Protecting Zimbra OSE from brute force and DoS attacks

Zimbra Collaboration Suite Open-Source Edition ships with several strong tools for protecting information. Among them are Postscreen, which shields the mail server from connection floods coming from botnets; ClamAV, an antivirus that scans incoming files and messages for malware; and SpamAssassin, one of the best spam filters available today. None of these tools, however, protects Zimbra OSE from brute-force attacks. Guessing passwords from a dictionary is not elegant, but it is effective: a successful guess hands the attacker a mailbox with everything that follows from that, and even an unsuccessful run puts a heavy load on the server, which has to process every one of the failed attempts to break into Zimbra OSE.


In principle you can defend yourself with the standard Zimbra OSE tools. The password security policy settings let you set the number of unsuccessful password attempts after which the account is locked. The big problem with this approach is that it creates situations in which the accounts of one or more employees get locked because of a brute-force attack they had nothing to do with: an attacker who merely knows a valid login can trip the lockout on purpose, turning the brute-force defense into a denial of service against that user, and the resulting downtime can cost the company real money. That is why it is better not to use this option as the protection against brute force.


A purpose-built tool called DoSFilter is much better suited to protecting against brute force. It is built into Zimbra OSE and can forcibly terminate HTTP connections to Zimbra OSE. In other words, DoSFilter works on the same principle as Postscreen, only for a different protocol. Originally designed to limit the number of actions a single user can perform, DoSFilter can also serve as brute-force protection. Its key difference from Zimbra's built-in lockout is that after a certain number of failed attempts it does not block the user, but the IP address from which the login attempts were made. Thanks to this, an administrator can protect against brute force without locking out the company's own employees, simply by adding the company's local network to the list of trusted IP addresses and subnets.

Another big advantage of DoSFilter is that it counts all requests against an account, not just failed logins. With it you can also easily block an attacker who has obtained an employee's credentials, logged in successfully, and then started sending hundreds of requests to the server.

DoSFilter is configured through the following global config attributes, set with zmprov from the console:

  • zimbraHttpDosFilterMaxRequestsPerSec - sets the maximum number of requests per second allowed from a single client. The default is 30.
  • zimbraHttpDosFilterDelayMillis - sets the delay, in milliseconds, applied to requests that exceed the limit set by the previous attribute. Besides a positive number, the administrator can specify 0, meaning no delay, or -1, meaning that every request over the limit is simply rejected. The default is -1.
  • zimbraHttpThrottleSafeIPs - lets the administrator list trusted IP addresses and subnets that are exempt from the limits above. Note that the syntax differs depending on the effect you want. Entering zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 wipes the whole list and leaves only that single address in it. Entering zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1 adds the address to the existing whitelist. Likewise, with a minus sign (zmprov mcf -zimbraHttpThrottleSafeIPs 127.0.0.1) you remove an address from the allowed list.

Note that DoSFilter can cause problems when the Zextras Suite Pro extensions are in use. To avoid them, we recommend raising the limit from 30 to 100 requests per second with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100. We also recommend adding the company's local network to the whitelist, which can be done with zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After changing the DoSFilter settings, restart the mailbox service with zmmailboxdctl restart.

The main drawback of DoSFilter is that it works at the application level and can therefore only limit what an attacker can do on the server; it does nothing to limit connections at the network level. The requests an attacker sends to the server for authentication or for sending mail are still accepted, parsed and rejected by the application, and at a high enough rate that alone amounts to a classic DoS attack that cannot be stopped at such a high layer.

To properly secure your corporate server running Zimbra OSE, you can use a solution such as Fail2ban, a utility that continuously watches the logs of an information system for recurring events and blocks the offender by changing the firewall rules. Blocking at such a low level lets you cut attackers off already at the stage of the IP connection to the server. So Fail2Ban can nicely complement the protection built with DoSFilter. Let's see how to make Fail2Ban work with Zimbra OSE and thereby raise the security of your IT infrastructure.

Like any other enterprise application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its operation. Most of them are stored as files in the /opt/zimbra/log/ directory. Some of them:

  • mailbox.log - logs of the Jetty mailbox service
  • audit.log - authentication logs
  • clamd.log - antivirus operation logs
  • freshclam.log - antivirus update logs
  • convertd.log - attachment conversion logs
  • zimbrastats.csv - server performance logs

Zimbra logs can also be found in the file /var/log/zimbra.log, which holds the logs of Postfix and of Zimbra itself.

To protect our system from brute force we will monitor mailbox.log, audit.log and zimbra.log.

For all of this to work, Fail2Ban and iptables must be installed on the server running Zimbra OSE. On Ubuntu you can check this with the command dpkg -s fail2ban; on CentOS, with yum list installed fail2ban. If Fail2Ban is not installed, installing it is no problem, since the package is available in practically all standard repositories.

Once the necessary software is installed, you can start configuring Fail2Ban. To do this, create the filter file /etc/fail2ban/filter.d/zimbra.conf, in which we write the regular expressions for the Zimbra OSE logs that match failed login attempts and trigger Fail2Ban actions. Here is an example zimbra.conf with a set of regular expressions covering the various errors Zimbra OSE writes when an authentication attempt fails. Fail2Ban treats every line of failregex as a Python regular expression, so the square brackets and parentheses that appear literally in the Zimbra log lines must be escaped, and continuation lines must be indented:

# Fail2Ban configuration file
 
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

ignoreregex =

With the regular expressions for Zimbra OSE in place, it is time to edit the configuration of Fail2ban itself. Its settings live in the file /etc/fail2ban/jail.conf. Just in case, make a backup copy of it with the command cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak. (On current Fail2Ban versions the recommended place for local changes is /etc/fail2ban/jail.local, which overrides jail.conf and survives package upgrades; the sections below work unchanged there.) Then bring the file to roughly this form:

# Fail2Ban configuration file
 
[DEFAULT]
ignoreip = 192.168.0.0/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto
 
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=[email protected], sender=[email protected]]
logpath = /var/log/messages
maxretry = 5
 
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=[email protected]]
logpath = /var/log/zimbra.log
 
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages
 
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=[email protected]]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
 
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=[email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
 
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=[email protected]]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
 
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=[email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

Although this is a fairly standard configuration, a few of the parameters you may want to change when adapting Fail2Ban to your own setup deserve an explanation:

  • ignoreip - an IP address or subnet whose addresses Fail2Ban will never ban. As a rule, the company's local network and other trusted addresses go on this exemption list.
  • bantime - how long the offender stays banned, in seconds. A value of -1 means a permanent ban.
  • maxretry - the maximum number of failed attempts from one IP address before it is banned.
  • sendmail - an action that sends an e-mail notification whenever Fail2Ban bans an address.
  • findtime - the time window, in seconds, within which maxretry failures from one address must occur for the ban to be triggered; failures older than findtime are no longer counted.

One caveat: the failregex lines in the zimbra filter are written for the message format of mailboxd (mailbox.log and audit.log). The zimbra-recipient jail points the same filter at /var/log/zimbra.log, where Postfix writes its rejections in a different format, so before relying on that jail check with fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra.conf that it actually matches something, and add expressions for the Postfix recipient rejects you want to ban on if it does not.
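The filter and jail described above can be dry-run without touching the server. The script below is an added example, not code from the article, from Zimbra or from Fail2Ban: it applies the zimbra.conf failregex set (with the brackets escaped) to constructed log lines laid out like mailbox.log, then approximates the jail's maxretry / findtime / ignoreip decision with a sliding window. The IP addresses, accounts and log lines are made up for the example, the <HOST> substitution is a simplified stand-in for Fail2Ban's own, and the window logic is an approximation of the real jail, not Fail2Ban's implementation.

```python
"""Added example (not from the article, Zimbra or Fail2Ban): run the
zimbra.conf failregex set over constructed Zimbra log lines and simulate
the jail's maxretry / findtime / ignoreip decision."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The expressions from filter.d/zimbra.conf. Fail2Ban compiles them as
# Python regexes, so the literal [ ] ( ) in the log text are escaped.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]
# Simplified stand-in for Fail2Ban's <HOST> substitution (IP literals only).
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
# mailbox.log lines start with "YYYY-MM-DD HH:MM:SS,mmm "; Fail2Ban strips the
# date before applying failregex, so we do the same.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")


def match_failure(line):
    """Return (timestamp, host) when a failregex matches the line, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(line[m.end():])
        if hit:
            return ts, hit.group("host")
    return None


def ban_decisions(lines, maxretry=5, findtime=600, ignoreip=("192.168.0.0/24",)):
    """Approximate the jail: a host is banned once it accumulates maxretry
    failures inside a sliding findtime-second window, unless it is in ignoreip."""
    safe = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of failures still inside the window
    banned = set()
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        try:
            if any(ipaddress.ip_address(host) in n for n in safe):
                continue            # trusted network: never counted
        except ValueError:
            pass                    # not a parsable address: treat as untrusted
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def _mbox(ts, tag, msg):
    """Constructed line in the mailbox.log layout (not a captured log)."""
    return f"{ts},000 INFO  [qtp1-7:https://mail.example.com/service/soap/AuthRequest] {tag} {msg}"


BAD_PW = ("security - cmd=Auth; account=alice@example.com; protocol=soap; "
          "error=authentication failed for alice@example.com, invalid password;")
IMAP_BAD = BAD_PW.replace("protocol=soap", "protocol=imap")
NO_ACCT = "account - authentication failed for nobody@example.com (no such account)"
LOGIN_OK = "security - cmd=Auth; account=alice@example.com; protocol=soap;"

# Constructed sample log (sorted chronologically, as Fail2Ban would read it).
SAMPLE_LINES = sorted(
    # 203.0.113.7: five failures within five minutes (SOAP, then IMAP) -> banned
    [_mbox(f"2020-04-01 10:1{i}:00", "[ip=203.0.113.7;]", BAD_PW) for i in range(4)]
    + [_mbox("2020-04-01 10:14:30", "[name=alice@example.com;oip=203.0.113.7;ip=10.0.0.5;]", IMAP_BAD)]
    # 198.51.100.9: four failures, then a fifth 20 minutes later -> window expired, not banned
    + [_mbox(f"2020-04-01 10:0{i}:00", "[ip=198.51.100.9;]", NO_ACCT) for i in range(4)]
    + [_mbox("2020-04-01 10:23:00", "[ip=198.51.100.9;]", NO_ACCT)]
    # 192.168.0.25: six failures from inside ignoreip -> never banned
    + [_mbox("2020-04-01 10:15:00", "[ip=192.168.0.25;]", BAD_PW) for _ in range(6)]
    # a successful login: matches no failregex at all
    + [_mbox("2020-04-01 10:16:00", "[ip=203.0.113.7;]", LOGIN_OK)]
)

if __name__ == "__main__":
    print("banned:", sorted(ban_decisions(SAMPLE_LINES)))
```

Running it bans only 203.0.113.7: the address that spread its failures over more than findtime is not banned, and the office workstation inside ignoreip is never counted however many times it fails. Re-running with findtime=3600 or ignoreip=() shows how loosening either parameter widens the ban set, which is exactly the trade-off to think about before pointing such a jail at a server that employees reach through a shared NAT address.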

After saving the file with the Fail2Ban settings, all that remains is to restart the utility with the command service fail2ban restart. From then on the main Zimbra logs are continuously checked against the regular expressions. Thanks to this, the administrator can make it far harder for an attacker not only to break into Zimbra Collaboration Suite Open-Source Edition mailboxes but also to reach any of the other services running inside Zimbra OSE, and stays informed about attempts to gain unauthorised access.

For all questions about Zextras Suite, you can contact Zextras Representative Ekaterina Triandafilidi by e-mail: [email protected]

Source: www.habr.com
