31/5/2015

BloquerlesattaquesparforcebrutesurZimbra|LeblogdeNetworkStudio

Publile13juillet2011par
David

BLOQUER LES ATTAQUES PAR FORCE BRUTE SUR ZIMBRA

Cebilletestuncut/pastedunpostsurleforumUS.
Toutestbassurlutilisationdefail2ban,aveclesbonsfichiersdeconfiguration
Lejail.conf:

[zimbraaccount]

enabled=true
filter=zimbra
action=iptablesallports[name=Zimbraaccount]
sendmail[name=Zimbraaccount,dest=it@enabletv.com]
logpath=/opt/zimbra/log/mailbox.log
bantime=1
maxretry=5

[zimbraaudit]

enabled=true
filter=zimbra
action=iptablesallports[name=Zimbraaudit]
sendmail[name=Zimbraaudit,dest=it@enabletv.com]
logpath=/opt/zimbra/log/audit.log
bantime=1
maxretry=5

[zimbrarecipient]

enabled=true
filter=zimbra
http://blog.networkstudio.fr/2011/07/13/bloquerlesattaquesparforcebrute/

1/3

31/5/2015

BloquerlesattaquesparforcebrutesurZimbra|LeblogdeNetworkStudio

filter=zimbra

action=iptablesallports[name=Zimbrarecipient]
sendmail[name=Zimbrarecipient,dest=it@enabletv.com]
logpath=/var/log/maillog
findtime=604800
bantime=172800
maxretry=5

[postfix]

enabled=true
filter=postfix
action=iptablesmultiport[name=Postfix,port=smtp,protocol=tcp]
sendmailbuffered[name=Postfix,dest=it@enabletv.com]
logpath=/var/log/maillog
bantime=172800
maxretry=5

Lefiltre(/etc/fail2ban/filter.d/zimbra.conf):

#Fail2Banconfigurationfile
#
#Author:
#
#$Revision:1$
#

[Definition]

#Option:failregex
#Notes.:regextomatchthepasswordfailuresmessagesinthelogfile.The
#hostmustbematchedbyagroupnamedhost.Thetagcan
#beusedforstandardIP/hostnamematchingandisonlyanaliasfor
#(?:::f{4,6}:)?(?P[w.^_]+)
#Values:TEXT
#
failregex=[ip=;]accountauthenticationfailedfor.*(nosuchaccount)$

[ip=;]securitycmd=Auth;.*error=authenticationfailedfor.*,invalidpass

;oip=;.*securitycmd=Auth;.*protocol=soap;error=authenticationfailedfor

[oip=;.*SoapEnginehandlerexception:authenticationfailedfor.*,account

WARN.*;ip=;ua=ZimbraWebClient.*securitycmd=AdminAuth;.*error=authentica

http://blog.networkstudio.fr/2011/07/13/bloquerlesattaquesparforcebrute/

2/3

31/5/2015

BloquerlesattaquesparforcebrutesurZimbra|LeblogdeNetworkStudio

WARN.*;ip=;ua=ZimbraWebClient.*securitycmd=AdminAuth;.*error=authentica
NOQUEUE:reject:RCPTfrom.*[]:5505.1.1.*:Recipientaddressrejected:

#.*[ip=;].*authenticationfailedfor.*(invalidpassword)
#
#Option:ignoreregex
#Notes.:regextoignore.Ifthisregexmatches,thelineisignored.
#Values:TEXT
#
ignoreregex=

Bienentendu,ilfautconfigurerlerestedefail2bancommevouslesouhaitez(dureduban,
etc)etnepasoublierquevouspouvezbloquerunvraiutilisateurquisetrompedemotde
passe
Sicestlecas,ilfautregarderquellergledanslefirewallcorrespondcetutilisateur:

[root@mailfail2ban]#iptablesL
ChainINPUT(policyACCEPT)
targetprotoptsourcedestination
fail2banZimbraaudittcpanywhereanywhere

Chainfail2banZimbraaudit(1references)
targetprotoptsourcedestination
DROPallbad.spammer.comanywhere
DROPalllegitimate.user.comanywhere

Etlelibrer:

iptablesDfail2banZimbraaudit2

CetteentreatpubliedansZimbra.Vouspouvezlamettreenfavorisaveccepermalien.

NetworkStudio2015
UneralisationNetworkStudiofirementpropulseparWordpress

http://blog.networkstudio.fr/2011/07/13/bloquerlesattaquesparforcebrute/

3/3