作为邮件系统,经常会有恶意扫描器、密码暴力破解等针对邮箱系统的恶意请求,导致邮箱负载增加,并且存在一定安全隐患。

下面介绍通过 Fail2ban 对 Zimbra 的日志进行分析,并自动屏蔽恶意访问者,从而保护我们的邮箱系统的安全。

黑名单过滤规则(/etc/fail2ban/filter.d/zimbra-blacklist.conf):

[Definition]
failregex =    from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n

#ignoreregex =

频繁恶意访问的过滤规则(/etc/fail2ban/filter.d/zimbra-dos.conf):

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex =    ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]$
                        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$

#ignoreregex =

邮箱密码破解的过滤规则(/etc/fail2ban/filter.d/zimbra-mailbox.conf):

[Definition]
failregex =    INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$

#ignoreregex =

设置并启用对 Zimbra 的防护(/etc/fail2ban/jail.d/zimbra.conf):

[zimbra-postfix]
enabled = true
filter = postfix[mode=more]
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 5

[zimbra-sasl]
enabled = true
filter = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 5

[zimbra-sasl-1d]
enabled = true
filter = zimbra-sasl
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime = 604800
findtime = 86400
maxretry = 30

[zimbra-mailbox]
enabled = true
filter = zimbra-mailbox
port     = 25,465,587,110,143,995,993,80,443
logpath  = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-dos]
enabled = true
filter = zimbra-dos
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 10

[zimbra-blacklist]
enabled = true
filter = zimbra-blacklist
port     = 25,465,587,110,143,995,993,80,443
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 1

最后执行 fail2ban-client reload 加载所有配置即可。

验证规则匹配:
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/postfix-sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf


原文链接地址:http://blog.exsvc.cn/article/fail2ban-protect-zimbra.html
转载请注明:转载自 易科博客 ,谢谢!

发表评论

电子邮件地址不会被公开。 必填项已用*标注