Zimbra IP Ports Used: http://wiki.zimbra.com/wiki/Ports
Test Your Firewall: http://scanme.firebind.com/applet.html
Make sure your Zimbra server is working well before implementing a firewall. Suspect the firewall if something stops working or isn't working properly.
http://wiki.zimbra.com/wiki/Firewall_Configuration
Clustering requires additional ports.
This rule set still needs to be modified and verified. The loopback, ESTABLISHED/RELATED and default-DROP lines are added here: without a DROP policy the ACCEPT rules have no effect, and without the loopback and state rules Zimbra's local services and replies to outbound connections would be cut off once the policy is DROP.
iptables -F                                                        # Flush current rules
iptables -A INPUT -i lo -j ACCEPT                                  # Loopback: Zimbra's LDAP, MySQL and memcached talk over it
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # Replies to connections the server opened (DNS, outbound SMTP)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT                      # SSH
iptables -A INPUT -p tcp --dport 25 -j ACCEPT                      # SMTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP (for webmail)
iptables -A INPUT -p tcp --dport 110 -j ACCEPT                     # POP3
iptables -A INPUT -p tcp --dport 143 -j ACCEPT                     # IMAP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                     # HTTPS
iptables -A INPUT -p tcp --dport 465 -j ACCEPT                     # SMTPS
iptables -A INPUT -p tcp --dport 587 -j ACCEPT                     # MSA (submission)
iptables -A INPUT -p tcp --dport 993 -j ACCEPT                     # IMAPS
iptables -A INPUT -p tcp --dport 995 -j ACCEPT                     # POP3S
iptables -A INPUT -p tcp --dport 7071 -j ACCEPT                    # Port for ZCS Web Administration
iptables -P INPUT DROP                                             # Default deny for everything not accepted above; set last, after the ACCEPT rules
/etc/init.d/iptables save                                          # Rules persist after reboot
Unfinished
See also ConfigServer Security & Firewall (CSF)
http://syslint.com/syslint/how-to-configure-zimbra-csf-the-best-zimbra-firewall-configuration/
Reload or restart CSF and LFD for changes to be activated.
RegEx Tester: https://www.regextester.com/
Reference: https://cloudpro.zone/index.php/2018/03/28/csf-lfd-regular-expressions/
Note that the Postfix log format seems to change frequently, so your custom regex will only work until the next log format change.
Consider this line clipped from /var/log/mail.log:
Sep 4 06:09:43 zimbra3 postfix/smtps/smtpd[585833]: warning: unknown[142.163.55.66]: SASL LOGIN authentication failed: authentication failure
Add a custom RegEx to detect authentication failures (5 failures, block ports 25 and 587, for 3600 seconds):
vim /usr/local/csf/bin/regex.custom.pm
Insert in the middle, between the comments:
if (($lgfile eq $config{CUSTOM1_LOG}) and
    ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed.*/)) {
    # alert text, $1 = offending IP, rule identifier, trigger count, ports to block, block time in seconds
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
$1 matches the offending IP address.
Variants for older log formats:
# Older format: a single hostname token after the timestamp and a lower-case daemon name under postfix/
if (($lgfile eq $config{CUSTOM1_LOG}) and
    ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/[A-Za-z]*?\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed.*/)) {
    # $1, not $2: the pattern has only one capture group, so $2 would be empty and nothing would be blocked
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
# Older still: postfix/smtpd without a service sub-name; stricter settings (3 failures, port 25 only, 600 seconds)
if (($lgfile eq $config{CUSTOM1_LOG}) and
    ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}
# Matches Zimbra mailbox.log-style lines (... oip=1.2.3.4;] security ... invalid password) rather than
# Postfix ones, so the CUSTOM1_LOG it is compared against would have to point at that log file
if (($lgfile eq $config{CUSTOM1_LOG}) and
    ($line =~ /^\S+\s+\d+:\d+:\d+,\d+\s+\w{4}\s+\[.*oip=(\d+\.\d+\.\d+\.\d+);\]\s+security\s.*invalid password.*/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}
Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:
vim /etc/csf/csf.conf
Change:
CUSTOM1_LOG = "/var/log/mail.log"
Sample entries for /etc/csf/csf.allow, the file listing addresses that are allowed through iptables (replace the networks with your own):
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addresses listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.0.0/24 # csf SSH installation/upgrade IP address - Sat Nov 8 14:46:55 2014
10.1.1.9 # NFS backup server
10.1.1.40 # Manually allowed
78.123.35.134 # Manually allowed
49.312.33.99 # Manually allowed
tcp|in|d=25|s=174.37.170.192/27 # GDI Spam Filter Servers
tcp|in|d=25|s=174.36.242.64/27 # GDI Spam Filter Servers
tcp|in|d=25|s=208.43.201.128/27 # GDI Spam Filter Servers
tcp|in|d=25|s=67.225.140.128/26 # GDI Spam Filter Servers
