Protecting Zimbra OSE from brute-force and DoS attacks

The Open-Source Edition of Zimbra Collaboration Suite ships with a number of powerful tools for keeping data secure. Among them are Postscreen, a solution that protects the mail server from botnet attacks; ClamAV, an antivirus that can scan incoming files and messages for malware; and SpamAssassin, one of the best spam filters available today. However, these tools cannot protect Zimbra OSE from brute-force attacks. Brute-forcing passwords with a special dictionary is not the most elegant attack, but it is still quite effective: it brings not only the possibility of a successful unauthorized login with all the consequences that follow, but also a significant load on the server, which has to process every one of the failed attempts to break into a server running Zimbra OSE.

In principle, you can protect yourself from brute force with the standard Zimbra OSE tools. The password-policy settings let you set the number of failed password entry attempts after which the targeted account is locked. The main problem with this approach is that a situation can arise in which the accounts of one or more employees are locked because of a brute-force attack on them that they had nothing to do with, and the resulting downtime for those employees can cause the company serious losses. That is why it is better not to use this option for protection against brute force.

For protection against brute force, a special tool called DoSFilter is much better suited; it is built into Zimbra OSE and can forcibly terminate connections to Zimbra OSE over HTTP. In other words, the operating principle of DoSFilter is similar to that of Postscreen, only it is applied to a different protocol. Originally designed to limit the number of actions a single user can perform, DoSFilter can also provide protection against brute force. Its main difference from the tool built into Zimbra is that after a certain number of failed attempts it blocks not the user, but the IP address from which the attempts to log in to a particular account were made. Thanks to this, the system administrator can not only protect against brute force, but also avoid locking out company employees by adding the company's internal network to the list of trusted IP addresses and subnets.

A big advantage of DoSFilter is that, besides attempts to log in to a particular account, this tool lets you automatically block attackers who have obtained an employee's authentication data, then successfully logged in to his account and started sending hundreds of requests to the server.

You can configure DoSFilter with the following console commands:

  • zimbraHttpDosFilterMaxRequestsPerSec - with this command you can set the maximum number of connections allowed for one user. By default this value is 30 connections.
  • zimbraHttpDosFilterDelayMillis - with this command you can set the delay in milliseconds for connections that exceed the limit set by the previous command. Besides a numeric value, the administrator can specify 0, so that there is no delay at all, or -1, so that all connections exceeding the specified limit are simply dropped. The default value is -1.
  • zimbraHttpThrottleSafeIPs - with this command the administrator can specify trusted IP addresses and subnets that are not subject to the restrictions listed above. Note that the syntax of this command varies depending on the desired result. For example, by entering the command zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 you completely overwrite the list and leave only that one IP address in it. If you enter the command zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1, the IP address you entered is added to the whitelist. Similarly, using the minus sign, you can remove any IP from the allowed list.

Note that DoSFilter can cause a number of problems when the Zextras Suite Pro extension is in use. To avoid them, we recommend raising the number of connections from 30 to 100 with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100. In addition, we recommend adding the internal network to the list of allowed addresses. This can be done with the command zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After making any changes to DoSFilter, be sure to restart your mail server with the command zmmailboxdctl restart.
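As an added illustration (not part of the original article and not Zimbra's own code), the following Python model shows how the three settings above interact: requests from one address are counted per second, anything beyond zimbraHttpDosFilterMaxRequestsPerSec is rejected when the delay value is -1, delayed when it is positive and passed when it is 0, and addresses in zimbraHttpThrottleSafeIPs are never throttled. It is a deliberately simplified model of the behaviour the page describes, not the Jetty DoSFilter implementation; the class name, function names and sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Values from the page: the default limit, the default delay, and a safe list
# built from the two zmprov commands shown above.
MAX_REQUESTS_PER_SEC = 30          # zimbraHttpDosFilterMaxRequestsPerSec (default 30)
DELAY_MILLIS = -1                  # zimbraHttpDosFilterDelayMillis: -1 drop, 0 no delay, N ms delay
SAFE_IPS = ["127.0.0.1", "192.168.0.0/24"]   # zimbraHttpThrottleSafeIPs


class DosFilterModel:
    """Simplified model (an assumption for this example, not Jetty's DoSFilter) of the per-IP limit."""

    def __init__(self, max_rps=MAX_REQUESTS_PER_SEC, delay_ms=DELAY_MILLIS, safe_ips=SAFE_IPS):
        self.max_rps = max_rps
        self.delay_ms = delay_ms
        self.safe = [ipaddress.ip_network(s, strict=False) for s in safe_ips]
        self.counts = defaultdict(int)   # (ip, wall-clock second) -> requests seen so far

    def handle(self, ip, t):
        """Classify one request from ip at time t (seconds): 'pass', 'delay' or 'reject'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.safe):
            return "pass"                # trusted sources are never throttled
        key = (ip, int(t))
        self.counts[key] += 1
        if self.counts[key] <= self.max_rps:
            return "pass"
        if self.delay_ms < 0:
            return "reject"              # -1: connections over the limit are dropped
        if self.delay_ms == 0:
            return "pass"                # 0: no delay at all
        return "delay"                   # N > 0: request is held for N ms before service


def simulate(ip, n, max_rps=MAX_REQUESTS_PER_SEC, delay_ms=DELAY_MILLIS):
    """Fire n requests from ip inside a single second and tally the outcomes."""
    f = DosFilterModel(max_rps, delay_ms)
    tally = defaultdict(int)
    for i in range(n):
        tally[f.handle(ip, i / n)] += 1
    return dict(tally)


if __name__ == "__main__":
    print("default settings, 40 req/s:", simulate("203.0.113.7", 40))
    print("Zextras recommendation:     ", simulate("203.0.113.7", 40, max_rps=100))
    print("trusted subnet:             ", simulate("192.168.0.5", 40))
```

Running the script shows why the Zextras recommendation matters: with the default limit, a client that sends 40 requests in one second has 10 of them dropped, while the same burst passes untouched once the limit is raised to 100 or the client sits in a safe subnet.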

The main drawback of DoSFilter is that it works at the application level and can therefore only limit an attacker's ability to perform various actions on the server, without limiting the ability to connect to it. Because of this, requests sent to the server for authentication or for sending mail, even though they are obviously going to fail, still amount to a real DoS attack, which cannot be stopped at this level.

To fully protect an enterprise server running Zimbra OSE, you can use a solution such as Fail2ban, a utility that can continuously monitor the system logs for repeated actions and block the intruder by changing the firewall settings. Blocking at such a low level lets you cut attackers off right at the level of the IP connection to the server. Fail2Ban can therefore complement the protection built with DoSFilter. Let's find out how you can make Fail2Ban work together with Zimbra OSE and thereby increase the security of your company's IT infrastructure.

Like any enterprise-class application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its operation. Most of them are stored as files in the /opt/zimbra/log/ folder. Here are some of them:

  • mailbox.log - Jetty mail server logs
  • audit.log - authentication logs
  • clamd.log - antivirus logs
  • freshclam.log - antivirus update logs
  • convertd.log - attachment conversion logs
  • zimbrastats.csv - server performance logs

Zimbra logs can also be found in the file /var/log/zimbra.log, where the logs of Postfix and of Zimbra itself are kept.

To protect our system from brute force, we will monitor mailbox.log, audit.log and zimbra.log.

For everything to work, Fail2Ban and iptables must be installed on your server with Zimbra OSE. If you use Ubuntu, you can check this with the command dpkg -s fail2ban; if you use CentOS, you can check it with the command yum list installed fail2ban. If you do not have Fail2Ban installed, installing it will not be a problem, since this package is available in almost all repositories.

Once all the necessary software is installed, you can start configuring Fail2Ban. To do this you need to create the configuration file /etc/fail2ban/filter.d/zimbra.conf, in which we will write regular expressions for the Zimbra OSE logs that match failed login attempts and trigger Fail2Ban's mechanisms. Here is an example of the contents of zimbra.conf with a set of regular expressions matching the various errors Zimbra OSE emits when an authentication attempt fails:

# Fail2Ban configuration file
# Square brackets and parentheses are regex metacharacters and must be escaped
# so that they match the literal characters in the Zimbra log lines.

[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

ignoreregex =

Once the regular expressions for Zimbra OSE are in place, it is time to start editing the configuration of Fail2ban itself. The settings of this utility are in the file /etc/fail2ban/jail.conf. Just in case, let's make a copy of it with the command cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak. After that, we reduce this file to roughly the following form:

# Fail2Ban configuration file
# The mail addresses below are placeholders (the published version shows them
# obfuscated); substitute your own. A second action for a jail goes on an
# indented continuation line under the first one.

[DEFAULT]
ignoreip = 192.168.0.1/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=support@company.ru, sender=fail2ban@company.ru]
logpath = /var/log/messages
maxretry = 5

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=support@company.ru]
logpath = /var/log/zimbra.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=support@company.ru]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=support@company.ru]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

Although this example is complete, it is still worth explaining some of the parameters you may want to change when setting up Fail2Ban yourself:

  • ignoreip - with this parameter you can specify particular IP addresses or subnets that Fail2Ban should not check. As a rule, the company's internal network and other trusted addresses are added to the ignore list.
  • bantime - the time for which the offender is banned. Measured in seconds. A value of -1 means a permanent ban.
  • maxretry - the maximum number of times a single IP address may try to access the server.
  • sendmail - a setting that lets you send e-mail notifications automatically when Fail2Ban is triggered.
  • findtime - a setting that specifies the time interval after which an IP address may try to access the server again once it has exhausted the maximum number of failed attempts (the maxretry parameter)
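To see what the filter and the jail settings do before deploying them, here is an added Python example (not part of the original article and not Fail2Ban's own code) that compiles the six failregex lines from zimbra.conf the way Fail2Ban does, substituting its standard <HOST> group, and replays a constructed set of Zimbra log lines through the [zimbra-account] jail's maxretry, findtime, bantime and ignoreip values. It applies findtime as the window inside which the maxretry failures have to fall, which is how Fail2Ban counts them. The log lines, addresses and account names are constructed for this example; the layout of the mailbox.log and audit.log lines is modelled on Zimbra 8.8 but is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban substitutes <HOST> with this named group when it compiles a filter's failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The six patterns from the zimbra.conf filter above (with the backslashes that
# the regex needs in front of [, ], ( and ).
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Jail values taken from the [DEFAULT] / [zimbra-account] sections on this page.
MAXRETRY = 5
FINDTIME = 600      # seconds
BANTIME = 600       # seconds; -1 would mean a permanent ban
IGNOREIP = [ipaddress.ip_network("192.168.0.1/24", strict=False)]

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"   # Zimbra log lines start with "2019-03-01 10:15:22,123"


def match_failure(line):
    """Return the offending host if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host):
    """True if the host is an address inside one of the ignoreip networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname in <HOST> is never on this ignore list
    return any(ip in net for net in IGNOREIP)


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines; return {host: ban expiry datetime, or None for a permanent ban}."""
    recent = defaultdict(list)   # host -> timestamps of failures still inside the findtime window
    bans = {}
    for line in lines:
        host = match_failure(line)
        if host is None or is_ignored(host) or host in bans:
            continue
        ts = datetime.strptime(line[:23], TS_FORMAT)
        recent[host] = [t for t in recent[host] + [ts] if ts - t <= timedelta(seconds=findtime)]
        if len(recent[host]) >= maxretry:
            bans[host] = None if bantime < 0 else ts + timedelta(seconds=bantime)
    return bans


# Constructed sample log lines (not real traffic): the same five failure shapes the
# filter covers, plus an ignored subnet and a successful login that must not match.
SAMPLE_LOG = [
    # 203.0.113.7: five failures in two minutes via SOAP, IMAP and the admin console -> banned
    "2019-03-01 10:15:22,123 INFO  [qtp-47:https://mail.company.ru/service/soap/AuthRequest] [name=user@company.ru;oip=203.0.113.7;ua=zclient/8.8.15;] security - cmd=Auth; account=user@company.ru; protocol=soap; error=authentication failed for [user@company.ru], invalid password;",
    "2019-03-01 10:15:30,001 INFO  [qtp-48:https://mail.company.ru/service/soap/AuthRequest] [ip=203.0.113.7;] account - authentication failed for nobody@company.ru (no such account)",
    "2019-03-01 10:15:41,777 INFO  [ImapServer-3] [ip=203.0.113.7;] security - cmd=Auth; account=user@company.ru; protocol=imap; error=authentication failed for [user@company.ru], invalid password;",
    "2019-03-01 10:16:00,000 WARN  [qtp-50:https://mail.company.ru:7071/service/admin/soap/AuthRequest] [name=admin;ip=203.0.113.7;ua=ZimbraWebClient - GC72 (Win)/8.8.15;] security - cmd=AdminAuth; account=admin; error=authentication failed for [admin], invalid password;",
    "2019-03-01 10:17:05,900 INFO  [qtp-51:https://mail.company.ru/service/soap/AuthRequest] [oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for ghost@company.ru, account not found",
    # 198.51.100.9: only two failures -> stays below maxretry
    "2019-03-01 10:18:10,000 INFO  [ImapServer-4] [ip=198.51.100.9;] security - cmd=Auth; account=user@company.ru; protocol=imap; error=authentication failed for [user@company.ru], invalid password;",
    "2019-03-01 10:18:12,000 INFO  [ImapServer-4] [ip=198.51.100.9;] security - cmd=Auth; account=user@company.ru; protocol=imap; error=authentication failed for [user@company.ru], invalid password;",
    # 192.168.0.42 lies inside ignoreip -> never banned, however many failures it produces
    *[f"2019-03-01 10:20:{s:02d},000 INFO  [ImapServer-5] [ip=192.168.0.42;] security - cmd=Auth; account=bob@company.ru; protocol=imap; error=authentication failed for [bob@company.ru], invalid password;" for s in range(6)],
    # a successful login carries no error= field and must match none of the patterns
    "2019-03-01 10:21:00,000 INFO  [qtp-52:https://mail.company.ru/service/soap/AuthRequest] [name=user@company.ru;oip=203.0.113.50;ua=zclient/8.8.15;] security - cmd=Auth; account=user@company.ru; protocol=soap;",
]


if __name__ == "__main__":
    for host, expiry in scan(SAMPLE_LOG).items():
        print(f"{host} banned until {'forever' if expiry is None else expiry}")
```

Running it prints a single ban: 203.0.113.7 is banned on its fifth failure inside the ten-minute window (until 10:27:05), 198.51.100.9 stays below maxretry, the address in the ignored subnet is skipped, and the successful login matches nothing. Feeding the function an excerpt of your own mailbox.log is a quick way to confirm that the escaped patterns really match the lines your Zimbra version writes before you rely on the jail.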

After saving the file with the Fail2Ban settings, all that remains is to restart the utility with the command service fail2ban restart. After the restart, the main Zimbra logs will be monitored continuously for matches against the regular expressions. Thanks to this, the administrator can practically eliminate any possibility of an attacker getting into not only the Zimbra Collaboration Suite Open-Source Edition mailboxes but also any of the services running inside Zimbra OSE, and can also keep track of every attempt at unauthorized access.

For all questions related to Zextras Suite, you can contact the Zextras representative Ekaterina Triandafilidi by e-mail.

source: www.habr.com