Protecting Zimbra OSE from brute-force and DoS attacks

Zimbra Collaboration Suite Open-Source Edition ships with several powerful tools for keeping information secure. Among them are Postscreen, which protects the mail server from botnet-driven attacks; ClamAV, an antivirus that scans incoming files and messages for malware; and SpamAssassin, one of the best spam filters available today. These tools, however, cannot protect Zimbra OSE from brute-force attacks. Guessing passwords against a purpose-built dictionary is not the most elegant attack, but it still works, and it is dangerous on two counts: a successful guess leads to a compromise with all its consequences, and even a failing attack puts significant load on the server, which has to process every one of the attacker's login attempts.

Strictly speaking, you can protect yourself from brute force with standard Zimbra OSE tools alone. The password security policy settings let you set the number of failed login attempts after which the attacked account is locked. The main problem with this approach is that it creates situations in which the accounts of one or more employees get locked because of a brute-force attack they had nothing to do with: an attacker does not even need the password, only the username, to deny that employee access. The resulting downtime can cause real losses for the company, which is why it is better not to rely on this option for protection against brute force.

A better fit for brute-force protection is a special tool called DoSFilter, which is built into Zimbra OSE and can forcibly restrict access to Zimbra OSE over HTTP. In other words, DoSFilter works on the same principle as Postscreen, only for a different protocol. Originally designed to limit the number of actions a single client can perform, DoSFilter can also serve as brute-force protection. Its key difference from the lockout mechanism built into Zimbra is that it does not react to failed logins for a particular user; it reacts to the rate of requests coming from an IP address, and an address that hammers the login endpoint is throttled or rejected regardless of which account it targets. Thanks to this, the system administrator not only protects against brute force but also avoids locking out the company's own employees, simply by adding the company's internal network to the list of trusted IP addresses and subnets.

A big advantage of DoSFilter is that, beyond repeated attempts to log in to one account, it also lets you automatically block an attacker who has obtained genuine employee credentials, logged in to the account successfully, and then started sending hundreds of requests to the server.

You configure DoSFilter through the following global configuration attributes, set with zmprov:

  • zimbraHttpDosFilterMaxRequestsPerSec - sets the maximum number of requests per second allowed from a single client. The default is 30.
  • zimbraHttpDosFilterDelayMillis - sets the delay, in milliseconds, applied to requests that exceed the limit set by the previous attribute. Besides a positive number of milliseconds, the administrator can specify 0, so that there is no delay at all, or -1, so that every request over the limit is simply rejected. The default is -1.
  • zimbraHttpThrottleSafeIPs - lets the administrator list trusted IP addresses and subnets that are exempt from the restrictions above. Note that the syntax differs depending on the result you want. For example, zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 overwrites the whole list and leaves only that single IP address in it, whereas zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1 appends the address to the allow list. Likewise, the minus sign (zmprov mcf -zimbraHttpThrottleSafeIPs 127.0.0.1) removes an address from the allow list.

Note that DoSFilter can cause problems when the Zextras Suite Pro extension is in use. To avoid them, we recommend raising the request limit from 30 to 100 per second with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100. We also recommend adding the company's internal network to the allow list, for example with zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After any change to DoSFilter, be sure to restart the mailbox service with zmmailboxdctl restart, since the filter reads the attributes at startup.
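To make the three attributes concrete, here is a small Python model of the throttling they describe. It is an added example, not code from the article, from Zimbra or from Jetty (whose DoSFilter Zimbra embeds): a per-IP one-second sliding window with the max-requests, delay and safe-IP settings, where the window arithmetic is a simplification of Jetty's rate tracker and the IP addresses are documentation ranges chosen for the example. It shows the default 30/-1 behaviour, the 100-requests recommendation above, a positive delay, and an internal subnet on the safe list.

```python
"""Simplified model of Zimbra's DoSFilter settings (added example, not Jetty/Zimbra code).

Each client IP gets a one-second sliding window; the request that pushes the window
past zimbraHttpDosFilterMaxRequestsPerSec is rejected (delay -1), let through (delay 0)
or delayed (delay > 0).  Addresses in zimbraHttpThrottleSafeIPs are never throttled.
"""
import ipaddress
from collections import defaultdict, deque


class DosFilterModel:
    def __init__(self, max_requests_per_sec=30, delay_millis=-1, safe_ips=()):
        # Defaults mirror Zimbra's: 30 requests/second, over-limit requests rejected.
        self.max_requests_per_sec = max_requests_per_sec
        self.delay_millis = delay_millis
        self.safe_nets = [ipaddress.ip_network(n, strict=False) for n in safe_ips]
        self._window = defaultdict(deque)  # ip -> timestamps (seconds) of recent requests

    def is_safe(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.safe_nets)

    def handle(self, ts, ip):
        """Outcome for one request at time ts (seconds): 'ok', 'rejected' or 'delayed:<ms>'."""
        if self.is_safe(ip):
            return "ok"
        window = self._window[ip]
        while window and window[0] <= ts - 1.0:   # forget requests older than one second
            window.popleft()
        window.append(ts)
        if len(window) <= self.max_requests_per_sec:
            return "ok"
        if self.delay_millis < 0:                  # -1: reject the over-limit request
            return "rejected"
        if self.delay_millis == 0:                 # 0: no delay, let it through
            return "ok"
        return f"delayed:{self.delay_millis}"      # >0: hold it for that many milliseconds


def burst(model, ip, n, start=0.0):
    """Send n requests from ip within the same second and tally the outcomes."""
    results = [model.handle(start + i * 0.01, ip) for i in range(n)]
    return {r: results.count(r) for r in set(results)}


if __name__ == "__main__":
    # Constructed traffic: 31 requests in a burst from an external address (203.0.113.0/24
    # is a documentation range) under the default, the recommended and a delaying setup.
    print("default 30/-1:", burst(DosFilterModel(), "203.0.113.7", 31))
    print("limit 100:    ", burst(DosFilterModel(max_requests_per_sec=100), "203.0.113.7", 31))
    print("delay 100 ms: ", burst(DosFilterModel(delay_millis=100), "203.0.113.7", 31))
    print("safe subnet:  ", burst(DosFilterModel(safe_ips=["192.168.0.0/24"]), "192.168.0.10", 31))
```

The same burst that gets one request rejected under the defaults passes untouched once the limit is 100 or the source sits in the safe subnet, which is exactly the trade-off the Zextras Suite Pro recommendation makes: fewer false positives for busy legitimate clients, at the price of letting a single external address send more login attempts per second.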

The main drawback of DoSFilter is that it works at the application level, so it can only limit an attacker's ability to perform actions on the server, not their ability to connect to it. The requests an attacker sends to authenticate or to submit messages still reach the server and are still processed, even though they are doomed to fail, so they still amount to a good old-fashioned DoS attack, which cannot be stopped at that level.

To fully protect your corporate Zimbra OSE server, you can use a solution such as Fail2ban, a daemon that continuously monitors the log files of system services for repeated actions and blocks the offender by changing the firewall rules. Blocking at this lower level cuts attackers off at the point of establishing an IP connection to the server, so Fail2Ban neatly complements the protection built with DoSFilter. Let's look at how to pair Fail2Ban with Zimbra OSE and thereby raise the security of your company's IT infrastructure.

Like any other enterprise-class application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its operation. Most of them are stored as files in the /opt/zimbra/log/ directory. Here are just a few of them:

  • mailbox.log - Jetty mail service logs
  • audit.log - authentication logs
  • clamd.log - antivirus operation logs
  • freshclam.log - antivirus update logs
  • convertd.log - attachment conversion daemon logs
  • zimbrastats.csv - server performance logs

Zimbra logs can also be found in the file /var/log/zimbra.log, where the logs of Postfix and of Zimbra itself are kept.

To protect our system from brute force, we will analyse mailbox.log, audit.log and zimbra.log.

For all of this to work, Fail2Ban and iptables must be installed on your Zimbra OSE server. On Ubuntu you can check with the command dpkg -s fail2ban, and on CentOS with yum list installed fail2ban. If Fail2Ban is not installed, installing it will not be a problem, since the package is available in almost all standard repositories.

Once all the necessary software is installed, you can start configuring Fail2Ban. To do so, create the configuration file /etc/fail2ban/filter.d/zimbra.conf, in which we write regular expressions for the Zimbra OSE logs that match failed login attempts and trigger the Fail2Ban mechanism. Here is an example of the contents of zimbra.conf with a set of regular expressions matching the various errors that Zimbra OSE logs when authentication fails:

# Fail2Ban configuration file
# Brackets and parentheses taken from the log text are escaped: unescaped, "[" and "("
# are regex metacharacters and the filter fails to compile once fail2ban expands <HOST>.

[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

ignoreregex =
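Before pointing a jail at production logs it is worth checking that each rule actually matches the line it was written for, that the <HOST> group captures the attacker's address rather than the server's, and that successful logins do not match. The script below is an added example, not code from the article or from fail2ban; it takes the six rules above, expands <HOST> the same way fail2ban does (fail2ban is written in Python and compiles its patterns with the re module), and runs them over constructed log lines in the shape of mailbox.log and audit.log entries. The sample lines, account names and IP addresses (documentation ranges) are made up for the example.

```python
"""Exercise the zimbra.conf failregex set over constructed Zimbra log lines
(added example; the rules are the filter above, the log lines are constructed)."""
import re
from collections import Counter

# fail2ban's standard expansion of the <HOST> placeholder
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]


def first_match(line):
    """(rule index, host) for the first rule that matches, as fail2ban does, or None."""
    for i, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None


def scan(lines):
    """All (rule index, host) pairs for the lines that match some rule."""
    return [hit for hit in (first_match(line) for line in lines) if hit]


def failures_per_host(lines):
    """Count of matching lines per source address: the input to maxretry."""
    return Counter(host for _, host in scan(lines))


def unescaped_compiles():
    """Why the escapes matter: the first rule with bare [ ] is not a valid regex once
    <HOST> is expanded, because "[ip=" opens a character class that swallows the group."""
    bad = r"[ip=<HOST>;] account - authentication failed for .* (no such account)$"
    try:
        re.compile(bad.replace("<HOST>", HOST))
        return True
    except re.error:
        return False


# Constructed lines in the shape of mailbox.log / audit.log entries, one per rule, plus a
# successful SOAP login at the end that must NOT match.  Addresses are documentation ranges.
SAMPLE = [
    "2024-03-05 10:00:01,001 INFO  [ImapServer-5] [ip=203.0.113.7;] account - authentication failed for nobody@example.com (no such account)",
    "2024-03-05 10:00:02,002 INFO  [qtp-12:https://mail.example.com/service/soap/AuthRequest] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;",
    "2024-03-05 10:00:03,003 INFO  [qtp-14:https://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=198.51.100.9;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;",
    "2024-03-05 10:00:04,004 INFO  [ImapServer-7] [ip=10.0.0.5;oip=198.51.100.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;",
    "2024-03-05 10:00:05,005 WARN  [qtp-3:https://mail.example.com/service/soap/AuthRequest] [oip=203.0.113.7;ua=zclient/8.8.15;soapId=1a2b;] SoapEngine - handler exception: authentication failed for [ghost@example.com], account not found",
    "2024-03-05 10:00:06,006 WARN  [qtp-9:https://mail.example.com:7071/service/admin/soap/AuthRequest] [name=admin;ip=203.0.113.7;ua=ZimbraWebClient - GC112 (Win)/8.8.15;] security - cmd=AdminAuth; account=admin; error=authentication failed for [admin], invalid password;",
    "2024-03-05 10:00:07,007 INFO  [qtp-12:https://mail.example.com/service/soap/AuthRequest] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap;",
]

if __name__ == "__main__":
    for rule, host in scan(SAMPLE):
        print(f"rule {rule}: {host}")
    print("failures per host:", dict(failures_per_host(SAMPLE)))
    print("unescaped first rule compiles:", unescaped_compiles())
```

Note the fourth line: behind a proxy the entry carries both ip= (the proxy) and oip= (the original client), and the imap rule anchors on ";oip=" so the ban lands on the client, not on the proxy. Against a real server the equivalent check is fail2ban's own tool, fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf, which prints how many lines each rule matched and which hosts it extracted.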

Once the regular expressions for Zimbra OSE are ready, it is time to configure Fail2ban itself. Its settings are in /etc/fail2ban/jail.conf. Just in case, make a backup copy of it with cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak (a package upgrade may overwrite jail.conf, so on a long-lived server it is safer to put the same sections in /etc/fail2ban/jail.local, which Fail2Ban reads on top of jail.conf). Then bring the file to the following form:

# Fail2Ban configuration file

[DEFAULT]
ignoreip = 192.168.0.0/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected], [email protected]]
logpath = /var/log/messages
maxretry = 5

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, [email protected]]
logpath = /var/log/zimbra.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@ company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, [email protected] ]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, [email protected]]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, [email protected]]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, [email protected]]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

Although this example is fairly generic, it is still worth explaining some of the parameters you may want to change when setting up Fail2Ban yourself:

  • ignoreip - lets you specify IP addresses or subnets that Fail2Ban must never ban. As a rule, the company's internal network and other trusted addresses are put on this list; without it, a colleague who mistypes a password a few times is banned exactly like an attacker.
  • bantime - how long the offender is banned, in seconds. A value of -1 means a permanent ban.
  • maxretry - the number of failed attempts a single IP address may make before it is banned.
  • sendmail - an action that makes Fail2Ban send automatic email notifications when it starts, stops or bans an address.
  • findtime - the window, in seconds, over which failures are counted: an IP address is banned only when it accumulates maxretry failures within the last findtime seconds, so with the values above five failures spread over more than ten minutes never trigger a ban, while five within ten minutes do.
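The interplay of ignoreip, findtime, maxretry and bantime is easy to get wrong, so here is a small model of how a jail turns filter hits into bans, added here as an example and not taken from fail2ban's own code. It works on constructed (timestamp, IP) events such as the ones the zimbra filter would produce, uses the defaults from the configuration above, and shows a slow attacker staying below findtime, a fast one being banned twice, and an internal host protected by ignoreip. IP addresses are documentation and private ranges chosen for the example.

```python
"""Model of a fail2ban jail's ban decisions (added example, not fail2ban code).

events: (timestamp in seconds, source IP) for every failregex hit.
Only failures inside the trailing findtime window count, and failures that arrive
while an IP is already banned are ignored, as they would be once the firewall rule
is in place.
"""
import ipaddress
from collections import defaultdict, deque


def is_ignored(ip, ignoreip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def decide_bans(events, maxretry=5, findtime=600, bantime=600, ignoreip=()):
    """Return [(ip, ban_start, ban_end)]; ban_end is None for a permanent ban (bantime -1)."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned_until = {}               # ip -> expiry timestamp, or None while permanently banned
    bans = []
    for ts, ip in sorted(events):
        if is_ignored(ip, ignoreip):
            continue
        if ip in banned_until:
            expiry = banned_until[ip]
            if expiry is None or ts < expiry:
                continue                        # still banned: the hit never reaches the service
            del banned_until[ip]                # ban expired, start counting again
        window = failures[ip]
        window.append(ts)
        while window and window[0] <= ts - findtime:
            window.popleft()                    # forget failures older than findtime
        if len(window) >= maxretry:
            expiry = None if bantime == -1 else ts + bantime
            banned_until[ip] = expiry
            bans.append((ip, ts, expiry))
            window.clear()
    return bans


# Constructed events (seconds, IP); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
EVENTS = (
    [(t, "203.0.113.7") for t in (0, 10, 20, 30, 40, 100)]       # burst, then a hit while banned
    + [(t, "203.0.113.7") for t in (700, 710, 720, 730, 740)]   # second burst after the ban expires
    + [(t, "198.51.100.9") for t in (0, 100, 200, 300, 1000)]   # five failures spread over > findtime
    + [(t, "198.51.100.9") for t in (1010, 1020, 1030, 1040)]   # then five within ten minutes
    + [(t, "192.168.0.50") for t in range(0, 100, 10)]          # internal host, covered by ignoreip
)

if __name__ == "__main__":
    for ban in decide_bans(EVENTS, ignoreip=["192.168.0.0/24"]):
        print(ban)
    print("permanent:", decide_bans(EVENTS, bantime=-1, ignoreip=["192.168.0.0/24"]))
```

Two things the run makes visible: the slow attacker's fifth failure at t=1000 does not trigger a ban because the first four have already aged out of the 600-second window, and without the ignoreip entry the internal host 192.168.0.50 is banned at t=40 exactly like the external ones.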

After saving the Fail2Ban configuration, all that remains is to restart the service with service fail2ban restart. From then on the main Zimbra logs are monitored continuously for lines matching the regular expressions. As a result, the administrator greatly reduces the chance of an attacker breaking not only into Zimbra Collaboration Suite Open-Source Edition mailboxes but into any of the services running inside Zimbra OSE, and is notified of every unauthorized access attempt that leads to a ban.

For any questions about Zextras Suite, you can contact the Zextras representative Ekaterina Triandafilidi by email: [email protected]

Source: www.habr.com