Developers • Re: Stopping attacks in real-time

Hi Jim,

I like how you are thinking (if I am understanding it correctly) but I'm wondering if trying to do this in Zimbra's nginx is optimal?

The Zimbra wiki Fail2ban filters parsing mailbox.log and zimbra.log are generally looking just for repeated login failures. In our case, I have added additional filter regexes, like when I see bad actors impersonating From: addresses of gmail.com users, but sending from a non-Gmail mail server. None of these emails have ever gotten through, but if I can ban the bad actors' IPs, it lightens the load on Zimbra and makes it just a little harder for bad actors to approach...

Anyway, I've always thought of modsecurity3 as essentially a WAF. Commercial WAFs with which I'm familiar have rule sets updated very frequently by the vendor much like DNSBLs update their database entries.

I also have in my mind that some of the now-plugged Zimbra exploits, like the mailbox import thing, have legitimate uses, so can't be blocked outright. Further, in our case with customers traveling and domiciled all over the globe, GeoIP blocking isn't really an option, and doesn't buy us anything anyway since most bad behavior we see in the logs comes from countries with governments friendly to (or at least tolerant of) the United States.

I guess I'm asking if your ultimate goal is to build a kind of extensible Zimbra-specific WAF? And if so, would it be better if it sat in front of Zimbra, like a Layer 7 load balancer with WAF-like functionality? It could then have remote-update capability, as you and/or the community spot different flavors of attacks.

As re things like LUA, no one I have seen has been able to come up with bulletproof AppArmor/SELinux configurations that would allow us to keep them on reliably with Zimbra; one customer last year tried to install Zimbra on a CIS-compliant version of Ubuntu and had to make a number of adjustments to get it to work. Knowing that the file system changed could, I could see, be helpful, but it also might be too late, like if the LUA alert is sent by email but the Active mailq is already in the tens of thousands...

Apologies if I've totally misunderstood the direction in which you are trying to head!

I absolutely believe you have identified an area needing attention, to be clear.

All the best,
Mark

Statistics: Posted by L. Mark Stone — Mon May 01, 2023 2:54 pm
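The Fail2ban-style filter Mark describes (flagging mail that claims a gmail.com From: address but arrives from a server that is not Google's, then banning the source IP once it repeats) can be sketched as a small log scanner. This is an added illustration, not Mark's filter and not Zimbra's or Fail2ban's own code: the log lines are constructed and deliberately simplified (one Postfix-like line carrying both the client IP and the sender), the `TRUSTED_SENDERS` ranges are made-up documentation addresses standing in for the provider's published SPF networks, and `maxretry` mirrors Fail2ban's setting of the same name. It generalizes the gmail.com case to any watched domain.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real Zimbra/Postfix output; the single-line
# "client=...[ip], from=<...>" shape is an assumption made for the example).
SAMPLE_LOG = """\
May  1 14:01:02 mail postfix/smtpd[1234]: ABC123: client=unknown[203.0.113.7], from=<someone@gmail.com>
May  1 14:01:09 mail postfix/smtpd[1234]: ABC124: client=unknown[203.0.113.7], from=<other@gmail.com>
May  1 14:01:15 mail postfix/smtpd[1234]: ABC125: client=unknown[203.0.113.7], from=<third@gmail.com>
May  1 14:02:00 mail postfix/smtpd[1234]: ABC126: client=mail-xx.google.com[198.51.100.20], from=<real@gmail.com>
May  1 14:02:30 mail postfix/smtpd[1234]: ABC127: client=unknown[203.0.113.9], from=<bob@example.org>
"""

# Networks legitimately allowed to send for a watched domain. Placeholder values
# (RFC 5737 documentation range); in practice populate from the provider's SPF data.
TRUSTED_SENDERS = {
    "gmail.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Pull the connecting client IP and the sender address out of one log line.
LINE_RE = re.compile(
    r"client=(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\],\s*from=<(?P<addr>[^>]*)>"
)


def parse_line(line):
    """Return (client_ip, sender_domain) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addr = m.group("addr")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return m.group("ip"), domain


def is_spoofed(ip, domain):
    """True when the domain is watched and the IP is outside its trusted ranges."""
    nets = TRUSTED_SENDERS.get(domain)
    if nets is None:
        return False  # domain not under watch, nothing to say about it
    try:
        src = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address; leave it to other filters
    return not any(src in net for net in nets)


def find_ban_candidates(log_text, maxretry=3):
    """Count spoofed-sender hits per client IP; return IPs at or above maxretry.

    Fail2ban additionally bounds the count to a findtime window; that is
    omitted here to keep the scanner stateless over a single log excerpt.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, domain = parsed
        if is_spoofed(ip, domain):
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    # With the constructed sample, only 203.0.113.7 reaches the threshold.
    print(find_ban_candidates(SAMPLE_LOG))
```

The check is envelope-level only: it says nothing about whether the message was otherwise spam, which matches Mark's point that the goal is to shed load from repeat sources rather than to classify mail.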