: authentication failure
 </file> </file>
  
-Add a custom RegEx to detect authentication failures (5 failures, block ports 25 and 587, for 3600 seconds):+Add a custom RegEx to detect authentication failures (5 failures, block ports 25 and 587, for 3600 seconds/1 hour):
  
 <file> <file>
Line 73: Line 72:
 </file> </file>
  
-:!: $1 matches the offending IP address.+:!: Group 1 ($1matches the offending IP address.
  
 Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx: Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:
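Review bot: "Group 1 ($1matches" drops the closing parenthesis and space; it should read "Group 1 ($1) matches". More substantively, the two sample lines come from different Postfix services, postfix/submission/smtpd (port 587) and postfix/smtps/smtpd (port 465), while the rule described blocks only ports 25 and 587, so a client brute-forcing smtps is detected but not blocked on the port it is abusing; add 465 (and consider the same 110,143,993,995 set used for PORTS_pop3d elsewhere on this page) to the block list, and make sure the regex in the following (not shown) block tolerates the variable service name between postfix/ and /smtpd rather than hard-coding one of them.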
Line 124: Line 123:
 udp|out|d=53|| # Outbound DNS query with random source port udp|out|d=53|| # Outbound DNS query with random source port
  
-# Zimbra Docs+# Zimbra Zextras Docs Server
 tcp|in|d=389|s=98.167.189.29   # Allow LDAP from Zimbra Zextras Docs tcp|in|d=389|s=98.167.189.29   # Allow LDAP from Zimbra Zextras Docs
 tcp|in|d=8443|s=98.167.189.29  # Allow from Zimbra Zextras Docs tcp|in|d=8443|s=98.167.189.29  # Allow from Zimbra Zextras Docs
Line 130: Line 129:
  
 # LDAP Testing # LDAP Testing
-tcp|in|d=389|s=192.168.1.46     # Allow LDAP from a workstation+tcp|in|d=389|s=192.168.1.46    # Allow LDAP from a workstation
 </file> </file>
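Review bot: the source address in the two Zextras Docs rules, 98.167.189.29, differs by a leading digit from the 198.167.189.29 that appears in the CLUSTER_SENDTO/CLUSTER_RECVFROM lists later on this page; if that is a typo, these rules silently admit LDAP and 8443 from an unrelated host on the public internet, so verify the address. Separately, d=389 permits plaintext LDAP from that host unless STARTTLS is enforced on the Zimbra LDAP side; prefer 636 (LDAPS) or confirm STARTTLS is required. The whitespace-only change to the LDAP Testing line is fine.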
  
Line 321: Line 320:
  
 <file> <file>
-diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /root/csf/csf.conf /etc/csf/csf.conf | grep -v \#+diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /usr/local/csf/profiles/reset_to_defaults.conf /etc/csf/csf.conf | grep -v \#
 </file> </file>
 +
 +:!: This example is for Ubuntu 20.04 with Zimbra 9.
  
 <file> <file>
 TESTING = "0" TESTING = "0"
 RESTRICT_SYSLOG = "3" RESTRICT_SYSLOG = "3"
-TCP_IN = "22,25,80,110,143,443,465,587,993,995,5222:5223,7071,8443+TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999
-TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,7071"+TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071,9980"
 UDP_IN = "53,123" UDP_IN = "53,123"
 UDP_OUT = "53,113,123,33434:33523" UDP_OUT = "53,113,123,33434:33523"
 +ICMP_IN_RATE = "0"
 IPV6 = "1" IPV6 = "1"
-TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,5222:5223,7071,8443+TCP6_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222,7071,10000:10010,20000,24441,59000:59999
-TCP6_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071"+TCP6_OUT = "22,53,80,110,113,143,443,465,587,993,995,2222,7071"
 UDP6_IN = "53,123" UDP6_IN = "53,123"
 UDP6_OUT = "53,113,123,33434:33523" UDP6_OUT = "53,113,123,33434:33523"
-USE_CONNTRACK = "1" 
 SYSLOG_CHECK = "600" SYSLOG_CHECK = "600"
-DENY_IP_LIMIT = "1000"+DENY_IP_LIMIT = "5000"
 DENY_TEMP_IP_LIMIT = "1000" DENY_TEMP_IP_LIMIT = "1000"
 LF_IPSET = "1" LF_IPSET = "1"
 STYLE_CUSTOM = "1" STYLE_CUSTOM = "1"
 SMTP_ALLOWUSER = "" SMTP_ALLOWUSER = ""
-SYNFLOOD = "1" +CONNLIMIT = "80;60,110;10,143;10,443;60,465;10,587;10,993;10,995;10
-CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5+PORTFLOOD = "80;tcp;70;5,110;tcp;20;5,143;tcp;20;5,443;tcp;70;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5
-PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5" +UDPFLOOD_ALLOWUSER = "named,zimbra" 
-DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"+DROP_IP_LOGGING = "1
 +DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520,5678" 
 +DROP_PF_LOGGING = "1"
 CONNLIMIT_LOGGING = "1" CONNLIMIT_LOGGING = "1"
 LF_PERMBLOCK_COUNT = "2" LF_PERMBLOCK_COUNT = "2"
 +LF_PERMBLOCK_ALERT = "0"
 LF_NETBLOCK = "1" LF_NETBLOCK = "1"
 +LF_NETBLOCK_COUNT = "2"
 +LF_NETBLOCK_ALERT = "0"
 SAFECHAINUPDATE = "1" SAFECHAINUPDATE = "1"
 DYNDNS = "600" DYNDNS = "600"
 +MM_LICENSE_KEY = "xxxxxxxxxxxxxxx"
 +CC_SRC = "1"
 +CC_DENY = "RU,BY,CN,AF"
 +CC_DENY_PORTS_TCP = "21,22,110,143,587,993,995,2222"
 +CC_DENY_PORTS_UDP = "5060,5061,10000:20000"
 +CC_INTERVAL = "7"
 LF_SELECT = "1" LF_SELECT = "1"
 LF_EMAIL_ALERT = "0" LF_EMAIL_ALERT = "0"
 LF_SSHD_PERM = "600" LF_SSHD_PERM = "600"
 LF_FTPD_PERM = "600" LF_FTPD_PERM = "600"
-LF_SMTPAUTH = "10" 
 LF_SMTPAUTH_PERM = "600" LF_SMTPAUTH_PERM = "600"
 +LF_POP3D = "5"
 LF_POP3D_PERM = "600" LF_POP3D_PERM = "600"
-LF_IMAPD_PERM = "600"+LF_IMAPD = "5"
 LF_HTACCESS_PERM = "600" LF_HTACCESS_PERM = "600"
 LF_MODSEC_PERM = "600" LF_MODSEC_PERM = "600"
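Review bot: TCP_IN/TCP6_IN drop 22 while PORTS_sshd later in this revision still lists "22,2222"; if sshd still listens on 22 this locks out SSH, so state explicitly that sshd was moved to 2222 (and why 20,21 and the 59000:59999 range, which look like FTP and a passive-FTP range, and 24441 are opened on a mail server). TCP6_OUT removes 25 while TCP_OUT keeps it; with IPV6 = "1" Postfix will attempt IPv6 MX hosts first and hang on the dropped connection before falling back, so either keep 25 in TCP6_OUT or disable IPv6 in Postfix. As rendered, the closing quote is missing on TCP_IN, TCP6_IN, CONNLIMIT, PORTFLOOD and DROP_IP_LOGGING; if that is in the real file rather than a copy-paste artifact, csf will mis-parse those values, so check /var/log/lfd.log after ''csf -ra''. The lines removed with no replacement (USE_CONNTRACK, SYNFLOOD, LF_SMTPAUTH, LF_IMAPD_PERM, LF_WEBMIN_EMAIL_ALERT, LF_CONSOLE_EMAIL_ALERT) revert to csf defaults; a one-line comment saying that was deliberate would help. UDPFLOOD_ALLOWUSER has no effect unless UDPFLOOD itself is enabled, which does not appear in this diff. CC_DENY = "RU,BY,CN,AF" together with CC_DENY_PORTS_TCP leaves the intent ambiguous (block those countries entirely, or only on the listed ports, which omit 25 and 443?); say which one is wanted and check csf.conf's description of how the two interact. LF_POP3D/LF_IMAPD = "5" rely on lfd's built-in pop3d/imapd patterns, which target Dovecot/Courier-style log lines; Zimbra's IMAP/POP is served by its own mailbox server, so confirm its failures actually land in the configured log in a matching format, otherwise these triggers are inert just as LF_SMTPAUTH is for Postfix (the point the page itself makes). Redacting MM_LICENSE_KEY is good.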
Line 369: Line 381:
 LF_WEBMIN = "10" LF_WEBMIN = "10"
 LF_WEBMIN_PERM = "600" LF_WEBMIN_PERM = "600"
-LF_WEBMIN_EMAIL_ALERT = "0" 
-LF_CONSOLE_EMAIL_ALERT = "0" 
 LF_APACHE_404 = "100" LF_APACHE_404 = "100"
 LF_APACHE_403 = "100" LF_APACHE_403 = "100"
 +LF_APACHE_401_PERM = "3600"
 +LF_MODSECIPDB_ALERT = "0"
 +LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
 LF_DISTATTACK = "1" LF_DISTATTACK = "1"
 LF_DISTFTP = "5" LF_DISTFTP = "5"
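Review bot: the added LF_MODSECIPDB_FILE and LF_APACHE_401_PERM settings, like the LF_APACHE_404/403 and HTACCESS_LOG settings around them, assume an Apache plus mod_security stack; a Zimbra host normally serves HTTP through its bundled nginx proxy, so unless Apache and mod_security are actually installed on this box these settings do nothing and should be left at defaults to keep the diff readable. Note also that dropping LF_WEBMIN_EMAIL_ALERT and LF_CONSOLE_EMAIL_ALERT reverts them to csf's defaults, which send those alerts; if silence was the intent, as LF_EMAIL_ALERT = "0" suggests, keep the explicit "0" values.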
Line 386: Line 399:
 MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key" MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
 MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt" MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
 +MESSENGER_HTTPS_IN = ""
 +MESSENGER_CHILDREN = "10"
 +MESSENGERV3LOCATION = "/etc/httpd/conf.d/"
 +MESSENGERV3RESTART = "service httpd restart"
 +MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf"
 +MESSENGERV3GROUP = "apache"
 +CLUSTER_SENDTO = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
 +CLUSTER_RECVFROM = "198.167.189.18,198.167.189.19,198.167.189.20,198.167.189.25,198.167.189.26,198.167.189.28,198.167.189.29,198.167.189.30,143.110.234.14"
 +CLUSTER_MASTER = "198.167.189.18"
 +CLUSTER_KEY = "MyLFDClusterKey"
 +CLUSTER_CONFIG = "1"
 ST_SYSTEM = "0" ST_SYSTEM = "0"
 +IPTABLES = "/usr/sbin/iptables"
 +IPTABLES_SAVE = "/usr/sbin/iptables-save"
 +IPTABLES_RESTORE = "/usr/sbin/iptables-restore"
 +IP6TABLES_SAVE = "/usr/sbin/ip6tables-save"
 +IP6TABLES_RESTORE = "/usr/sbin/ip6tables-restore"
 +MODPROBE = "/usr/sbin/modprobe"
 +IFCONFIG = "/usr/sbin/ifconfig"
 SENDMAIL = "/opt/zimbra/common/sbin/sendmail" SENDMAIL = "/opt/zimbra/common/sbin/sendmail"
-HTACCESS_LOG = "/var/log/httpd/error_log" +PS = "/usr/bin/ps" 
-MODSEC_LOG = "/var/log/httpd/error_log"+NETSTAT = "/usr/bin/netstat" 
 +LS = "/usr/bin/ls" 
 +TAR = "/usr/bin/tar" 
 +GUNZIP = "/usr/bin/gunzip" 
 +DD = "/usr/bin/dd" 
 +GREP = "/usr/bin/grep" 
 +IP = "/usr/sbin/ip" 
 +HTACCESS_LOG = "/var/log/apache2/error_log" 
 +MODSEC_LOG = "/var/log/apache2/error_log
 +SSHD_LOG = "/var/log/auth.log" 
 +SU_LOG = "/var/log/syslog" 
 +FTPD_LOG = "/var/log/syslog"
 SMTPAUTH_LOG = "/var/log/secure" SMTPAUTH_LOG = "/var/log/secure"
-CUSTOM1_LOG = "/var/log/maillog"+POP3D_LOG = "/var/log/mail.log" 
 +IMAPD_LOG = "/var/log/mail.log" 
 +IPTABLES_LOG = "/var/log/syslog" 
 +SUHOSIN_LOG = "/var/log/syslog" 
 +BIND_LOG = "/var/log/syslog" 
 +SYSLOG_LOG = "/var/log/syslog" 
 +WEBMIN_LOG = "/var/log/auth.log" 
 +CUSTOM1_LOG = "/var/log/mail.log" 
 +PORTS_pop3d = "25,110,143,465,587,993,995" 
 +PORTS_imapd = "25,110,143,465,587,993,995" 
 +PORTS_sshd = "22,2222"
 GENERIC = "1" GENERIC = "1"
 </file> </file>
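Review bot: CLUSTER_KEY = "MyLFDClusterKey" is the shared secret that authenticates lfd cluster traffic between every host in CLUSTER_SENDTO/CLUSTER_RECVFROM, and CLUSTER_CONFIG = "1" lets the master push configuration changes to all members, so a short guessable key published on a wiki page is a real exposure; redact it the way MM_LICENSE_KEY was ("xxxxxxxxxxxxxxx") and use a long random value in the live config. The MESSENGER/MESSENGERV3 additions use RHEL paths (/etc/httpd/conf.d/, "service httpd restart", group "apache", /etc/pki/tls) while the same hunk moves HTACCESS_LOG, SSHD_LOG and FTPD_LOG to Ubuntu locations; on Ubuntu 20.04 Apache lives under /etc/apache2, its group is www-data and its log is /var/log/apache2/error.log (not error_log), so these look copied from a RHEL template. SMTPAUTH_LOG = "/var/log/secure" is likewise a RHEL path that does not exist on Ubuntu; point it at /var/log/auth.log or /var/log/mail.log for consistency with SSHD_LOG. MODSEC_LOG also lacks its closing quote as rendered.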
  
internet/mail/zimbra/zimbra_firewall.1665156463.txt.gz · Last modified: 2022/10/07 09:27 by gcooper