首页 » 邮件服务器 » Zimbra » 正文

使用fail2ban加强Zimbra邮件服务器安全

因为Zimbra邮件服务器是在公网上,因此每天都要遭受来自全网不怀好意的恶意扫描,可以从zimbra的每日报告里看到,如下:

Warnings
--------
  smtpd (total: 24040)
     13828   unknown[45.150.206.118]: SASL LOGIN authentication failed: auth...
      3017   SASL authentication failure: Password verification failed
      1804   unknown[78.128.113.119]: SASL PLAIN authentication failed: auth...
      1804   hostname ip-113-119.4vendeta.com does not resolve to address 78...
       543   unknown[212.70.149.69]: SASL LOGIN authentication failed: authe...
       460   unknown[141.98.80.79]: SASL LOGIN authentication failed: authen...
       165   hostname mtgplace.com does not resolve to address 66.77.114.36
       143   hostname undefined.hostname.localhost does not resolve to addre...
       120   hostname 148.29.54.119.adsl-pool.jlccptt.net.cn does not resolv...
        53   hostname newsletters.carnetec.com.br does not resolve to addres...

其中绝大部分都是想试图暴力破解密码,虽然密码强度设置的够强,它也恶意破解不了,但是一直这样恶意的扫描也会对服务器资源造成浪费,因此需要对其进行限制。

 

下面就介绍如何通过fail2ban对Zimbra进行安全保护:

环境:阿里云CnetOS7

 

一、安装 firewalld

1. 首先保证系统上有 firewalld ,fail2ban需要调用firewalld进行IP屏蔽, 阿里云默认没有,是直接可以通过安全组来管理端口的,因此需要在系统上安装。

yum install firewalld

2. 启动 firewalld

systemctl start firewalld

3. 开放Zimbra相关的端口

    包括:22、80、443、25、110、143、465、995、993、587、7025、7071、8443

命令如:

firewall-cmd --zone=public --add-port=25/tcp --permanent

4. 重新加载配置生效

firewall-cmd -–reload

 

二、安装fail2ban

1. 安装fail2ban

yum install fail2ban

安装好后配置文件都在 /etc/fail2ban/ 目录下。

2. 启动fail2ban

systemctl start fail2ban

3. 配置过滤规则:以下文件都没有,需新建。

3.1 黑名单过滤规则(/etc/fail2ban/filter.d/zimbra-blacklist.conf):

[Definition]
failregex =    from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n

#ignoreregex =

3.2 频繁恶意访问的过滤规则(/etc/fail2ban/filter.d/zimbra-dos.conf):

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex =    ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]$
                        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$

#ignoreregex =

3.3 邮箱密码破解的过滤规则(/etc/fail2ban/filter.d/zimbra-mailbox.conf):

[Definition]
failregex =    INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$

#ignoreregex =

3.4 设置并启用对 Zimbra 的防护(/etc/fail2ban/jail.d/zimbra.conf):

[zimbra-postfix]
enabled = true
filter = postfix[mode=more]
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 5

[zimbra-sasl]
enabled = true
filter = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 5

[zimbra-sasl-1d]
enabled = true
filter = zimbra-sasl
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime = 604800
findtime = 86400
maxretry = 30

[zimbra-mailbox]
enabled = true
filter = zimbra-mailbox
port     = 25,465,587,110,143,995,993,80,443
logpath  = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-dos]
enabled = true
filter = zimbra-dos
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 10

[zimbra-blacklist]
enabled = true
filter = zimbra-blacklist
port     = 25,465,587,110,143,995,993,80,443
logpath  = /var/log/zimbra.log
bantime = 600
maxretry = 1

3.5  重新加载所有配置生效

fail2ban-client reload

3.6 验证规则匹配

fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-blacklist.conf
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-dos.conf
fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-mailbox.conf

 

三、查看状态

1. 查看fail2ban 日志:

tail -f /var/log/fail2ban.log

2. 查看被禁止的IP列表:

    新建脚本文件 /usr/bin/fail2ban-statusall.sh 内容如下:

#!/bin/bash

JAILS=`fail2ban-client status | grep "Jail list" | sed -e 's/^[^:]\+:[ \t]\+//' | sed 's/,//g'`
for JAIL in $JAILS
do
  fail2ban-client status $JAIL
  echo '===================================='
done

    添加执行权限:

chmod +x fail2ban-statusall.sh

    执行 fail2ban-statusall.sh 或 /usr/bin/fail2ban-statusall.sh 即可查看禁止IP状态。

3. 查看firewalld防火墙状态:

firewall-cmd --list-all

 

 

 

本文fail2ban部分参考自:

http://blog.exsvc.cn/article/fail2ban-protect-zimbra.html

http://blog.exsvc.cn/article/fail2ban-status-all.html

发表评论

验证码加载中....