Zimbra’s DoSFilter (Denial of Service Filter) is a mechanism to throttle or block IP addresses that generate repeated failed logins against your Zimbra system.  Zimbra’s Classes of Service include a Failed Login Lockout policy that will put a mailbox in Locked Out mode, hopefully before a brute force attack is successful.  The two together can improve system security and protect legitimate users, but only if configured appropriately.

DoSFilter is generally easier to configure than fail2ban in multi-server systems, because in a multi-server system the logger host is usually one of the mailbox servers, but you want to do the fail2ban blocking on the MTA and Proxy servers.  Making all that work is complex, and if you are running Network Edition, Zimbra Support can help you troubleshoot DoSFilter; with fail2ban you are on your own.  On single-server Zimbra systems, fail2ban works fine, but you’ll need to source up-to-date Zimbra “jail” configuration files, which is yet another reason to favor DoSFilter over fail2ban.

Challenge:
Since the DoSFilter configurations are made via the command line only, but the Failed Login Lockout Policy can be configured via the Admin Console, what I often encounter is well-intentioned system administrators who inadvertently cause their users’ mailboxes to be locked out by the near-continuous brute force attacks we all experience.

Solution:
The trick is to make DoSFilter your first line of defense:  Have DoSFilter block or throttle IP addresses before the Failed Login Lockout Policy kicks in.

In this way, your legitimate users won’t get locked out on account of a brute force attack from someplace else.

Steps To Implement:
Let’s first configure DoSFilter to throttle, for 30 minutes, bad actors who have produced more than 10 failed logins; as well as bad actors who try to overwhelm our server with more than 100 requests per second.  As the zimbra user, just run:

zmprov mcf zimbraHttpDosFilterDelayMillis 20
zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100
zmprov mcf zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating 30
zmprov mcf zimbraInvalidLoginFilterMaxFailedLogin 10
zmprov mcf zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin 5

The above will take care of throttling individual misbehaving IP addresses, but now we want to lock out a mailbox for an hour if there are more than 15 failed login attempts (from anywhere) within a one-hour period.  For every Class of Service on your system, in the Admin Console navigate to Home > Configure > Class of Service > (each class of service) > Advanced > Failed Login Policy and set the policy to those values: lockout enabled, a maximum of 15 failed logins within a one-hour window, and a one-hour lockout.  Note that the mailbox threshold (15) is deliberately higher than the per-IP DoSFilter threshold (10), so that a single attacking IP is throttled before the mailbox locks.

If you are in a large organization and you have branch offices with large numbers of users who repeatedly keep trying bad passwords, there’s a chance that DoSFilter could wind up throttling the entire branch.  In that case, you’ll want to whitelist those branch IP addresses (typically the WAN IP of the branch office router) from DoSFilter.  This is also done from the command line only.  If your branch office WAN IP is 35.171.80.173 and you are running Zimbra 8.8, you would run as the zimbra user:

zmprov mcf +zimbraHttpThrottleSafeIPs 35.171.80.173/32
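A quick way to confirm that the two settings are ordered correctly, i.e. that DoSFilter's per-IP failed-login limit is below the Class of Service lockout limit, is to compare the values zmprov reports.  This is an added example, not Zimbra's own tooling: it assumes the `attr: value` output format of `zmprov gcf` / `zmprov gc`, and that the Admin Console's Failed Login Policy maps to the CoS attributes zimbraPasswordLockoutEnabled and zimbraPasswordLockoutMaxFailures; the zmprov output below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that DoSFilter throttles
# an IP before the CoS Failed Login Policy locks the mailbox.
# Constructed sample output, standing in for:
#   zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin   (as the zimbra user)
#   zmprov gc <cos-name> zimbraPasswordLockoutEnabled zimbraPasswordLockoutMaxFailures
SAMPLE_GLOBAL='zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 30
zimbraHttpDosFilterMaxRequestsPerSec: 100'
SAMPLE_COS='zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 15
zimbraPasswordLockoutDuration: 1h'

# attr_value <attribute> <zmprov output> : prints the value, empty if absent
attr_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# check_order <global config output> <cos output>
# Returns 0 when the per-IP DoSFilter limit is strictly below the mailbox
# lockout limit (or lockout is disabled), 1 when a mailbox would lock first
# or a needed value is missing.
check_order() {
    dos=$(attr_value zimbraInvalidLoginFilterMaxFailedLogin "$1")
    lockout_on=$(attr_value zimbraPasswordLockoutEnabled "$2")
    lockout=$(attr_value zimbraPasswordLockoutMaxFailures "$2")
    [ "$lockout_on" = TRUE ] || return 0   # no lockout policy: nothing to order
    [ -n "$dos" ] && [ -n "$lockout" ] || return 1
    [ "$dos" -lt "$lockout" ]
}

if check_order "$SAMPLE_GLOBAL" "$SAMPLE_COS"; then
    echo "OK: DoSFilter throttles an IP before the mailbox locks out"
else
    echo "WARNING: mailbox lockout threshold is not above the DoSFilter threshold" >&2
fi
```

On a real system, replace the two samples with the captured output of the zmprov commands named in the comments and run the check once per Class of Service.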

These three steps, enabling DoSFilter, setting a Failed Login Policy at a higher threshold, and whitelisting your branch office WAN IPs, will go a long way to blocking bad actors while still keeping Zimbra available to legitimate users.

If you’d like help reviewing and improving your Zimbra security posture, get in touch with us by filling out the form below!