Protecting Zimbra OSE from brute-force and DoS attacks

Zimbra Collaboration Suite Open-Source Edition has several powerful tools for ensuring information security. Among them are PostScreen, a solution for protecting the mail server from botnet attacks; ClamAV, an antivirus that can scan incoming files and messages for malware; and SpamAssassin, one of the best spam filters available today. However, these tools cannot protect Zimbra OSE from brute-force attacks. Not the most elegant, but still effective, brute-forcing passwords with a special dictionary not only carries the possibility of a successful break-in with all the consequences that follow, but also creates a significant load on the server, which has to process every unsuccessful attempt to break into the Zimbra OSE server.


In principle, you can protect yourself from brute force using the standard Zimbra OSE tools. The password security policy settings let you set the number of unsuccessful password attempts after which the potentially attacked account is locked. The main problem with this approach is that situations arise in which the accounts of one or more employees get locked because of a brute-force attack they have nothing to do with, and the resulting downtime for those employees can cause significant losses for the company. That is why it is best not to use this option for brute-force protection.


To protect against brute force, a special tool called DoSFilter is much better suited; it is built into Zimbra OSE and can automatically cut off connections to Zimbra OSE over HTTP. In other words, the operating principle of DoSFilter is similar to that of PostScreen, only it is applied to a different protocol. Originally intended to limit the number of actions a single user can perform, DoSFilter can also provide protection against brute force. Its key difference from the tools built into Zimbra is that after a set number of unsuccessful attempts it blocks not the user account itself but the IP address from which the attempts to log into a particular account are made. Thanks to this, the system administrator can not only protect against brute force, but also avoid locking out the company's employees by simply adding the company's internal network to the list of trusted IP addresses and subnets.

A big advantage of DoSFilter is that, in addition to blocking numerous attempts to log into a particular account, this tool lets you automatically block an attacker who has captured an employee's credentials, successfully logged into the account and started sending hundreds of requests to the server.

You can configure DoSFilter using the following console commands:

  • zimbraHttpDosFilterMaxRequestsPerSec - with this command you set the maximum number of connections allowed for a single user. By default this value is 30 connections.
  • zimbraHttpDosFilterDelayMillis - with this command you set the delay, in milliseconds, applied to connections that exceed the limit set by the previous command. Besides integer values, the administrator can specify 0 so that no delay is applied, or -1 so that all connections above the set limit are simply dropped. The default value is -1.
  • zimbraHttpThrottleSafeIPs - with this command the administrator can specify the trusted IP addresses and subnets that are not subject to the restrictions listed above. Note that the syntax of this command varies depending on the desired result. For example, by entering the command zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 you completely overwrite the whole list and leave only one IP address in it. If you enter the command zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1, the IP address you entered is added to the whitelist. Similarly, using a minus sign you can remove any IP from the allowed list.

Note that DoSFilter can cause a number of problems when the Zextras Suite Pro extension is in use. To avoid them, we recommend increasing the number of simultaneous connections from 30 to 100 with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100. We also recommend adding the company's internal network to the allowed list. This can be done with the command zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After making any changes to DoSFilter, be sure to restart your mail server with the command zmmailboxdctl restart.
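To make the three settings concrete, here is a small Python model of how a per-address request limiter such as DoSFilter decides to allow, delay or drop a request. It is an added illustration, not Zimbra's or Jetty's code: it assumes a sliding one-second window per client address (the real DoSFilter keeps its own rate tracker) and uses the values recommended above, 100 requests per second, a delay of -1, and 127.0.0.1 plus 192.168.0.0/24 as safe addresses. The traffic it processes is constructed.

```python
import ipaddress
from collections import defaultdict, deque

# The three settings discussed above, with the article's recommended values
# (assumption: modelled as plain Python values, not read from zmprov).
MAX_REQUESTS_PER_SEC = 100                   # zimbraHttpDosFilterMaxRequestsPerSec
DELAY_MILLIS = -1                            # zimbraHttpDosFilterDelayMillis: -1 = drop excess
SAFE_IPS = ["127.0.0.1", "192.168.0.0/24"]   # zimbraHttpThrottleSafeIPs


class DosFilterModel:
    """Simplified per-address limiter: at most max_per_sec requests in any
    one-second sliding window; excess is dropped (-1), passed through (0) or
    delayed (positive milliseconds). Safe addresses are never throttled."""

    def __init__(self, max_per_sec, delay_millis, safe_ips):
        self.max_per_sec = max_per_sec
        self.delay_millis = delay_millis
        self.safe_nets = [ipaddress.ip_network(s, strict=False) for s in safe_ips]
        self.windows = defaultdict(deque)   # ip -> timestamps of requests in the last second

    def is_safe(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.safe_nets)

    def handle(self, ip, now):
        """Return 'allow', 'delay' or 'reject' for one request arriving at `now` (seconds)."""
        if self.is_safe(ip):
            return "allow"
        window = self.windows[ip]
        while window and now - window[0] >= 1.0:   # forget requests older than one second
            window.popleft()
        window.append(now)
        if len(window) <= self.max_per_sec:
            return "allow"
        if self.delay_millis < 0:
            return "reject"
        if self.delay_millis == 0:
            return "allow"
        return "delay"


def simulate(requests, max_per_sec=MAX_REQUESTS_PER_SEC,
             delay_millis=DELAY_MILLIS, safe_ips=SAFE_IPS):
    """requests: iterable of (timestamp_seconds, ip) in time order.
    Returns, per address, how many requests got each verdict."""
    f = DosFilterModel(max_per_sec, delay_millis, safe_ips)
    counts = defaultdict(lambda: {"allow": 0, "delay": 0, "reject": 0})
    for ts, ip in requests:
        counts[ip][f.handle(ip, ts)] += 1
    return dict(counts)


# Constructed traffic: a 150-request burst within one second from an external
# host, the same burst from an internal workstation, and a quiet normal client.
SAMPLE = (
    [(i / 150, "203.0.113.7") for i in range(150)]
    + [(i / 150, "192.168.0.25") for i in range(150)]
    + [(i * 0.1, "198.51.100.9") for i in range(5)]
)

if __name__ == "__main__":
    for ip, verdicts in simulate(SAMPLE).items():
        print(ip, verdicts)
```

With the default 30 requests per second the external burst would lose 120 requests instead of 50, which is the kind of throttling that breaks the extra client calls made by Zextras Suite Pro and why the article raises the limit to 100.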

The main drawback of DoSFilter is that it works at the request level and can therefore only limit attackers' ability to perform various actions on the server, without limiting their ability to connect to it. For this reason, requests sent to the server to authenticate or to send messages, although they will obviously fail, still amount to a primitive DoS attack that cannot be stopped at such a high level.

To fully protect your corporate Zimbra OSE server, you can use a solution such as Fail2ban, a framework that constantly monitors the information system's logs for repeated actions and blocks the offender by changing firewall settings. Blocking at this low level lets you stop attackers right at the level of the IP connection to the server. Thus Fail2Ban can nicely complement the protection built in with DoSFilter. Let's see how to connect Fail2Ban to Zimbra OSE and raise the security of your company's IT infrastructure.

Like any other enterprise-class application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its operation. Most of them are stored as files in the /opt/zimbra/log/ folder. Here are a few of them:

  • mailbox.log - Jetty mail logs
  • audit.log - authentication log
  • clamd.log - antivirus operation log
  • freshclam.log - antivirus update log
  • convertd.log - attachment conversion log
  • zimbrastats.csv - server performance log

Zimbra logs can also be found in the file /var/log/zimbra.log, where the logs of Postfix and Zimbra itself are kept.

To protect our system from brute force, we will monitor mailbox.log, audit.log and zimbra.log.

For everything to work, Fail2Ban and iptables must be installed on your Zimbra OSE server. If you use Ubuntu, you can check this with the command dpkg -s fail2ban; if you use CentOS, you can check with the command yum list installed fail2ban. If Fail2Ban is not installed, installing it will not be a problem, since the package is available in almost all standard repositories.

Once all the required software is installed, you can start configuring Fail2Ban. To do this you need to create the configuration file /etc/fail2ban/filter.d/zimbra.conf, in which we will write regular expressions for the Zimbra OSE logs that match failed login attempts and trigger Fail2Ban's mechanisms. Here is an example of the contents of zimbra.conf with regular expressions matching the various errors Zimbra OSE produces when an authentication attempt fails:

# Fail2Ban configuration file
 
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

ignoreregex =
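Before enabling a filter it is worth checking that its expressions really match what Zimbra writes. The Python tester below is added for this article and is not part of Zimbra or Fail2Ban: it substitutes a simplified host group for fail2ban's <HOST> token (an assumption; fail2ban's own expansion also covers IPv6 and is stricter about hostnames) and runs the six patterns over constructed log lines written in the style of mailbox.log and audit.log. The sample lines, accounts and IP addresses are made up.

```python
import re

# The six failregex entries from zimbra.conf above, in fail2ban syntax.
ZIMBRA_FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]

# fail2ban replaces <HOST> with a group matching an IP or hostname; this is a
# simplified IPv4-or-hostname version (assumption, not fail2ban's own expansion).
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+)"


def compile_failregex(patterns=ZIMBRA_FAILREGEX):
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def extract_failures(lines, compiled=None):
    """Return (pattern_index, host) for every line matched by a failregex entry.
    As in fail2ban, each pattern is searched anywhere in the line and the first
    pattern that matches wins."""
    compiled = compiled or compile_failregex()
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((idx, m.group("host")))
                break
    return hits


def failures_per_host(lines):
    """Count matched failures per source address: this is what a jail's maxretry counts."""
    counts = {}
    for _, host in extract_failures(lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines in the style of mailbox.log / audit.log (not real log data).
SAMPLE_LOG = [
    "2024-01-15 10:00:01,123 INFO  [qtp-1] [ip=203.0.113.7;] account - authentication failed for nobody@example.com (no such account)",
    "2024-01-15 10:00:02,456 INFO  [qtp-1] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;",
    "2024-01-15 10:00:03,789 INFO  [qtp-2] [name=bob@example.com;oip=198.51.100.9;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for bob@example.com invalid password;",
    "2024-01-15 10:00:04,012 INFO  [ImapServer-3] [name=bob@example.com;oip=198.51.100.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for bob@example.com invalid password;",
    "2024-01-15 10:00:05,345 INFO  [qtp-4] [oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for ghost@example.com, account not found",
    "2024-01-15 10:00:06,678 WARN  [qtp-5] [name=admin@example.com;ip=203.0.113.7;ua=ZimbraWebClient - GC112 (Linux)/8.8.15;] security - cmd=AdminAuth; account=admin@example.com; error=authentication failed for admin@example.com;",
    # a successful login from the internal network: must match nothing
    "2024-01-15 10:00:07,000 INFO  [qtp-6] [name=alice@example.com;ip=192.168.0.25;] security - cmd=Auth; account=alice@example.com; protocol=soap;",
]

if __name__ == "__main__":
    for idx, host in extract_failures(SAMPLE_LOG):
        print(f"pattern {idx} matched host {host}")
    print(failures_per_host(SAMPLE_LOG))
```

On the server itself the same check is done against real logs with fail2ban's own tool, fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf, which reports how many lines each expression matched; a filter that matches zero lines of a log containing failed logins usually means the log format of your Zimbra version differs from the patterns.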

Once the regular expressions for Zimbra OSE have been assembled, it is time to edit the configuration of Fail2Ban itself. The settings of this utility live in the file /etc/fail2ban/jail.conf. Just in case, let's make a backup copy of it with the command cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak. After that, we reduce this file to the following form:

# Fail2Ban configuration file
 
[DEFAULT]
ignoreip = 192.168.0.1/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto
 
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@company.ru, sender=fail2ban@company.ru]
logpath = /var/log/messages
maxretry = 5
 
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=support@company.ru]
logpath = /var/log/zimbra.log
 
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages
 
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=support@company.ru]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
 
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=support@company.ru]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
 
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
 
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

Although this example is generic, it is worth explaining some of the parameters you may want to change when configuring Fail2Ban yourself:

  • ignoreip - with this parameter you can specify a particular IP address or subnet whose addresses Fail2Ban should not check. As a rule, the company's internal network and other trusted addresses are added to the ignore list.
  • bantime - the time for which the offender will be banned, measured in seconds. The value -1 means a permanent ban.
  • maxretry - the maximum number of times a single IP address may try to access the server.
  • sendmail - a setting that lets you automatically send email notifications when Fail2Ban is triggered.
  • findtime - a setting that lets you set the interval after which an IP address may try to access the server again once the maximum number of failed attempts (the maxretry parameter) has been exhausted.

After saving the Fail2Ban settings file, all that remains is to restart the utility with the command service fail2ban restart. After the restart, the most important Zimbra logs will be monitored continuously for matches with the regular expressions. Thanks to this, the administrator can practically eliminate any possibility of an attacker getting into the Zimbra Collaboration Suite Open-Source Edition mailboxes, protect all the services running inside Zimbra OSE, and be notified of any unauthorized access attempts.

For all questions related to Zextras Suite, you can contact the Zextras representative Ekaterina Triandafilidi by email at katerina@zextras.com

Source: www.habr.com
