Fail2Ban rules for Zimbra
The difference between fail2ban and Zimbra's own security policies is that fail2ban raises an iptables rule against the source IP, blocking all access to the server, whereas Zimbra's security policies lock only the particular account that was being attacked. Fail2ban thus complements Zimbra's policies: because it blocks the whole source IP, once one of these rules triggers, the attacker cannot go on trying other accounts from that address.
For the initial installation and configuration of fail2ban, see the following article:
https://itlinux.zendesk.com/entries/21766198-fail2ban-para-proteccion-contra-intentos-de-conexion
Now, to add some rules for Zimbra, do the following:
1) Create the file /etc/fail2ban/filter.d/zimbra.conf:
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#           .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
2) Modify the SASL filter: /etc/fail2ban/filter.d/sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
###failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed\: authentication failure
#Jul 31 15:05:45 zimbratest postfix/smtpd[24158]: warning: host.dominio.cl[X.X.X.X]: SASL PLAIN authentication failed: authentication failure
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
3) Add the following to the file /etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.50
bantime = 600
findtime = 600
maxretry = 3
backend = auto
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh-iptables]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
action = iptables-allports[name=SSH-iptables]
maxretry = 3
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/maillog
findtime = 604800
bantime = 600
maxretry = 5
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
logpath = /var/log/maillog
bantime = 600
maxretry = 5
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
logpath = /var/log/maillog
bantime = 600
4) To block login attempts made through the Webmail, add the following to /etc/fail2ban/filter.d/zimbra.conf (as an additional failregex pattern; note that a second failregex key in the same [Definition] section replaces the patterns from step 1 instead of extending them):
failregex = WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;
5) And in the jail configuration file (/etc/fail2ban/jail.conf):
[zimbra-webmail]
enabled = true
filter = zimbra
action = iptables[name=Zimbra-account, port=http, protocol=tcp]
         mail-whois[name=Zimbra-account, dest=user@itlinux.cl, sender=fail2ban@example.com]
#logpath = /opt/zimbra/log/mailbox.log
logpath = /opt/zimbra/log/audit.log
maxretry = 1
6) Restart fail2ban:
service fail2ban restart
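As an added check that is not part of the original article: the Python script below does for the zimbra filter what fail2ban-regex does, expanding the <HOST> tag with the alias quoted in the filter header, running the active patterns (plus the Webmail pattern from step 4) over sample log lines, and applying a maxretry threshold the way the jails do. The log lines and IP addresses are constructed for the example, not real Zimbra logs.

```python
import re

# Expansion fail2ban substitutes for the <HOST> tag (quoted in the filter header above).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Active failregex lines from the zimbra.conf filter, plus the Webmail pattern from step 4.
ZIMBRA_FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
    r"WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;",
]

def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def extract_hosts(lines, patterns=ZIMBRA_FAILREGEX):
    """Return the host captured from every line that matches a pattern (first matching pattern wins)."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

def hosts_to_ban(lines, maxretry=5):
    """Hosts whose failure count reaches maxretry, i.e. what a jail would ban inside one findtime window."""
    counts = {}
    for h in extract_hosts(lines):
        counts[h] = counts.get(h, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample lines in the shape of mailbox.log, audit.log and maillog entries (not real logs).
SAMPLE_LOG = [
    "2013-07-31 15:05:45,123 INFO [ImapServer-5] [ip=203.0.113.10;] account - authentication failed for bob@example.com (no such account)",
    "2013-07-31 15:06:01,456 WARN [qtp-3] [name=bob@example.com;ip=203.0.113.10;ua=ZimbraWebClient - FF3.0 (Linux)/7.2.0_GA_2669;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for bob@example.com, invalid password;",
    "2013-07-31 15:07:10,001 INFO [qtp-1] [name=alice@example.com;oip=198.51.100.7;ua=zclient/8.0.0;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;",
    "Jul 31 15:08:00 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<x>",
    "2013-07-31 15:09:00,000 INFO [qtp-2] [name=bob@example.com;ip=192.0.2.5;] security - cmd=Auth; account=bob@example.com; protocol=soap;",  # successful login, must not match
]

if __name__ == "__main__":
    print(extract_hosts(SAMPLE_LOG))          # hosts behind each matched failure line
    print(hosts_to_ban(SAMPLE_LOG, maxretry=2))  # hosts a jail with maxretry = 2 would ban
```

Lowering maxretry in the call shows which addresses would be banned at a given threshold; the last sample line is a successful login and is correctly ignored by every pattern.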