Blocking brute-force attacks on Zimbra | The Network Studio blog

Published on 13 July 2011 by David

This post is a cut/paste of a post on the US forum.

Everything is based on using fail2ban, with the right configuration files.

The jail.conf:

[zimbra-account]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-account]
           sendmail[name=Zimbra-account, dest=it@enabletv.com]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = -1
maxretry = 5

[zimbra-audit]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-audit]
           sendmail[name=Zimbra-audit, dest=it@enabletv.com]
logpath  = /opt/zimbra/log/audit.log
bantime  = -1
maxretry = 5

[zimbra-recipient]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-recipient]
           sendmail[name=Zimbra-recipient, dest=it@enabletv.com]
logpath  = /var/log/maillog
findtime = 604800
bantime  = 172800
maxretry = 5

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
           sendmail-buffered[name=Postfix, dest=it@enabletv.com]
logpath  = /var/log/maillog
bantime  = 172800
maxretry = 5

The filter (/etc/fail2ban/filter.d/zimbra.conf):

# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid pass
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentica
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
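
To check patterns like these against log lines before enabling a jail, the sketch below expands `<HOST>` with a simplified group and counts matching lines per host against the `maxretry = 5` used in jail.conf. It is an added example, not part of the original post or of fail2ban; the log lines, addresses and accounts are constructed and only approximate Zimbra's log format, and `findtime` is not modelled.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag
# also handles IPv6 and mapped addresses).
HOST = r"(?P<host>[\w\-.^_]+)"

# Three of the failregex lines from zimbra.conf, as far as the page shows them.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid pass",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY = 5  # threshold used by every jail in jail.conf

def failed_host(line):
    """Return the host captured by the first matching pattern, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts with at least maxretry matching lines (findtime is not modelled)."""
    hits = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed log lines (hypothetical addresses and accounts).
GUESSING = ["INFO [ip=203.0.113.7;] account - authentication failed for "
            "user%d@example.com (no such account)" % i for i in range(6)]
TYPOS = ["WARN [ip=198.51.100.20;] security - cmd=Auth; account=alice@example.com; "
         "error=authentication failed for alice, invalid password;"] * 5
OTHER = ["INFO [ip=192.0.2.9;] security - cmd=Auth; account=bob@example.com;",
         "postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: "
         "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown"]
SAMPLE = GUESSING + TYPOS + OTHER

if __name__ == "__main__":
    # A real user with five typos is banned just like the account-guessing host.
    print(hosts_to_ban(SAMPLE))
```

On a host with fail2ban installed, `fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra.conf` runs the real filter against the real log.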

Of course, you need to configure the rest of fail2ban as you see fit (ban duration, etc.), and don't forget that you can block a real user who mistypes their password.

If that happens, look up which firewall rule corresponds to that user:

[root@mail fail2ban]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-Zimbra-audit  tcp  --  anywhere             anywhere

Chain fail2ban-Zimbra-audit (1 references)
target     prot opt source               destination
DROP       all  --  bad.spammer.com      anywhere
DROP       all  --  legitimate.user.com  anywhere

And release them:

iptables -D fail2ban-Zimbra-audit 2

http://blog.networkstudio.fr/2011/07/13/bloquerlesattaquesparforcebrute/