Hardening a Zimbra mail server with fail2ban
Because the Zimbra mail server sits on the public internet, it is hit every day by malicious scans from all over the net. This is plain to see in Zimbra's daily report, for example:
Warnings
--------
smtpd (total: 24040)
  13828 unknown[45.150.206.118]: SASL LOGIN authentication failed: auth...
   3017 SASL authentication failure: Password verification failed
   1804 unknown[78.128.113.119]: SASL PLAIN authentication failed: auth...
   1804 hostname ip-113-119.4vendeta.com does not resolve to address 78...
    543 unknown[212.70.149.69]: SASL LOGIN authentication failed: authe...
    460 unknown[141.98.80.79]: SASL LOGIN authentication failed: authen...
    165 hostname mtgplace.com does not resolve to address 66.77.114.36
    143 hostname undefined.hostname.localhost does not resolve to addre...
    120 hostname 148.29.54.119.adsl-pool.jlccptt.net.cn does not resolv...
     53 hostname newsletters.carnetec.com.br does not resolve to addres...
The vast majority of these are attempts to brute-force passwords. With strong passwords in place they will not succeed, but a constant stream of this kind of scanning still wastes server resources, so it needs to be rate-limited.
The following describes how to protect Zimbra with fail2ban.
Environment: Alibaba Cloud, CentOS 7
I. Installing firewalld
1. First make sure firewalld is present on the system: fail2ban calls firewalld to block IPs. Alibaba Cloud images do not ship it by default, because ports are normally managed through security groups, so install it on the system.
yum install firewalld
2. Start firewalld
systemctl start firewalld
3. Open the Zimbra-related ports
These are: 22, 80, 443, 25, 110, 143, 465, 995, 993, 587, 7025, 7071, 8443
For example:
firewall-cmd --zone=public --add-port=25/tcp --permanent
4. Reload the configuration so it takes effect
firewall-cmd --reload
II. Installing fail2ban
1. Install fail2ban
yum install fail2ban
After installation the configuration files live under /etc/fail2ban/.
2. Start fail2ban
systemctl start fail2ban
3. Configure the filter rules. None of the following files exist yet; each one has to be created.
3.1 Blacklist filter rule (/etc/fail2ban/filter.d/zimbra-blacklist.conf):
[Definition]
failregex = from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
#ignoreregex =
3.2 Filter rule for repeated abusive connections (/etc/fail2ban/filter.d/zimbra-dos.conf):
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$
#ignoreregex =
3.3 Filter rule for mailbox password guessing (/etc/fail2ban/filter.d/zimbra-mailbox.conf):
[Definition]
failregex = INFO .*ip=<HOST>;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
#ignoreregex =
3.4 Define and enable the Zimbra jails (/etc/fail2ban/jail.d/zimbra.conf):
[zimbra-postfix]
enabled  = true
filter   = postfix[mode=more]
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 5

[zimbra-sasl]
enabled  = true
filter   = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 5

# Long-term ban for hosts that keep failing SASL auth over a whole day.
# No separate zimbra-sasl filter is defined above, so this jail reuses the
# same auth-mode postfix filter as [zimbra-sasl]; the original referenced
# "filter = zimbra-sasl", which would fail to load without that file.
[zimbra-sasl-1d]
enabled  = true
filter   = postfix[mode=auth]
port     = 25,465,587,110,143,995,993
logpath  = /var/log/zimbra.log
bantime  = 604800
findtime = 86400
maxretry = 30

[zimbra-mailbox]
enabled  = true
filter   = zimbra-mailbox
port     = 25,465,587,110,143,995,993,80,443
logpath  = /opt/zimbra/log/mailbox.log
bantime  = 600
maxretry = 5

[zimbra-dos]
enabled  = true
filter   = zimbra-dos
port     = 25,465,587
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 10

[zimbra-blacklist]
enabled  = true
filter   = zimbra-blacklist
port     = 25,465,587,110,143,995,993,80,443
logpath  = /var/log/zimbra.log
bantime  = 600
maxretry = 1
3.5 Reload all configuration so it takes effect
fail2ban-client reload
3.6 Verify that the rules match
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-blacklist.conf
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/zimbra-dos.conf
fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-mailbox.conf
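To see what the three filters above actually match before trusting fail2ban-regex on a live log, here is an added Python example (not from the original post or the referenced blog) that expands the failregex sets the way fail2ban does and applies the maxretry thresholds from jail.d/zimbra.conf. The <HOST> group, the %(__prefix_line)s prefix and the log lines are simplified, constructed stand-ins, and the findtime window is not modelled.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with its own address/hostname group; this
# IPv4-only stand-in is a simplification made for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for common.conf's %(__prefix_line)s: syslog time,
# hostname, the page's _daemon pattern and a PID (also an assumption).
PREFIX = (r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ "
          r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: ")

# The page's three filters, with <HOST> expanded the way fail2ban does.
FILTERS = {
    "zimbra-blacklist": [
        re.compile(r"from \[" + HOST + r"\]:\d+: EHLO ylmf-pc\\r\\n")],
    "zimbra-dos": [
        re.compile(PREFIX + r"lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[" + HOST + r"\]$"),
        re.compile(PREFIX + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 550 5\.1\.1 .*$")],
    "zimbra-mailbox": [
        re.compile(r"INFO .*ip=" + HOST + r";ua=zclient.*\] .* authentication failed for \[.*\], "
                   r"(invalid password|account not found)+$")],
}
# maxretry per jail, taken from the page's jail.d/zimbra.conf.
MAXRETRY = {"zimbra-blacklist": 1, "zimbra-dos": 10, "zimbra-mailbox": 5}

# Constructed sample lines in the shape of zimbra.log / mailbox.log entries.
ZIMBRA_LOG = [
    "Mar  1 10:00:01 mail postfix/smtpd[4242]: lost connection after AUTH from unknown[198.51.100.7]",
    "Mar  1 10:00:02 mail postfix/smtpd[4242]: improper command pipelining after CONNECT from [203.0.113.9]:51234: EHLO ylmf-pc\\r\\n",
    "Mar  1 10:00:03 mail postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected",
    "Mar  1 10:00:04 mail postfix/smtpd[4243]: connect from unknown[192.0.2.1]",
]
MAILBOX_LOG = 5 * ["2024-03-01 10:00:05,123 INFO  [qtp1-2:https://mail.example.com/service/soap/AuthRequest] "
                   "[ip=203.0.113.5;ua=zclient/8.8.15_GA_3869;] SoapEngine - handler exception: "
                   "authentication failed for [alice@example.com], invalid password"]

def count_failures(filter_name, lines):
    """Failures per host, as fail2ban's filter stage would count them."""
    hits = Counter()
    for line in lines:
        for rx in FILTERS[filter_name]:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line even if several regexes match
    return hits

def hosts_to_ban(filter_name, lines):
    """Hosts at or above maxretry (the findtime window is ignored here)."""
    return sorted(h for h, n in count_failures(filter_name, lines).items()
                  if n >= MAXRETRY[filter_name])
```

With these samples the dos jail sees two failures from one host but stays below its maxretry of 10, while the blacklist jail bans on its first hit and the mailbox jail bans after the five failed logins.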
III. Checking status
1. View the fail2ban log:
tail -f /var/log/fail2ban.log
2. List the banned IPs:
Create a script file /usr/bin/fail2ban-statusall.sh with the following content:
#!/bin/bash
# Print the status of every active jail, including its list of banned IPs.
JAILS=$(fail2ban-client status | grep "Jail list" | sed -e 's/^[^:]\+:[ \t]\+//' | sed 's/,//g')
for JAIL in $JAILS
do
    fail2ban-client status "$JAIL"
    echo '===================================='
done
Make it executable:
chmod +x /usr/bin/fail2ban-statusall.sh
Run fail2ban-statusall.sh or /usr/bin/fail2ban-statusall.sh to see the banned-IP status of every jail.
3. Check the firewalld state:
firewall-cmd --list-all
The fail2ban part of this article is based on:
http://blog.exsvc.cn/article/fail2ban-protect-zimbra.html
http://blog.exsvc.cn/article/fail2ban-status-all.html