CentOS + Fail2Ban + Zimbra
Hey folks,
In this article I will show how to configure Fail2ban on CentOS 6 to protect the main Zimbra services.
Fail2Ban's main purpose is to block brute-force attacks against our server.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum -y install iptables gamin fail2ban
nano /etc/fail2ban/jail.conf
===============================================================================================================
# Fail2Ban configuration file
# By Diego Luisi @diegoluisi
# http://diegoluisi.wordpress.com

[DEFAULT]
ignoreip = 127.0.0.1 192.168.X.0/24 192.168.XX.0/24
bantime = 600
findtime = 600
maxretry = 3
backend = auto

# Default action to take: ban only
action = iptables[name=%(name)s, port=%(port)s]

[ssh-iptables]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
# A multi-line "action" value continues on indented lines. The <dest> value is
# expanded unquoted into the sendmail command line, so several recipients are
# separated by spaces, not by ";" (the shell would read ";" as a command separator).
action = iptables-allports[name=SSH-iptables]
         sendmail[name=SSH, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
maxretry = 3

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
         sendmail[name=FAIL2Ban, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
         sendmail[name=Zimbra-audit, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /var/log/maillog
findtime = 604800
bantime = 600
maxretry = 5

[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
         sendmail[name=Postfix, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /var/log/maillog
bantime = 600
maxretry = 5

[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
         sendmail[name=SASL, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /var/log/maillog
bantime = 600

[zimbra-webmail]
enabled = true
# Uses the dedicated webmail filter (filter.d/zimbra-webmail.conf, created below).
# One multiport action with its own chain name replaces two single-port iptables
# entries that both reused "Zimbra-account": every iptables* action creates a chain
# named fail2ban-<name>, so sharing a name with the zimbra-account jail makes the
# two jails fight over the same chain when they start, ban and unban.
filter = zimbra-webmail
action = iptables-multiport[name=Zimbra-webmail, port="http,https", protocol=tcp]
         sendmail[name=Zimbra-webmail, dest=diego.efuture@gmail.com dluisi@secureti.com.br]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 3
===============================================================================================================
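Before restarting the service it is worth checking a jail file like the one above for the two mistakes that creep in when jail sections are copied: an enabled jail pointing at a filter that has no file in filter.d, and an iptables chain name (the name=... argument) shared by more than one action line. The script below is an added example, not part of the original post or of Fail2Ban; the jail excerpt and the list of available filters are constructed for it, and the warnings it produces come from those constructed inputs.

```python
"""Sanity-check a Fail2Ban jail file before restarting the service.

Added example, not from the original post. It parses the INI-style jail file
with configparser (interpolation disabled, because "%(name)s" in the DEFAULT
action is a Fail2Ban placeholder, not a configparser one) and flags two
mistakes that are easy to make when copying jail sections: an enabled jail
whose filter has no file in filter.d, and an iptables chain name (name=...)
shared by more than one action line. The jail text and the filter list below
are constructed for the example; the warnings are returned, not just printed.
"""
import configparser
import re

# Constructed jail excerpt in the shape of the post's jail.conf. The
# zimbra-webmail section deliberately reuses the zimbra-account chain name and
# the postfix section names a filter that does not exist.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24
bantime = 600
findtime = 600
maxretry = 3
backend = auto
action = iptables[name=%(name)s, port=%(port)s]

[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
         sendmail[name=FAIL2Ban, dest=admin@example.com]
logpath = /opt/zimbra/log/mailbox.log
maxretry = 5

[zimbra-webmail]
enabled = true
filter = zimbra
action = iptables[name=Zimbra-account, port=https, protocol=tcp]
         iptables[name=Zimbra-account, port=http, protocol=tcp]
logpath = /opt/zimbra/log/audit.log

[postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
logpath = /var/log/maillog

[ssh-disabled]
enabled = false
filter = no-such-filter
action = iptables-allports[name=Zimbra-account]
logpath = /var/log/secure
"""

# Names assumed to exist as /etc/fail2ban/filter.d/<name>.conf (constructed list).
AVAILABLE_FILTERS = {"sshd", "zimbra", "zimbra-webmail", "postfix", "sasl"}

# Matches an action line using one of the iptables* actions and captures name=...
ACTION_NAME_RE = re.compile(r"^\s*iptables[\w-]*\[.*?\bname=([^,\]]+)")


def parse_jails(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enabled_jails(cp):
    return [s for s in cp.sections()
            if cp.get(s, "enabled", fallback="false").strip().lower() == "true"]


def iptables_chains(cp, jail):
    """Chain names (name=...) used by the jail's iptables action lines, in order."""
    chains = []
    for line in cp.get(jail, "action", fallback="").splitlines():
        m = ACTION_NAME_RE.match(line)
        if m:
            chains.append(m.group(1).strip())
    return chains


def check_jails(text, available_filters):
    """Return a list of warning strings; an empty list means the file looks sane."""
    cp = parse_jails(text)
    problems = []
    chain_users = {}
    for jail in enabled_jails(cp):
        flt = cp.get(jail, "filter", fallback=jail)
        if flt not in available_filters:
            problems.append(f"{jail}: filter '{flt}' has no file in filter.d")
        for chain in iptables_chains(cp, jail):
            users = chain_users.setdefault(chain, [])
            if jail in users:
                problems.append(f"{jail}: chain name '{chain}' used by two action lines in this jail")
            elif users:
                problems.append(f"{jail}: chain name '{chain}' already used by jail {users[0]}")
            users.append(jail)
    return problems


if __name__ == "__main__":
    for warning in check_jails(JAIL_CONF, AVAILABLE_FILTERS):
        print("WARNING:", warning)
```

Disabled jails are skipped on purpose, because Fail2Ban never starts them; run it against the real file by reading /etc/fail2ban/jail.conf into `check_jails` and listing the filter.d directory for the second argument.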
nano /etc/fail2ban/filter.d/zimbra.conf
===============================================================================================================
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
            WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;
            .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
===============================================================================================================
nano /etc/fail2ban/filter.d/zimbra-webmail.conf
===============================================================================================================
# Fail2Ban configuration file
#
# Author: Giorgio Salluzzo
#

[Definition]

# Option:  failregex
# Notes.:  regex to match PASSWORD FAILED for Zimbra webmail/admin authentication
# Values:  TEXT
#
# FIRST regex for webmail, SECOND for webadmin
#
failregex = WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
===============================================================================================================
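A filter is only as good as its failregex, so it pays to run the patterns over sample log lines before enabling the jails, the way `fail2ban-regex` does. The script below is an added example, not part of the original post or of Fail2Ban itself; it serves both filter.d/zimbra.conf and filter.d/zimbra-webmail.conf above (the webmail rule is the seventh pattern), expands the `<HOST>` tag into Fail2Ban's named group, and reports which source address each matching line attributes the failure to. The log lines are constructed to resemble Zimbra mailbox.log / audit.log and Postfix maillog entries (documentation address ranges, one space after the log level); they are not real captures.

```python
"""Offline check of the Zimbra failregex lines against sample log entries.

Added example, not part of the original post (which leaves this to Fail2Ban
itself). It does what `fail2ban-regex` does: expands the <HOST> tag into
Fail2Ban's named group, runs each failregex over every log line with
re.search, and reports which source address a matching line attributes the
failure to. The log lines are constructed to resemble Zimbra mailbox.log /
audit.log and Postfix maillog entries; they are not real captures.
"""
import re
from collections import Counter

# Fail2Ban's expansion of the <HOST> tag, as quoted in the filter headers.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from filter.d/zimbra.conf (the seventh is the webmail rule
# that filter.d/zimbra-webmail.conf also carries).
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
    r"WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;",
    r".*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)",
]
COMPILED = [re.compile(pattern.replace("<HOST>", HOST_TAG)) for pattern in FAILREGEX]

# Constructed log lines. Index 3 is a successful login and must not match.
SAMPLE_LOG_LINES = [
    "2012-05-10 10:11:12,345 WARN [btpool0-3://mail.example.com/service/soap/AuthRequest] "
    "[ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=soap; "
    "error=authentication failed for bob@example.com, invalid password;",
    "2012-05-10 10:12:00,000 WARN [ImapServer-5] [name=alice@example.com;ip=198.51.100.9;ua=Thunderbird;] "
    "security - cmd=Auth; account=alice@example.com; protocol=imap; "
    "error=authentication failed for alice@example.com, invalid password;",
    "May 10 10:13:00 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: "
    "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; "
    "from=<sender@example.net> to=<nobody@example.com> proto=ESMTP helo=<example.net>",
    "2012-05-10 10:14:00,000 INFO [btpool0-3://mail.example.com/service/soap/AuthRequest] "
    "[name=carol@example.com;ip=203.0.113.8;ua=ZimbraWebClient - FF3.0 (Linux)/7.1.4_GA_2555;] "
    "security - cmd=Auth; account=carol@example.com; protocol=soap;",
    "2012-05-10 10:15:00,000 INFO [btpool0-4://mail.example.com/service/soap/AuthRequest] "
    "[ip=203.0.113.7;] account - authentication failed for ghost@example.com (no such account)",
    "2012-05-10 10:16:30,000 WARN [btpool0-5://mail.example.com/service/soap/AuthRequest] "
    "[ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=soap; "
    "error=authentication failed for bob@example.com, invalid password;",
]


def match_line(line):
    """Return the host captured by the first matching failregex, or None."""
    for regex in COMPILED:
        m = regex.search(line)
        if m:
            return m.group("host")
    return None


def failures_per_host(lines):
    """Count matching lines per host, the tally Fail2Ban compares with maxretry."""
    return Counter(host for host in map(match_line, lines) if host is not None)


def hosts_to_ban(lines, maxretry):
    """Hosts whose failure count reached maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(match_line(line) or "no match", "<-", line[:70])
    print("would ban with maxretry=3:", hosts_to_ban(SAMPLE_LOG_LINES, 3))
```

Point `SAMPLE_LOG_LINES` at a few lines copied from your own mailbox.log, audit.log and maillog to confirm the patterns fit your Zimbra version's log format (the spacing after the log level and the " - " separator are the parts most likely to differ); a line that should count but returns `None` means the regex needs adjusting, not the jail.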
nano /etc/fail2ban/action.d/sendmail.conf
replace /usr/bin/sendmail with /opt/zimbra/postfix/sbin/sendmail
chkconfig fail2ban on
service fail2ban restart
Hi Diego, I'm following your instructions and was left with a doubt about the last entry, since action.d is a directory.
Thanks and regards!
Hi, thanks for visiting my blog
The correct file is
nano /etc/fail2ban/action.d/sendmail.conf
I'll fix it in the tutorial,