Zimbra Collaboration Suite Open-Source Edition ships with several powerful tools for information security. In principle, the standard Zimbra OSE tools can be used to protect against brute force: the password security policy lets you set the number of failed password entries after which the potentially attacked account is locked. The main problem with this approach is that one or more employees can have their accounts locked by a brute-force attack that has nothing to do with them, and the resulting downtime in their work can cost the company dearly. That is why this option for brute-force protection is best left unused.

A better fit for brute-force protection is a special tool built into Zimbra OSE called DoSFilter, which can automatically terminate HTTP connections to Zimbra OSE. In other words, DoSFilter works on the same principle as PostScreen, only for a different protocol. DoSFilter was originally designed to limit the number of actions a single user can perform, but it can also provide brute-force protection. The key difference from the other tools built into Zimbra is that after a certain number of failed attempts it is not the user who is locked out but the IP address from which the repeated login attempts against an account were made. Thanks to this, the system administrator can not only defend against brute force but also avoid locking out employees, simply by adding the company's internal network to the list of trusted IP addresses and subnets.

A big advantage of DoSFilter is that, besides repeated login attempts against an account, it can automatically block an attacker who has obtained an employee's credentials, successfully logged into the account, and started sending hundreds of requests to the server.
DoSFilter is configured with the following console commands:
- zimbraHttpDosFilterMaxRequestsPerSec - sets the maximum number of connections allowed for a single user. By default this value is 30 connections.
- zimbraHttpDosFilterDelayMillis - sets the delay, in milliseconds, applied to connections that exceed the limit set by the previous command. Besides an integer value, the administrator can specify 0 so that there is no delay at all, or -1 so that every connection over the limit is simply dropped. The default is -1.
- zimbraHttpThrottleSafeIPs - lets the administrator specify trusted IP addresses and subnets that are not subject to the limits above. Note that the syntax of this command differs depending on the desired result. For example, entering zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 overwrites the whole list, leaving only the one IP address you specified, whereas zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1 adds the IP address to the whitelist. In the same way, the minus sign removes an IP from the allowed list.

Note that DoSFilter can cause a number of problems when the Zextras Suite Pro extension is used. To avoid them, we recommend raising the number of simultaneous connections from 30 to 100 with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100. We also recommend adding the company's internal network to the allowed list, which can be done with zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After any change to DoSFilter, be sure to restart the mail server with zmmailboxdctl restart.
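To make the interplay of the three settings concrete, here is an added Python model (not Zimbra's or Jetty's code, and the class and function names are my own) that classifies a burst of requests from one client the way the settings above describe: a per-client limit of 30 requests per second, requests over the limit either dropped (-1), passed without delay (0) or delayed (N ms), and trusted subnets bypassing the limit altogether. The sliding one-second window is an assumed simplification of the real filter's accounting.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class DosFilterModel:
    """Simplified model (not Jetty's implementation) of the three DoSFilter settings."""

    def __init__(self, max_requests_per_sec=30, delay_millis=-1, safe_ips=()):
        # zimbraHttpDosFilterMaxRequestsPerSec: default 30 per client
        self.max_requests_per_sec = max_requests_per_sec
        # zimbraHttpDosFilterDelayMillis: -1 drops, 0 no delay, N delays by N ms
        self.delay_millis = delay_millis
        # zimbraHttpThrottleSafeIPs: trusted addresses/subnets that bypass the limit
        self.safe_nets = [ip_network(s, strict=False) for s in safe_ips]
        self._recent = {}  # client IP -> timestamps of requests in the last second

    def is_safe(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.safe_nets)

    def handle(self, ip, now):
        """Classify one request from `ip` arriving at time `now` (seconds)."""
        if self.is_safe(ip):
            return "accept"
        window = self._recent.setdefault(ip, deque())
        while window and now - window[0] >= 1.0:   # slide the one-second window
            window.popleft()
        window.append(now)
        if len(window) <= self.max_requests_per_sec:
            return "accept"
        if self.delay_millis == -1:
            return "reject"          # connection over the limit is simply dropped
        if self.delay_millis == 0:
            return "accept"          # over the limit, but no delay is applied
        return "delay"               # served after delay_millis


def simulate(model, ip, n_requests, interval):
    """Send n_requests from ip, `interval` seconds apart; return outcome counts."""
    counts = {"accept": 0, "delay": 0, "reject": 0}
    now = 0.0
    for _ in range(n_requests):
        counts[model.handle(ip, now)] += 1
        now += interval
    return counts


if __name__ == "__main__":
    # constructed burst: 50 requests from one address within half a second
    burst = dict(ip="203.0.113.5", n_requests=50, interval=0.01)
    print("defaults (30/s, drop):", simulate(DosFilterModel(), **burst))
    print("limit raised to 100:  ", simulate(DosFilterModel(max_requests_per_sec=100), **burst))
    print("delay 500 ms instead: ", simulate(DosFilterModel(delay_millis=500), **burst))
    safe = DosFilterModel(safe_ips=["192.168.0.0/24"])
    print("from the safe subnet: ", simulate(safe, "192.168.0.15", 50, 0.01))
```

With the defaults, the first 30 requests of the burst are accepted and the remaining 20 dropped; raising the limit to 100 (as recommended for Zextras Suite Pro) or sending from the whitelisted 192.168.0.0/24 lets all 50 through, which is exactly why the internal network should be on the safe list before the filter is tightened.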
The main drawback of DoSFilter is that it works at the application level, so it can only limit an attacker's ability to perform various actions on the server, not the ability to connect to it. Because of this, requests sent to the server for authentication or for sending mail will obviously be rejected, but they still amount to a good old DoS attack, which cannot be stopped at such a high level.

To protect a corporate Zimbra OSE server completely, you can use a solution such as Fail2ban, a framework that continuously monitors the information system's logs for repeated actions and blocks the offender by changing the firewall configuration. Blocking at such a low level cuts attackers off already at the stage of the IP connection to the server, so Fail2Ban complements the protection built with DoSFilter very well. Let's see how to connect Fail2Ban to Zimbra OSE and thereby strengthen the security of the company's IT infrastructure.

Like any other enterprise-class application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its work. Most of them are stored as files in the /opt/zimbra/log/ directory. Here are just some of them:
- mailbox.log - logs of the Jetty mail service
- audit.log - authentication logs
- clamd.log - antivirus logs
- freshclam.log - antivirus update logs
- convertd.log - attachment converter logs
- zimbrastats.csv - server performance logs
Zimbra logs can also be found in /var/log/zimbra.log, where the logs of Postfix and Zimbra itself are kept.

To protect the system from brute force, we will monitor mailbox.log, audit.log and zimbra.log.

For all of this to work, Fail2Ban and iptables must be installed on the server running Zimbra OSE. On Ubuntu you can check this with dpkg -s fail2ban; on CentOS with yum list installed fail2ban. If Fail2Ban is not installed, installing it is no problem, since the package is available in almost every standard repository.

Once all the required software is installed, you can begin setting up Fail2Ban. To do this, create the configuration file /etc/fail2ban/filter.d/zimbra.conf, in which we will write the regular expressions for the Zimbra OSE logs that match failed login attempts and trigger the Fail2Ban mechanisms. Below is an example of the contents of zimbra.conf, with a set of regular expressions matching the various errors Zimbra OSE reports on a failed authentication attempt:
```ini
# Fail2Ban configuration file
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
ignoreregex =
```
Once the regular expressions for Zimbra OSE are in place, it is time to edit the configuration of Fail2ban itself. Its settings live in /etc/fail2ban/jail.conf. Just in case, make a backup copy with cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak. Then bring the file to roughly the following form:
```ini
# Fail2Ban configuration file
# The mail addresses below are placeholders (the original page obfuscated them); substitute your own.
[DEFAULT]
ignoreip = 192.168.0.1/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=support@company.ru, sender=fail2ban@company.ru]
logpath = /var/log/messages
maxretry = 5

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=support@company.ru]
logpath = /var/log/zimbra.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=support@company.ru]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=support@company.ru]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5
```
Although this example is fairly universal, a few of the parameters you may want to change when configuring Fail2Ban yourself are worth explaining:
- ignoreip - specifies a particular IP or subnet whose addresses Fail2Ban should not check. As a rule, the company's internal network and other trusted addresses are added to the list of ignored addresses.
- bantime - the time, in seconds, for which the offender is banned. A value of -1 means a permanent ban.
- maxretry - the maximum number of attempts to access the server from a single IP address.
- sendmail - a setting that allows e-mail notifications to be sent automatically when Fail2Ban is triggered.
- findtime - a setting that defines the time window after which an IP address may try to access the server again once the maximum number of failed attempts (the maxretry parameter) has been exhausted.
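As an added check (my own Python, not fail2ban's code and not from the original article), the script below runs the six failregex lines of the zimbra.conf filter above over constructed audit.log-style lines and then applies the jail parameters just described (ignoreip, findtime, maxretry) to decide which addresses would be banned. The <HOST> expansion is an approximation of fail2ban's IPv4 pattern, the log lines are made up in Zimbra's format rather than captured from a server, and the function names are mine.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Approximation of fail2ban's <HOST> expansion for IPv4 (assumption, not fail2ban's exact pattern).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The six failregex lines from the zimbra.conf filter above.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed audit.log-style lines (not real server output): 5 failures from 203.0.113.5,
# one successful login, 2 failures from 198.51.100.7 and 6 failures from an internal address.
SAMPLE_LOG = [
    "2020-05-20 10:15:01,100 INFO  [ImapServer-2] [ip=203.0.113.5;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for [user@example.com], invalid password;",
    "2020-05-20 10:15:05,000 INFO  [qtp-1:https://mail.example.com/service/soap/AuthRequest] [name=user@example.com;oip=203.0.113.9;] security - cmd=Auth; account=user@example.com; protocol=soap;",
    "2020-05-20 10:15:07,300 INFO  [ImapServer-2] [ip=203.0.113.5;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for [user@example.com], invalid password;",
    "2020-05-20 10:15:20,500 INFO  [qtp-3:https://mail.example.com/service/soap/AuthRequest] [name=user@example.com;oip=203.0.113.5;ua=zclient/8.8.15;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;",
    "2020-05-20 10:15:33,000 INFO  [qtp-3:https://mail.example.com/service/soap/AuthRequest] [name=user@example.com;oip=203.0.113.5;ua=zclient/8.8.15;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;",
    "2020-05-20 10:16:02,000 INFO  [ImapServer-4] [ip=203.0.113.5;] account - authentication failed for nobody@example.com (no such account)",
    "2020-05-20 10:16:40,000 WARN  [qtp-7:https://mail.example.com/service/admin/soap/AuthRequest] [name=admin;ip=198.51.100.7;ua=ZimbraWebClient - GC81 (Win);] security - cmd=AdminAuth; account=admin; error=authentication failed for admin;",
    "2020-05-20 10:16:45,000 INFO  [ImapServer-6] [ip=198.51.100.7;] account - authentication failed for root@example.com (no such account)",
] + [
    f"2020-05-20 10:20:{i:02d},000 INFO  [ImapServer-9] [ip=192.168.0.42;] security - cmd=Auth; account=dev@example.com; protocol=imap; error=authentication failed for [dev@example.com], invalid password;"
    for i in range(6)
]


def parse_ts(line):
    """Zimbra log lines start with 'YYYY-MM-DD HH:MM:SS,mmm'."""
    return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")


def find_failures(lines):
    """Yield (timestamp, ip) for each line matched by one of the failregex patterns."""
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                yield parse_ts(line), m.group("host")
                break


def bans(lines, maxretry=5, findtime=600, ignoreip=("192.168.0.1/24",)):
    """Return {ip: ban_time} for addresses reaching maxretry failures within findtime seconds.
    Defaults mirror the [DEFAULT] section of the jail.conf example above."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent, banned = {}, {}
    for ts, ip in find_failures(lines):
        if any(ip_address(ip) in n for n in ignored) or ip in banned:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")   # ban 203.0.113.5 at 2020-05-20 10:16:02
```

Only 203.0.113.5 reaches five matches inside the 600-second window; 198.51.100.7 stops at two, and the internal 192.168.0.42 is skipped entirely because it falls inside ignoreip, which is the behaviour the whitelist is meant to guarantee for employees. On a real server the same filter check is available as fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf.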
After saving the Fail2Ban configuration file, all that remains is to restart the utility with service fail2ban restart. After the restart, the main Zimbra logs will be continuously monitored for matches against the regular expressions. This lets the administrator practically rule out the possibility of attackers breaking into mailboxes of Zimbra Collaboration Suite Open-Source Edition, protect all the services running within Zimbra OSE, and stay informed of every attempt to gain unauthorized access.

For any questions about Zextras Suite, contact the Zextras representative Ekaterina Triandafilidi by e-mail at [email protected].

Source: habr.com