Hardening Zimbra with Fail2ban
A mail system is constantly hit by hostile traffic: scanners, password brute-forcing and other malicious requests aimed at the mailbox service. That adds load to the server and is a real security risk.
Below, Fail2ban is used to parse Zimbra's logs and automatically block the offending hosts, protecting the mail system.
Blacklist filter (/etc/fail2ban/filter.d/zimbra-blacklist.conf). "ylmf-pc" is the EHLO name used by a long-running spam bot, so a single hit is enough to ban (the jail below uses maxretry = 1). The ":\d+" after the client address is the source port, which Postfix logs only when smtpd_client_port_logging = yes; if your log lines show "from unknown[1.2.3.4]: EHLO" without a port, drop ":\d+" from the pattern:
[Definition]
failregex = from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
#ignoreregex =
Filter for abusive connection patterns (/etc/fail2ban/filter.d/zimbra-dos.conf). It catches clients that drop the connection right after AUTH, EHLO or an unknown command, and senders that keep hitting non-existent recipients (550 5.1.1). The _daemon value covers the plain, submission and smtps instances of smtpd so that %(__prefix_line)s from common.conf matches all of them:
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$
#ignoreregex =
Mailbox password-guessing filter (/etc/fail2ban/filter.d/zimbra-mailbox.conf). It matches failed logins from the web client (ua=zclient) in mailbox.log, both "invalid password" and "account not found". The exact wording of this log line has changed between Zimbra releases, so check the pattern against your own mailbox.log with fail2ban-regex (see the verification step at the end) before relying on it:
[Definition]
failregex = INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
#ignoreregex =
Jail configuration that enables the protection (/etc/fail2ban/jail.d/zimbra.conf). postfix[mode=more] and postfix[mode=auth] are filters shipped with fail2ban 0.10 and later; zimbra-dos, zimbra-mailbox and zimbra-blacklist are the filters defined above. Ports are listed so that the ban also covers IMAP/POP and the web interface where the same credentials can be tried:
[zimbra-postfix]
enabled  = true
filter   = postfix[mode=more]
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 5

[zimbra-sasl]
enabled  = true
filter   = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 5

# Same SASL failures as [zimbra-sasl] (no separate filter is needed), but counted
# over a whole day and punished with a week-long ban: catches slow brute-forcing
# that stays under 5 attempts per 10 minutes.
[zimbra-sasl-1d]
enabled  = true
filter   = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime  = 604800
findtime = 86400
maxretry = 30

[zimbra-mailbox]
enabled  = true
filter   = zimbra-mailbox
port     = 25,465,587,110,143,995,993,80,443
logpath  = /opt/zimbra/log/mailbox.log
bantime  = 600
maxretry = 5

[zimbra-dos]
enabled  = true
filter   = zimbra-dos
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 10

[zimbra-blacklist]
enabled  = true
filter   = zimbra-blacklist
port     = 25,465,587,110,143,995,993,80,443
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 1
Finally run fail2ban-client reload to load the configuration.

Verify that the filters actually match your logs before relying on them. fail2ban-regex takes the log file, the failregex (or a filter file) and, optionally, an ignoreregex as a third argument, so test each filter against its own log on its own:
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-blacklist.conf
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-dos.conf
fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-mailbox.conf
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/postfix-sasl.conf
(postfix-sasl.conf is the older standalone name of the SASL-failure filter that newer releases provide as postfix[mode=auth].) The output reports how many lines matched and which hosts were extracted; zero matches on a log that you know contains failures means the pattern does not fit your log format. Once the jails are running, fail2ban-client status zimbra-mailbox lists the currently banned addresses.
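To see how a filter's failregex and a jail's findtime/maxretry settings combine into a ban, here is an added example (not code from the original post, nor from the fail2ban or Zimbra projects): a small Python re-implementation of fail2ban's matching and counting logic, run over constructed log lines in the formats the zimbra-dos and zimbra-mailbox filters expect. The <HOST> placeholder and %(__prefix_line)s are replaced with simplified stand-ins (IPv4 addresses only, a syslog prefix with an assumed year), the sample lines are constructed rather than captured, and the mailbox lines use the "SoapEngine - handler exception:" wording that the zimbra-mailbox regex above is written for.

```python
"""Toy re-implementation of fail2ban's failregex -> findtime/maxretry -> ban pipeline,
run over constructed Zimbra log lines with the zimbra-dos and zimbra-mailbox
failregexes.  Added example, not fail2ban's or Zimbra's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a group matching IPv4, IPv6 or a hostname;
# assumption for this demo: dotted-quad IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for common.conf's %(__prefix_line)s combined with the
# zimbra-dos _daemon value: "<syslog timestamp> <hostname> <daemon>[<pid>]: ".
PREFIX_LINE = (r"\S+\s+\d+\s+[\d:]+\s+\S+\s+"
               r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]:\s*")

FILTERS = {
    "zimbra-dos": [
        "^" + PREFIX_LINE + r"lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[" + HOST + r"\]$",
        "^" + PREFIX_LINE + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 550 5\.1\.1 .*$",
    ],
    "zimbra-mailbox": [
        r"INFO .*ip=" + HOST + r";ua=zclient.*\] .* authentication failed for \[.*\], "
        r"(invalid password|account not found)+$",
    ],
}

def parse_time(line):
    """Timestamp of a /var/log/zimbra.log (syslog) or mailbox.log line.
    Syslog lines carry no year; 2019 is assumed here."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    m = re.match(r"([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)", line)
    if m:
        return datetime.strptime("2019 " + m.group(1), "%Y %b %d %H:%M:%S")
    raise ValueError("unrecognised timestamp: " + line)

def failing_host(line, filter_name):
    """The <HOST> capture if any failregex of the filter matches the line, else None."""
    for rx in FILTERS[filter_name]:
        m = re.search(rx, line)
        if m:
            return m.group("host")
    return None

def simulate_jail(lines, filter_name, maxretry, findtime):
    """fail2ban's counting rule: a host is banned once it produces maxretry matches
    inside a sliding window of findtime seconds.  Returns {host: time_of_ban}."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        host = failing_host(line, filter_name)
        if host is None or host in banned:
            continue
        now = parse_time(line)
        window = [t for t in recent[host] if now - t <= timedelta(seconds=findtime)]
        window.append(now)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = now
    return banned

# Constructed sample lines (not real captures); RFC 5737 documentation addresses.
ZIMBRA_LOG = [
    # ten aborted AUTH attempts in ten seconds from one client
    f"Jan 10 10:00:{s:02d} mail postfix/smtpd[4242]: lost connection after AUTH from unknown[203.0.113.5]"
    for s in range(10)
] + [
    # one user-unknown reject and one EHLO drop via the submission daemon: matched, but below maxretry
    "Jan 10 10:00:30 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.7]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; "
    "from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mx.example.org>",
    "Jan 10 10:00:31 mail postfix/submission/smtpd[4243]: lost connection after EHLO from unknown[198.51.100.7]",
    # ordinary connection, must not match
    "Jan 10 10:00:32 mail postfix/smtpd[4242]: connect from mx.example.net[192.0.2.10]",
]

def mailbox_line(ts, ip, user, reason):
    """One constructed mailbox.log auth-failure line in the 'SoapEngine - handler exception' form."""
    return (f"{ts},001 INFO  [btpool0-7://mail.example.com/service/soap/AuthRequest] "
            f"[ip={ip};ua=zclient/8.0.0_GA_5434;] SoapEngine - handler exception: "
            f"authentication failed for [{user}], {reason}")

MAILBOX_LOG = (
    # five bad passwords in five seconds
    [mailbox_line(f"2019-01-10 10:05:{s:02d}", "203.0.113.9", "alice@example.com", "invalid password")
     for s in range(5)]
    # five probes for a non-existent account, one per hour: slow enough to evade findtime=600
    + [mailbox_line(f"2019-01-10 {h:02d}:00:00", "198.51.100.20", "ghost@example.com", "account not found")
       for h in (11, 12, 13, 14, 15)]
)

if __name__ == "__main__":
    print("zimbra-dos    ", simulate_jail(ZIMBRA_LOG, "zimbra-dos", maxretry=10, findtime=600))
    print("zimbra-mailbox", simulate_jail(MAILBOX_LOG, "zimbra-mailbox", maxretry=5, findtime=600))
    print("1-day window  ", simulate_jail(MAILBOX_LOG, "zimbra-mailbox", maxretry=5, findtime=86400))
```

The hourly "account not found" probes are the case a long-window jail like [zimbra-sasl-1d] exists for: with findtime=600 they never accumulate to maxretry, with findtime=86400 the host is banned after the fifth attempt. The simulation only proves the regexes against the constructed lines; if your mailbox.log records failures as "security - cmd=Auth; ... error=authentication failed for [...]" (as newer releases do), the literal space before "authentication" in the page's regex will not match, which is exactly what running fail2ban-regex against the real log will reveal.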
Original article: http://blog.exsvc.cn/article/fail2ban-protect-zimbra.html
When reposting, please credit 易科博客. Thank you!