« Mail/MTA/Zimbra »: difference between revisions
Latest revision as of 7 March 2014, 14:06
Installation
Webmail
- Zimbra Webmail user guide
Tips
- Redirecting http to https for the webmail
- Resource optimisation
- Changing the maximum attachment size
- Certificate renewal
Anti brute force for Zimbra with OSSEC
Zimbra forum[1]: Once OSSEC has been installed, one needs to update the decoder rules on the OSSEC hub, located at <ossec_path>/etc/local_decoder.xml
<!--
Zimbra OSSEC
-->
<decoder name="zimbra">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ WARN|INFO</prematch>
</decoder>

<decoder name="zimbra-preauth-failed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+; error=authentication failed for \S+, preauth mismatch;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-preauth-passed">
  <parent>zimbra</parent>
  <prematch offset="after_parent">[\S+] [\S+] security - cmd=PreAuth; account=\S+; admin=\S+;$</prematch>
  <regex>[name=(\S+);ip=(\d+.\d+.\d+.\d+);]</regex>
  <order>user, srcip</order>
</decoder>

<decoder name="zimbra-unknown-account">
  <parent>zimbra</parent>
  <prematch offset="after_parent">account not found$</prematch>
  <regex>[oip=(\d+.\d+.\d+.\d+);\S+] SoapEngine - handler exception: authentication failed for (\S+),</regex>
  <order>srcip, user</order>
</decoder>

<decoder name="zimbra-invalid-password">
  <parent>zimbra</parent>
  <prematch offset="after_parent">invalid password$</prematch>
  <regex>[name=(\S+);oip=(\d+.\d+.\d+.\d+);\S+]</regex>
  <order>user, srcip</order>
</decoder>
Now we have to tell OSSEC about the rules we wish to generate, so one would update <ossec_path>/rules/local_rules.xml. Code:
<!-- Zimbra Rules -->
<group name="zimbra,">
  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>

  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch;$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>

  <rule id="100104" level="5">
    <if_sid>100100</if_sid>
    <match>cmd=PreAuth</match>
    <description>Preauth Passed</description>
    <group>preauth_passed,zimbra_passed,</group>
  </rule>

  <!-- Correlated rules -->
  <rule id="100110" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Potential Brute Force Attack</description>
  </rule>

  <rule id="100111" level="8" frequency="5" timeframe="60">
    <if_matched_group>zimbra_passed</if_matched_group>
    <same_source_ip />
    <description>Zimbra Excessive Pre-Authentication Passes</description>
  </rule>
</group>
One must also tell OSSEC to monitor the necessary Zimbra files, which is done by updating, on the OSSEC hub, the file <ossec_path>/etc/shared/agent.conf. Code:
<agent_config name="whatever_you_called_your_zimbra_server">
  <localfile>
    <location>/opt/zimbra/log/mailbox.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/opt/zimbra/log/audit.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/var/log/zimbra.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
One will then need to restart OSSEC on the hub. Code:
service ossec restart
Useful commands
- [1] Webmail/Tips/Optimize#Ralentir_le_traffic_sortant_pour_certains_domaines
