Mail/MTA/Zimbra: difference between revisions
[[Fichier:LogoZimbra.png]]
== Installation ==
* [[MTA/Zimbra/Install|Installation]]
== Webmail ==
* User guide for the [[Mail/MUA/ZimbraWebmail|Zimbra webmail]]
== Tips ==
* [[MTA/Zimbra/Webmail/Tips/RedirectHttpTrafficToHttps|Redirecting HTTP to HTTPS for the webmail]]
* [[MTA/Zimbra/Webmail/Tips/Optimize|Resource optimisation]]
* [[MTA/Zimbra/Webmail/Tips/ModifyAttachedFileSize|Changing the maximum attachment size]]
* [[MTA/Zimbra/Webmail/Tips/RenewCert|Renewing the certificates]]
== Brute-force protection for Zimbra with OSSEC ==
From the Zimbra forum<ref>Webmail/Tips/Optimize#Ralentir_le_traffic_sortant_pour_certains_domaines</ref>:
Once OSSEC has been installed, one needs to update the decoder rules on the OSSEC hub, located at <ossec_path>/etc/local_decoder.xml
<syntaxhighlight lang="xml">
<!--
  Zimbra OSSEC decoders for mailbox.log.
  In OSSEC's regex dialect "|" separates complete alternative patterns (a bare
  "INFO" alternative would match any line containing INFO anywhere), so each
  alternative repeats the full timestamp prefix. A plain "." is a literal dot in
  this dialect, which is why \d+.\d+.\d+.\d+ matches a dotted IPv4 address.
-->
<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ INFO</prematch>
</decoder>

<!-- PreAuth failure: user and client IP come from the [name=...;ip=...;] context -->
<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<!-- PreAuth success: same context fields; the line ends right after the admin field -->
<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<!-- Unknown account: the SOAP context carries no name=, only oip= (client IP),
     so the account is taken from the exception message instead -->
<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<!-- Wrong password for an existing account -->
<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password$</prematch>
  <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>
</syntaxhighlight>
Now we have to tell OSSEC about the rules we wish to generate, so one would update <ossec_path>/rules/local_rules.xml
<syntaxhighlight lang="xml">
<!-- Zimbra Rules -->
<group name="zimbra,">
  <!-- Base rule: every line the "zimbra" decoder recognised; level 0 means no alert -->
  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>
  <!-- Must carry zimbra_failures as well: otherwise password guessing against a
       valid account never reaches the brute-force rule below -->
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,zimbra_failures,</group>
  </rule>
  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch;$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>
  <!-- A failed PreAuth line also contains "cmd=PreAuth"; the regex restricts this
       rule to lines that end right after the admin field, i.e. with no error= part -->
  <rule id="100104" level="5">
    <if_sid>100100</if_sid>
    <match>cmd=PreAuth</match>
    <regex>admin=\S+;$</regex>
    <description>Preauth Passed</description>
    <group>preauth_passed,zimbra_passed,</group>
  </rule>
  <!-- Correlated rules: 5 events from the same source IP within 60 seconds -->
  <rule id="100110" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Potential Brute Force Attack</description>
  </rule>
  <rule id="100111" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_passed</if_matched_group>
    <same_source_ip />
    <description>Zimbra Excessive Pre-Authentication Passes</description>
  </rule>
</group>
</syntaxhighlight>
One must also instruct OSSEC to monitor the necessary Zimbra files, which is done by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf
<syntaxhighlight lang="xml">
<!-- The name attribute must be the agent name the Zimbra server was registered
     with on the hub (manage_agents), otherwise this block is ignored -->
<agent_config name="whatever_you_called_your_zimbra_server">
  <!-- mailbox.log: authentication, PreAuth and SOAP events used by the decoders -->
  <localfile>
    <location>/opt/zimbra/log/mailbox.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/opt/zimbra/log/audit.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <!-- Zimbra's syslog output (Postfix, amavis, ...) -->
  <localfile>
    <location>/var/log/zimbra.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
</syntaxhighlight>
One will then need to restart OSSEC on the hub:
<syntaxhighlight lang="bash">
service ossec restart
</syntaxhighlight>
== Useful commands ==
* [[MTA/Zimbra/Commands/zmtlsctl|zmtlsctl]]
Latest revision as of 7 March 2014, 14:06