Protecting Zimbra OSE from brute-force and DoS attacks

Zimbra Collaboration Suite Open-Source Edition ships with several powerful tools for keeping information secure. Among them are Postscreen, which protects the mail system from botnet attacks; ClamAV, an antivirus that scans incoming files and messages for malware; and SpamAssassin, one of the best spam filters available today. None of these tools, however, protects Zimbra OSE from brute-force attacks. Password guessing with a purpose-built dictionary is not the most elegant technique, but it still works well, and it is dangerous on two counts: a successful guess hands the attacker the account, with everything that follows from that, and even the failed attempts put a significant load on the server, which has to process every one of them.


In principle you can defend against brute force with the standard Zimbra OSE tools. The password policy settings let you set the number of failed login attempts after which the targeted account is locked. The main problem with this approach is that it creates situations in which the accounts of one or more employees are locked because of a brute-force attack they have nothing to do with, and the resulting loss of productivity can cost the company dearly. In effect, the attacker turns your own lockout policy into a denial of service against your users. That is why it is better not to rely on this option for brute-force protection.


A better fit for brute-force protection is a dedicated tool called DoSFilter, which is built into Zimbra OSE and can automatically terminate HTTP connections to Zimbra OSE. In other words, DoSFilter works on the same principle as Postscreen, only for a different protocol. Originally designed to limit the number of actions a single user can perform, DoSFilter can also provide brute-force protection. Its main difference from the account lockout built into Zimbra is that after a certain number of failed attempts it blocks not the user, but the IP address from which the repeated attempts to log in to the account are coming. Thanks to this, the system administrator can not only defend against brute force but also avoid locking out company employees, simply by adding the company's internal network to the list of trusted IP addresses and subnets.

A further advantage of DoSFilter is that, besides repeated login attempts on a given account, it can automatically block attackers who have obtained an employee's credentials, successfully logged in to the account and started sending hundreds of requests to the server.

DoSFilter is configured through the following global configuration attributes, which are set with zmprov mcf:

  • zimbraHttpDosFilterMaxRequestsPerSec: the maximum number of requests per second allowed from a single client. The default is 30.
  • zimbraHttpDosFilterDelayMillis: the delay, in milliseconds, imposed on requests that exceed the limit set by the previous attribute. Besides a positive value, the administrator can set 0, so that there is no delay at all, or -1, so that every request over the limit is simply rejected. The default is -1.
  • zimbraHttpThrottleSafeIPs: the trusted IP addresses and subnets that are exempt from the limits above. Note that the syntax of the command differs depending on the result you want. For example, running zmprov mcf zimbraHttpThrottleSafeIPs 127.0.0.1 overwrites the whole list, leaving only that single address in it. Running zmprov mcf +zimbraHttpThrottleSafeIPs 127.0.0.1 appends the address to the allow list, and likewise the minus sign (zmprov mcf -zimbraHttpThrottleSafeIPs 127.0.0.1) removes an address from it.

Note that DoSFilter can cause a number of problems when the Zextras Suite Pro extensions are in use. To avoid them, we recommend raising the request limit from 30 to 100 with the command zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 100, and adding the company's internal network to the allow list with zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.0/24. After any change to the DoSFilter settings, restart the mailbox service as the zimbra user with zmmailboxdctl restart.
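To make the interplay of the three attributes concrete, here is a small model of their documented semantics. This is an added example, not Jetty's DoSFilter or any Zimbra code: it keeps a per-IP sliding one-second window, whereas the real filter tracks the rate per connection, session and IP with more state. The host addresses and request bursts are constructed.

```python
"""Simplified model of the three DoSFilter settings described above.

Added illustration, not Jetty's DoSFilter or Zimbra code. It models only
the documented semantics of the attributes:
  zimbraHttpDosFilterMaxRequestsPerSec -> max_requests_per_sec (default 30)
  zimbraHttpDosFilterDelayMillis       -> delay_millis: -1 reject, 0 no delay, >0 delay in ms
  zimbraHttpThrottleSafeIPs            -> safe_ips: never throttled
"""
import ipaddress
from collections import defaultdict, deque


class DosFilterModel:
    def __init__(self, max_requests_per_sec=30, delay_millis=-1, safe_ips=()):
        self.max_rps = max_requests_per_sec
        self.delay_millis = delay_millis
        self.safe_nets = [ipaddress.ip_network(s, strict=False) for s in safe_ips]
        self.windows = defaultdict(deque)  # client IP -> request timestamps in the last second

    def is_safe(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.safe_nets)

    def handle(self, ip, now):
        """Decide one request from `ip` at time `now` (seconds).

        Returns "pass", "reject" or ("delay", milliseconds).
        """
        if self.is_safe(ip):
            return "pass"                      # allow-listed: the limits do not apply
        win = self.windows[ip]
        while win and now - win[0] >= 1.0:     # drop requests older than one second
            win.popleft()
        win.append(now)
        if len(win) <= self.max_rps:
            return "pass"
        if self.delay_millis < 0:
            return "reject"                    # -1: over-limit requests are rejected
        if self.delay_millis == 0:
            return "pass"                      # 0: no delay, the request goes through
        return ("delay", self.delay_millis)    # >0: over-limit requests are held


def burst(filter_, ip, n, start=0.0):
    """Send n requests from ip inside one second and tally the outcomes."""
    counts = {"pass": 0, "reject": 0, "delay": 0}
    for i in range(n):
        r = filter_.handle(ip, start + i / n)
        counts[r if isinstance(r, str) else r[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: 50 requests in one second from an outside host,
    # then the same burst from a host inside the trusted 192.168.0.0/24.
    default = DosFilterModel()
    print("default, outside host :", burst(default, "203.0.113.5", 50))
    tuned = DosFilterModel(max_requests_per_sec=100, delay_millis=-1,
                           safe_ips=["192.168.0.0/24"])
    print("tuned, outside host   :", burst(tuned, "203.0.113.5", 50))
    print("tuned, internal host  :", burst(tuned, "192.168.0.10", 50))
```

With the defaults the 31st request in a second from one address is rejected; raising the limit to 100, as recommended for Zextras Suite Pro, lets the 50-request burst through, and an address on the safe list is never counted at all.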

The main shortcoming of DoSFilter is that it works at the application level, so it can only limit an attacker's ability to perform actions on the server; it cannot stop them from connecting to it in the first place. As a result, requests sent to the server to authenticate or to send mail will fail as intended, yet they still amount to a classic DoS attack, which cannot be stopped at such a high level of the stack.

To protect a corporate Zimbra OSE server fully, you can use a solution such as Fail2Ban, a framework that continuously watches log files for repeated failures and blocks the offender by changing the firewall rules. Blocking at this low level lets you cut attackers off at the IP connection level, before their requests reach Zimbra at all. Fail2Ban therefore complements the protection provided by DoSFilter nicely. Let's see how to connect Fail2Ban to Zimbra OSE and so raise the security of your company's IT infrastructure.

Like any other enterprise-class application, Zimbra Collaboration Suite Open-Source Edition keeps detailed logs of its operation. Most of them are stored as files in /opt/zimbra/log/. Here are just a few of them:

  • mailbox.log: mailbox service logs
  • audit.log: authentication logs
  • clamd.log: antivirus logs
  • freshclam.log: antivirus update logs
  • convertd.log: attachment converter logs
  • zimbrastats.csv: server performance logs

Zimbra logs are also found in /var/log/zimbra.log, which holds the logs of Postfix and of Zimbra itself.

To protect our system from brute force, we will monitor mailbox.log, audit.log and zimbra.log.

For all of this to work, Fail2Ban and iptables must be installed on the server running Zimbra OSE. On Ubuntu you can check this with dpkg -s fail2ban, on CentOS with yum list installed fail2ban. If Fail2Ban is not installed, installing it is no trouble, since the package is available in almost every standard repository.

Once the required software is installed, you can start setting up Fail2Ban. To do this, create the filter configuration file /etc/fail2ban/filter.d/zimbra.conf, in which we put the regular expressions for the Zimbra OSE logs that match failed login attempts and trigger Fail2Ban's actions. Below is an example of zimbra.conf with a set of regular expressions matching the various errors Zimbra OSE logs when authentication fails. Note that in a failregex the literal brackets and parentheses of the log line must be escaped with a backslash (otherwise [ ] is read as a character class and ( ) as a group, and the line never matches), and that every continuation line must be indented:

# Fail2Ban configuration file

[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$

ignoreregex =
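Before enabling a filter it is worth checking what it actually matches. The following added example (not part of the original article or of Fail2Ban) runs the six failregex lines above over constructed mailbox.log lines in the shape Zimbra 8.8 writes them, and also shows that the same first line with its escapes lost matches nothing. Fail2Ban substitutes <HOST> with a broader pattern and strips the timestamp first; here <HOST> is simplified to an IPv4 address and the whole line is searched, which is enough for the point.

```python
"""Run the zimbra.conf failregex above over constructed mailbox.log lines.

Added example, not part of the original article or of Fail2Ban. <HOST> is
simplified to an IPv4 address; the sample lines and their IPs are constructed.
"""
import re
from collections import Counter

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # simplified stand-in for Fail2Ban's <HOST>

# The six failregex lines from the filter above, with brackets and parentheses escaped.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=imap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
]

# The first line as it is often pasted, with the escapes lost: [...] becomes a
# character class and (no such account) a group, so it never matches a real line.
BROKEN_FIRST = r"[ip=<HOST>;] account - authentication failed for .* (no such account)$"

SAMPLE_LINES = [  # constructed, documentation IPs
    "2023-01-10 10:00:01,101 INFO  [ImapServer-3] [ip=198.51.100.9;] account - authentication failed for nobody@example.com (no such account)",
    "2023-01-10 10:00:02,202 INFO  [qtp1-45:https://mail.example.com/service/soap/AuthRequest] [name=bob@example.com;oip=203.0.113.7;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;",
    "2023-01-10 10:00:03,303 INFO  [ImapServer-7] [name=bob@example.com;oip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;",
    "2023-01-10 10:00:04,404 WARN  [qtp1-50:https://mail.example.com/service/admin/soap/AuthRequest] [name=admin;ip=203.0.113.7;ua=ZimbraWebClient - GC109 (Linux)/8.8.15;] security - cmd=AdminAuth; account=admin; error=authentication failed for [admin];",
    "2023-01-10 10:00:05,505 INFO  [qtp1-51:https://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=192.0.2.44;ua=zclient/8.8.15;] security - cmd=Auth; account=alice@example.com; protocol=soap;",
    "2023-01-10 10:00:06,606 INFO  [qtp1-52:https://mail.example.com/service/soap/AuthRequest] [oip=203.0.113.7;ua=zclient/8.8.15;] SoapEngine - handler exception: authentication failed for [ghost@example.com], account not found",
]


def compile_failregex(patterns):
    """Substitute <HOST> the way Fail2Ban does (simplified) and compile each line."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def failed_hosts(patterns, lines):
    """Return one source IP per log line that matches any failregex, in log order."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.groupdict().get("host", "?"))
                break                      # one failure per line, like Fail2Ban
    return hosts


def failures_per_host(patterns, lines):
    """Count matching lines per IP: the tally Fail2Ban compares with maxretry."""
    return Counter(failed_hosts(patterns, lines))


if __name__ == "__main__":
    print("escaped filter :", dict(failures_per_host(FAILREGEX, SAMPLE_LINES)))
    print("unescaped line :", failed_hosts([BROKEN_FIRST], SAMPLE_LINES))
```

The successful login from 192.0.2.44 is correctly ignored, 203.0.113.7 collects four failures across SOAP, IMAP and the admin console, and the unescaped pattern matches nothing, which is exactly the silent failure a quick test with fail2ban-regex on the real log would reveal.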

Once the regular expressions for Zimbra OSE are in place, it is time to edit the configuration of Fail2Ban itself. Its settings live in /etc/fail2ban/jail.conf. First make a backup copy with cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak. (Fail2Ban reads /etc/fail2ban/jail.local after jail.conf, and a package upgrade can overwrite jail.conf, so putting your own jails in jail.local is the safer choice.) Then reduce the file to roughly the following form:

# Fail2Ban configuration file

[DEFAULT]
ignoreip = 192.168.0.0/24
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@company.ru, sender=fail2ban@company.ru]
logpath = /var/log/messages
maxretry = 5

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=support@company.ru]
logpath = /var/log/zimbra.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=support@company.ru]
ignoreregex = for myuser from
logpath = /var/log/messages

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=support@company.ru]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=support@company.ru]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=support@company.ru]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5

Although this example is fairly generic, a few parameters deserve explanation, since you may want to change them when setting up Fail2Ban yourself:

  • ignoreip: a specific IP address or subnet whose addresses Fail2Ban will never ban. As a rule, the company's internal network and other trusted addresses go here.
  • bantime: how long, in seconds, the offender stays banned. A value of -1 means a permanent ban.
  • maxretry: the maximum number of failed attempts a single IP address may make before it is banned.
  • sendmail: the action that sends an e-mail notification automatically whenever Fail2Ban bans an address.
  • findtime: the window, in seconds, within which the maxretry failures must occur; failures older than findtime no longer count toward a ban.
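The interaction of maxretry, findtime, bantime and ignoreip is easiest to see on a replay of failure events. The following is an added model of the jail logic as documented above, not Fail2Ban's own code; the (time, ip) events fed to it are constructed, of the kind the zimbra filter would extract from mailbox.log.

```python
"""Model of how a Fail2Ban jail turns failed logins into bans.

Added illustration, not Fail2Ban's own code. maxretry failures from one IP
within findtime seconds trigger a ban lasting bantime seconds (-1 =
permanent); addresses covered by ignoreip are never counted.
"""
import ipaddress
from collections import defaultdict, deque


class JailModel:
    def __init__(self, maxretry=5, findtime=600, bantime=600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
        self.bans = {}                      # ip -> unban time, or None for a permanent ban

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        """True while a ban is in force; an expired ban is lifted on the fly."""
        if ip not in self.bans:
            return False
        until = self.bans[ip]
        if until is None or now < until:
            return True
        del self.bans[ip]
        return False

    def failure(self, ip, now):
        """Record one failed login at time `now`; return True if it triggers a ban."""
        if self._ignored(ip) or self.is_banned(ip, now):
            return False
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:   # failures older than findtime no longer count
            q.popleft()
        if len(q) < self.maxretry:
            return False
        self.bans[ip] = None if self.bantime < 0 else now + self.bantime
        q.clear()
        return True


def replay(events, **jail_kwargs):
    """Feed (time, ip) failure events to a fresh jail; return the IPs banned, in order."""
    jail = JailModel(**jail_kwargs)
    return [ip for t, ip in events if jail.failure(ip, t)]


if __name__ == "__main__":
    # Constructed events: a fast guesser, a slow guesser that never has five
    # failures inside one findtime window, and an internal host under ignoreip.
    events = (
        [(t, "203.0.113.7") for t in (0, 10, 20, 30, 40)]
        + [(t, "198.51.100.9") for t in (0, 200, 400, 800, 1000)]
        + [(t, "192.168.0.5") for t in range(0, 100, 10)]
    )
    print(replay(events, maxretry=5, findtime=600, bantime=600,
                 ignoreip=["192.168.0.0/24"]))
```

Only the fast guesser is banned: the slow one spaces its attempts so that at most three fall inside any 600-second window, which is why a long findtime matters against patient attackers, and the internal host is exempt even after ten failures.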

After saving the Fail2Ban settings, all that is left is to restart the service with service fail2ban restart. After the restart, the main Zimbra logs will be checked continuously against the regular expressions. Thanks to this, the administrator will be able to stop an attacker breaking into the mailboxes of Zimbra Collaboration Suite Open-Source Edition, protect every service running inside Zimbra OSE, and be notified of any attempt at unauthorized access.

For all questions related to Zextras Suite, you can contact the Zextras representative Ekaterina Triandafilidi by e-mail at katerina@zextras.com

Source: www.habr.com
