
Blocking brute-force attacks on Zimbra


This post is a cut-and-paste of a post on the US forum.

Everything relies on fail2ban, with the right configuration files…

The jail.conf:

[zimbra-account]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-account]
           sendmail[name=Zimbra-account, dest=it@enabletv.com]
logpath  = /opt/zimbra/log/mailbox.log
# a negative bantime bans permanently: the rule stays until removed by hand (see below) or fail2ban is restarted
bantime  = -1
maxretry = 5

[zimbra-audit]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-audit]
           sendmail[name=Zimbra-audit, dest=it@enabletv.com]
logpath  = /opt/zimbra/log/audit.log
bantime  = -1
maxretry = 5

[zimbra-recipient]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=Zimbra-recipient]
           sendmail[name=Zimbra-recipient, dest=it@enabletv.com]
logpath  = /var/log/maillog
findtime = 604800
bantime  = 172800
maxretry = 5

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
           sendmail-buffered[name=Postfix, dest=it@enabletv.com]
logpath  = /var/log/maillog
bantime  = 172800
maxretry = 5

The filter (/etc/fail2ban/filter.d/zimbra.conf):

# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
#           .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Of course, you have to configure the rest of fail2ban the way you want it (ban duration, etc.) and remember that you may end up blocking a real user who mistypes their password…
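To see what the filter above actually catches before switching the jails on, here is a small Python script, added to this post and not part of the original forum post or of fail2ban itself. It compiles the failregex lines the way fail2ban does (expanding the <HOST> tag into the named group quoted in the filter header), runs them over constructed log lines and replays the jails' maxretry/findtime rule; the sample lines, hosts and timestamps are invented.

```python
import re
from collections import defaultdict, deque

# The failregex lines of the zimbra.conf filter above; fail2ban replaces the
# <HOST> tag with the named group HOST_RE quoted in the filter's own header.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

def match_host(line):
    """Return the host captured by the first failregex that matches, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def scan(events, maxretry=5, findtime=600):
    """Replay (seconds, log line) events and apply the jail rule: ban a host once
    maxretry matches fall inside one findtime window. Returns {host: ban time}."""
    recent = defaultdict(deque)
    banned = {}
    for t, line in sorted(events):
        host = match_host(line)
        if host is None or host in banned:
            continue
        hits = recent[host]
        hits.append(t)
        while t - hits[0] > findtime:  # forget failures older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = t
    return banned

# Constructed sample lines (not real log data): a guessing host, a legitimate
# user who mistypes twice then logs in, and a Postfix recipient probe.
GUESS = "INFO [ImapServer-5] [ip=203.0.113.7;] account - authentication failed for bob (no such account)"
TYPO = "INFO [btpool0-3://mail/service/soap/AuthRequest] [name=alice@example.com;oip=192.0.2.10;ua=zclient/7.1.3;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for alice@example.com, invalid password;"
OK = "INFO [ImapServer-5] [ip=192.0.2.10;] security - cmd=Auth; account=alice@example.com; protocol=imap;"
PROBE = "mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown"
EVENTS = [(t, GUESS) for t in range(0, 50, 10)] + [(5, TYPO), (20, TYPO), (30, OK), (60, PROBE)]

if __name__ == "__main__":
    print(scan(EVENTS))  # {'203.0.113.7': 40}: only the guessing host is banned
```

With the default 600 s findtime, five failures spread an hour apart never ban; with the 604800 s findtime of the zimbra-recipient jail they do, which is the trade-off to keep in mind for the mistyping user.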

If that happens, look up which firewall rule corresponds to that user:

[root@mail fail2ban]# iptables -L
Chain INPUT (policy ACCEPT)
target                 prot opt source               destination
fail2ban-Zimbra-audit  tcp  --  anywhere             anywhere

Chain fail2ban-Zimbra-audit (1 references)
target     prot opt source               destination
DROP       all  --  bad.spammer.com      anywhere
DROP       all  --  legitimate.user.com  anywhere

And release them (-D deletes a rule by its position in the chain; legitimate.user.com is the second rule here):

iptables -D fail2ban-Zimbra-audit 2