fail2ban sur Ubuntu 18.04
# Install fail2ban from the Ubuntu 18.04 package repositories (needs root).
sudo apt-get install fail2ban
ensuite on crée un fichier /etc/fail2ban/jail.local (les surcharges locales vont dans ce fichier, jamais dans jail.conf, qui est écrasé à chaque mise à jour du paquet)
et on active certaines prisons (jails) déjà définies dans jail.conf :
# /etc/fail2ban/jail.local -- local overrides read on top of jail.conf and
# jail.d/*.conf. Only the jails listed here change state; every other
# setting keeps its packaged default.

# SSH brute-force protection is explicitly switched off here. On
# Debian/Ubuntu the package ships jail.d/defaults-debian.conf, which
# enables sshd by default, so this override disables it -- confirm that is
# really intended on an internet-facing host.
[sshd]
enabled = false

# Apache jails shipped with fail2ban (they expect the stock Apache
# error/access log locations of the distribution).
[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-botsearch]
enabled = true

[apache-noscript]
enabled = true
# List the jails the running fail2ban has loaded. Changes to jail.local only
# show up here once fail2ban has been reloaded or restarted.
sudo fail2ban-client status
sur ZIMBRA on crée un filtre spécial pour les échecs d'authentification SASL des instances submission et smtps de Postfix :
/etc/fail2ban/filter.d/zimbra-submission.conf
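[Definition]
# Postfix SASL authentication failures on the submission and smtps smtpd
# instances, as logged by the Zimbra-bundled Postfix. <HOST> is fail2ban's
# placeholder for the client address to ban.
# NOTE(review): the rendered page appears to have lost the regex escapes.
# `\[\d+\]` and `.*\[<HOST>\]` are required: a bare `[\d+]` / `.[<HOST>]` is
# a character class matching a single character and cannot match a line of
# the form
#   postfix/submission/smtpd[PID]: warning: unknown[IP]: SASL LOGIN authentication failed: authentication failure
# The second pattern is a continuation line of the same option and must be
# indented, otherwise configparser does not attach it to failregex.
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
ignoreregex =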
et un second filtre, /etc/fail2ban/filter.d/zimbra.conf, pour les échecs d'authentification journalisés dans mailbox.log et audit.log :
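[Definition]
# Zimbra mailbox.log / audit.log authentication failures (IMAP/POP, SOAP,
# web client, admin console). <HOST> is fail2ban's placeholder for the
# address to ban.
# NOTE(review): escapes (`\[`, `\]`, `\(`, `\)`) and the `*` of `.*` appear
# to have been lost when the page was rendered; as written, `[ip=<HOST>;]`
# is a character class and a lone `.` matches one character, so none of
# these patterns could match a real log line.
# NOTE(review): the SOAP pattern used to begin with `;oip=`. configparser
# treats a line whose first non-blank character is `;` as a comment, so
# that pattern was silently dropped and SOAP password failures were never
# banned. It is now prefixed with `.*`, which keeps it a value line and
# does not change what it matches.
# The last pattern is a Postfix smtpd rejection; on this host Postfix logs
# to /var/log/zimbra.log (see the postfix jail), not to mailbox.log or
# audit.log, so it only fires if this filter is pointed at that log.
# Continuation lines must stay indented.
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            .*;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
ignoreregex =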
ensuite, toujours dans /etc/fail2ban/jail.local (et non dans jail.conf, qui est écrasé à chaque mise à jour du paquet), on déclare les prisons Zimbra :
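# Zimbra jails. All three use iptables-allports: a banned address is
# blocked on every TCP/UDP port, not just mail, so an admin who trips a
# jail from their own workstation also loses SSH. Put trusted addresses in
# `ignoreip` under [DEFAULT] before enabling these.
# NOTE(review): the second `action` line of each jail is a continuation of
# the same option and must be indented; at column 0 configparser reads
# `sendmail[...]` as a separate option and the mail action is never run.
# bantime is in seconds; maxretry counts failures within findtime
# (fail2ban default: 600 s).

# IMAP/POP/SOAP/web-client authentication failures from the mailbox server.
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

# Same filter applied to the audit log (admin-console / AdminAuth failures).
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

# Despite its name this jail bans SASL authentication failures on
# submission/smtps (filter zimbra-submission); the "Recipient address
# rejected" pattern lives in the zimbra filter, which the jails above apply
# only to mailbox.log/audit.log, so it presumably never fires as configured.
# bantime here is 48 h on all ports: a legitimate client retrying a stale
# saved password 5 times is locked out of everything for two days --
# consider a shorter bantime or ignoreip for known networks.
[zimbra-recipient]
enabled = true
filter = zimbra-submission
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5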
prison pour Postfix, puisque c'est Postfix qui assure le transfert de mail de Zimbra :
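# Stock fail2ban postfix filter applied to the Zimbra-bundled Postfix log.
# iptables-multiport with port=smtp only blocks TCP/25 for the banned
# address; submission/smtps traffic from the same address is still accepted
# by this jail (the allports Zimbra jails are what cover those).
# NOTE(review): the `sendmail-buffered` line is a continuation of `action`
# and must be indented, otherwise configparser reads it as a separate
# option and no mail is sent. bantime is in seconds (48 h).
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5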
J'ai modifié le fichier /etc/fail2ban/action.d/sendmail.conf pour qu'il utilise le sendmail de Zimbra (de préférence, mettre cette surcharge dans /etc/fail2ban/action.d/sendmail.local, qui est lu par-dessus sendmail.conf et survit aux mises à jour du paquet) :
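# actionban: mail <dest> each time an address is banned, through the
# Zimbra-bundled sendmail instead of the system one.
# fail2ban reads this file with configparser interpolation, so a literal
# percent is written %% (printf %%b -> printf %b; the date format likewise).
# <ip>, <name>, <failures>, <sender>, <dest>, <fq-hostname> are substituted
# verbatim into this shell line: <ip> is what the filter's <HOST> capture
# produced, the others come from the jail/action configuration -- keep
# dest/sender free of shell metacharacters.
# NOTE(review): the Date header is a command substitution; the backticks
# appear to have been lost when the page was rendered (without them the
# header would be the literal text of the command). Continuation lines of
# the multi-line value must be indented.
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>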
Et cela fonctionne :
# Status of a single jail; the output that follows shows one address
# currently banned by zimbra-recipient.
fail2ban-client status zimbra-recipient
Status for the jail: zimbra-recipient
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
|  `- File list: /var/log/zimbra.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 212.70.149.69