tcp|in|d=25|s=50.201.66.0/24 # GDI Spam Filter Servers
udp|out|d=53|| # Outbound DNS query with random source port
These entries will minimize Process Tracking false alerts (entries for multiple Zimbra versions):
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon
exe:/opt/zimbra/common/libexec/smtp
exe:/opt/zimbra/common/libexec/proxymap
exe:/opt/zimbra/common/libexec/smtpd
exe:/opt/zimbra/common/libexec/postscreen
exe:/opt/zimbra/common/sbin/nginx
exe:/opt/zimbra/common/libexec/showq
exe:/opt/zimbra/common/libexec/trivial-rewrite
exe:/opt/zimbra/common/libexec/anvil
exe:/opt/zimbra/common/libexec/tlsmgr
exe:/opt/zimbra/common/libexec/qmgr
exe:/opt/zimbra/common/libexec/pickup
exe:/opt/zimbra/common/libexec/cleanup
exe:/opt/zimbra/common/libexec/bounce
cmd:/usr/bin/vmstat -n -S K 30
cmd:/usr/lib/polkit-1/polkitd --no-debug
cmd:/bin/bash /opt/zimbra/bin/zmloggerctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/bin/bash /opt/zimbra/bin/zmstorectl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:lmtp -t unix -u
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news
cmd:/usr/bin/perl -T -w /opt/zimbra/zimbramon/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-update -v --allowplugins --refreshmirrors
cmd:/opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
cmd:/opt/zimbra/common/sbin/clamd --config-file=/opt/zimbra/conf/clamd.conf
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services msg-forwarder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services childproc-minder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services snmp-responder
cmd:/usr/bin/perl -T /opt/zimbra/common/sbin/amavis-mc
cmd:nginx: worker process
cmd:nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
cmd:/opt/zimbra/common/sbin/unbound
cmd:/opt/zimbra/common/bin/mdb_stat -e /opt/zimbra/data/ldap/mdb/db
cmd:/opt/zimbra/common/libexec/slapd -l LOCAL0 -u zimbra -h ldap://zimbra.virtualarchitects.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
cmd:/opt/zimbra/common/sbin/saslauthd -r -a zimbra
cmd:/opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
cmd:/opt/zimbra/common/libexec/scache
cmd:/opt/zimbra/common/bin/java -version
cmd:/bin/bash /opt/zimbra/bin/zmhostname
cmd:/bin/bash /opt/zimbra/bin/zmlocalconfig -m nokey zimbra_server_hostname
cmd:/bin/bash /opt/zimbra/bin/zmantispamctl status
pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/bin/bash /opt/zimbra/bin/zmlocalconfi.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:sh -c /opt/zimbra/bin/zmantispamct.*
pcmd:/bin/bash /opt/zimbra/bin/zmantispamct.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/common/bin/sa-lear.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/common/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/mysqld --defaults-file=/opt.*
pcmd:/opt/zimbra/common/sbin/amavis.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatchdog_scrip.*
pcmd:/usr/bin/perl /opt/zimbra/common/bin/swatchdog.*
pcmd:/opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/logswatchrc.*
pcmd:/opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd.*
pcmd:/opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.*
pcmd:/opt/zimbra/common/bin/java -client -cp /opt/zimbra/lib/jars/zimbracommon.*
pcmd:/opt/zimbra/common/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless.*
pcmd:/opt/zimbra/common/bin/memcached -d -P /opt/zimbra/log/memcached.pid.*
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/postfix-.*/libexec/smtp
pexe:/opt/zimbra/common/libexec/smtp.*
Use this command to compare the stock and modified csf.conf files (it prints only the lines that differ, with comments stripped):
diff --unchanged-line-format= --old-line-format= --new-line-format='%L' /root/csf/csf.conf /etc/csf/csf.conf | grep -v \#
Output from one Zimbra server, i.e. the settings that differ from the stock csf.conf:
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "22,25,80,110,143,443,465,587,993,995,5222:5223,7071,8443"
TCP_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,7071"
UDP_IN = "53,123"
UDP_OUT = "53,113,123,33434:33523"
IPV6 = "1"
TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,5222:5223,7071,8443"
TCP6_OUT = "22,25,53,80,110,113,143,443,465,587,993,995,2222,7071"
UDP6_IN = "53,123"
UDP6_OUT = "53,113,123,33434:33523"
USE_CONNTRACK = "1"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
STYLE_CUSTOM = "1"
SMTP_ALLOWUSER = ""
SYNFLOOD = "1"
CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
CONNLIMIT_LOGGING = "1"
LF_PERMBLOCK_COUNT = "2"
LF_NETBLOCK = "1"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_SELECT = "1"
LF_EMAIL_ALERT = "0"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_POP3D_PERM = "600"
LF_IMAPD_PERM = "600"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_WEBMIN_EMAIL_ALERT = "0"
LF_CONSOLE_EMAIL_ALERT = "0"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
PT_USERMEM = "200"
PT_USERRSS = "200"
PT_APACHESTATUS = "http://127.0.0.1/server-status"
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
ST_SYSTEM = "0"
SENDMAIL = "/opt/zimbra/common/sbin/sendmail"
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SMTPAUTH_LOG = "/var/log/secure"
CUSTOM1_LOG = "/var/log/maillog"
GENERIC = "1"