Eae Galera,
Nesse artigo vou ensinar como configurar o Fail2ban no CentOS 6 para proteger os principais serviços do Zimbra.
O Fail2Ban tem como principal objetivo bloquear os ataques de Brute Force contra o nosso servidor.
# Enable the EPEL repository, which is where fail2ban is installed from below.
# The release package is fetched over plain http; rpm can only verify its
# signature if the EPEL signing key has already been imported, so on a fresh
# host prefer fetching it from a trusted mirror over https and checking the
# signature before installing.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
# gamin is the file-monitoring library fail2ban's gamin backend can use
yum -y install iptables gamin fail2ban
# Jail definitions: the [DEFAULT] and per-service sections that follow go in this file
nano /etc/fail2ban/jail.conf
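# ===============================================================================================================
# Fail2Ban Arquivo de Configuração
# Por Diego Luisi @diegoluisi
# https://diegoluisi.wordpress.com
#
# Read by fail2ban's ConfigParser-based reader: multi-line values (the action
# lists below) need their continuation lines indented, and a literal % in a
# value must be written %%.
# Replace the 192.168.X.0/24 placeholders and the e-mail recipients before use.

[DEFAULT]
# Hosts never banned: localhost plus trusted LAN ranges (placeholders)
ignoreip = 127.0.0.1 192.168.X.0/24 192.168.XX.0/24
# seconds a host stays banned
bantime = 600
# window (seconds) in which maxretry failures trigger a ban
findtime = 600
maxretry = 3
backend = auto
# Default action to take: ban only.
# NOTE: %(port)s is only defined in jails that set "port"; every jail below
# overrides "action", so this default is currently not used by any jail.
action = iptables[name=%(__name__)s, port=%(port)s]

# SSH brute force against the host itself
[ssh-iptables]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
action = iptables-allports[name=SSH-iptables]
         sendmail[name=SSH, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
maxretry = 3

# Zimbra account login failures recorded by the mailbox service
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
         sendmail[name=FAIL2Ban, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5

# Same filter applied to the Zimbra audit log
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
         sendmail[name=Zimbra-audit, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5

# Recipient-address probing (the NOQUEUE/550 pattern in the zimbra filter);
# findtime is one week, so slow enumeration is also caught
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /var/log/maillog
findtime = 604800
bantime = 600
maxretry = 5

# Postfix: only the SMTP port is blocked
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
         sendmail[name=Postfix, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /var/log/maillog
bantime = 600
maxretry = 5

# SMTP AUTH (SASL) failures; inherits maxretry = 3 from [DEFAULT]
[sasl-iptables]
enabled = true
filter = sasl
action = iptables-allports[name=sasl]
         sendmail[name=SASL, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /var/log/maillog
bantime = 600

# Webmail / admin console login failures; blocks only http and https
[zimbra-webmail]
enabled = true
# NOTE(review): filter.d/zimbra-webmail.conf, created later in this guide, is
# not referenced by any jail; it was presumably meant for this one — confirm.
filter = zimbra
# One multiport rule covers both ports. Two separate iptables[] entries sharing
# the name "Zimbra-account" would each try to create the same chain, and that
# chain is already owned by the [zimbra-account] jail (fail2ban-Zimbra-account),
# so stopping one jail would tear down the other's rules.
action = iptables-multiport[name=Zimbra-webmail, port="http,https", protocol=tcp]
         sendmail[name=Zimbra-webmail, dest=diego.efuture@gmail.com; dluisi@secureti.com.br]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 3
# ===============================================================================================================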
# Filter referenced by the zimbra-* jails in jail.conf; the file content follows
nano /etc/fail2ban/filter.d/zimbra.conf
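# ===============================================================================================================
# Fail2Ban configuration file
#
# Author:
#
# $Revision: 1 $
#
# Matches Zimbra authentication failures (mailbox.log / audit.log) and the
# Postfix "Recipient address rejected" line in maillog. Used by the
# zimbra-account, zimbra-audit and zimbra-recipient jails (and zimbra-webmail,
# as published). Continuation lines of failregex must stay indented.

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# The separator between logger name and message ("security - cmd=Auth") is an
# ASCII hyphen; a typographic dash (as rendered in the published listing)
# never matches the log lines. Every pattern must contain <HOST>, otherwise
# fail2ban has nothing to ban.
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
            WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;
# Disabled variant kept for reference (a full-line # is ignored by the reader
# and does not end the failregex value):
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# ===============================================================================================================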
# Webmail-only filter; note that none of the jails above reference it
nano /etc/fail2ban/filter.d/zimbra-webmail.conf
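# ===============================================================================================================
# Fail2Ban configuration file
#
# Author: Giorgio Salluzzo
#
# Matches Zimbra webmail login failures from audit.log. To use it, a jail must
# set "filter = zimbra-webmail".

[Definition]

# Option: failregex
# Notes.: regex to match PASSWORD FAILED for Zimbra webmail/admin authentication
# Values: TEXT
#
# FIRST regex for webmail, SECOND for webadmin
# NOTE(review): only the webmail regex is present in this listing; the
# cmd=AdminAuth (webadmin) pattern lives in filter.d/zimbra.conf.
#
# "<HOST>" is the fail2ban tag for the banned address; the separator after
# "security" is an ASCII hyphen, not a typographic dash.
failregex = WARN \[.*\] \[name=.*;ip=<HOST>;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# ===============================================================================================================
# ===============================================================================================================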
# The sendmail action must use Zimbra's own sendmail binary (see the next step)
nano /etc/fail2ban/action.d/sendmail.conf
Trocar /usr/bin/sendmail por /opt/zimbra/postfix/sbin/sendmail
# Start fail2ban at boot, then restart it so the new jails and filters are loaded
chkconfig fail2ban on
service fail2ban restart
#fim!