For sharing passwords easily
fail2ban on Ubuntu 18.04
sudo apt-get install fail2ban
then create the file /etc/fail2ban/jail.local
and enable some of the jails that already ship with fail2ban:
[apache-badbots]
enabled = true
[apache-auth]
enabled = true
[apache-noscript]
enabled = true
[apache-botsearch]
enabled = true
[sshd]
enabled = false
sudo fail2ban-client status
for ZIMBRA, create a dedicated filter:
/etc/fail2ban/filter.d/zimbra-submission.conf
[Definition]
#
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
ignoreregex =
and another one, zimbra.conf:
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
then in jail.local (not jail.conf, which is overwritten when the package is upgraded):
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra-submission
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
a jail for Postfix as well, since Postfix does the mail transfer for Zimbra:
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
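Before enabling the jails it is worth checking that the two filters above actually match what the logs contain. The following is an added example written for this edit, not code from the original notes or from fail2ban itself: it applies the failregex lines of both filters to constructed sample log entries (shaped like mailbox.log, audit.log and /var/log/zimbra.log, but not copied from a real server) and counts failures per source host the way fail2ban does before a host reaches `maxretry`. The `<HOST>` expansion is an approximation of what fail2ban substitutes and is an assumption, as are the sample lines and the helper names.

```python
import re
from collections import defaultdict

# Assumption: roughly what fail2ban 0.9 substitutes for <HOST>, an optional
# IPv4-mapped IPv6 prefix followed by a host/IP captured as the group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines of the two filters above, one pattern per list entry.
ZIMBRA_SUBMISSION = [
    r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
    r"postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$",
]
ZIMBRA = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]


def compile_filter(patterns):
    """Expand <HOST> and compile each failregex line of a filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def failed_hosts(lines, patterns):
    """Count matching lines per source host (fail2ban's failure counter,
    without the findtime window). A line counts at most once."""
    compiled = compile_filter(patterns)
    counts = defaultdict(int)
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return dict(counts)


def to_ban(counts, maxretry=5):
    """Hosts that reached the jail's maxretry and would be passed to the action."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample lines shaped like mailbox.log / audit.log entries.
# 203.0.113.7 trips each of the first five Zimbra patterns exactly once.
MAILBOX_LOG = [
    "2019-03-03 10:00:00,101 INFO  [qtp-1] [ip=203.0.113.7;] account - authentication failed for alice@example.com (no such account)",
    "2019-03-03 10:00:01,202 WARN  [ImapServer-2] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for alice@example.com, invalid password;",
    "2019-03-03 10:00:02,303 WARN  [qtp-3] [name=admin;oip=203.0.113.7;ua=zclient/8.8;] security - cmd=Auth; account=admin; protocol=soap; error=authentication failed for admin invalid password;",
    "2019-03-03 10:00:03,404 INFO  [qtp-4] [oip=203.0.113.7;ua=zclient/8.8;] SoapEngine - handler exception: authentication failed for bob@example.com, account not found",
    "2019-03-03 10:00:04,505 WARN  [qtp-5] [name=admin;ip=203.0.113.7;ua=ZimbraWebClient - GC87 (Win)/8.8.15;] security - cmd=AdminAuth; account=admin; error=authentication failed for admin;",
    "Mar  3 10:00:05 mail postfix/smtpd[2222]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<nobody@example.com> proto=ESMTP helo=<x>",
    # a successful login must not be counted
    "2019-03-03 10:00:06,606 INFO  [qtp-6] [ip=192.0.2.10;] security - cmd=Auth; account=carol@example.com; protocol=imap;",
]

# Constructed sample lines shaped like /var/log/zimbra.log (Postfix via syslog).
ZIMBRA_LOG = [
    "Mar  3 10:01:00 mail postfix/submission/smtpd[3333]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure",
    "Mar  3 10:01:01 mail postfix/smtps/smtpd[3334]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 10:01:02 mail postfix/submission/smtpd[3335]: warning: host.example.net[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    # a plain connect line must not be counted
    "Mar  3 10:01:03 mail postfix/submission/smtpd[3336]: connect from host.example.net[192.0.2.10]",
]

if __name__ == "__main__":
    zimbra_counts = failed_hosts(MAILBOX_LOG, ZIMBRA)
    print(zimbra_counts)                                 # {'203.0.113.7': 5, '198.51.100.9': 1}
    print(to_ban(zimbra_counts))                         # ['203.0.113.7']
    print(failed_hosts(ZIMBRA_LOG, ZIMBRA_SUBMISSION))   # {'198.51.100.9': 2, '192.0.2.10': 1}
```

On the server itself the same check is done with fail2ban's own tool, for example `fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra.conf`, which reports how many lines each failregex matched; a filter whose lines never match (a changed log format, a stripped `*` or `\` in the regex) leaves the jail enabled but silently useless.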
I modified the file /etc/fail2ban/action.d/sendmail.conf
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
And it works:
fail2ban-client status zimbra-recipient
Status for the jail: zimbra-recipient
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/zimbra.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   212.70.149.69
Interesting article on password policy
A method for monitoring website files or a directory
a Python script to monitor files and directories
A Python class for manipulating iptables
Very good site for blocking IPs by country
example of a generated .htaccess file (Apache 2.2 `Order`/`Deny` syntax; on Apache 2.4 these directives need mod_access_compat, otherwise use `<RequireAll>` with `Require not ip`):
#Copyright 2016 COUNTRY IP BLOCKS™ LLC
#all rights reserved.
#This list may not be redistributed in any form.
#this list includes network data on the following countries:
#CHINA
<Limit GET POST>
order allow,deny
deny from 1.0.1.0/24
deny from 1.0.2.0/23
deny from 1.0.8.0/21
deny from 1.0.32.0/19
deny from 1.1.0.0/24
...
allow from all
</Limit>
A sandbox for Linux that runs applications in isolation.
$ firejail firefox # starting Mozilla Firefox
$ firejail transmission-gtk # starting Transmission BitTorrent
$ firejail vlc # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start # starting nginx web server
To keep handy
for awareness-raising
Oops
Ouch
A list of useful software for malware removal and other tasks