{"id":3899,"date":"2020-09-08T13:18:33","date_gmt":"2020-09-08T19:18:33","guid":{"rendered":"https:\/\/ugit.siua.ac.cr\/?p=3899"},"modified":"2020-09-08T15:25:58","modified_gmt":"2020-09-08T21:25:58","slug":"zimbra-8-8-medidas-seguridad-ugit","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=3899","title":{"rendered":"Zimbra 8.8: UGIT CT security measures on Debian 10"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>This guide describes the security measures applied to a Debian 10 server running Zimbra.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step#01: Dependencies<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Install a few packages used in the following steps:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-get install make build-essential net-tools git -y<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step#02: Mail test<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>The rkhunter, logwatch and Fail2ban reports configured below all arrive by mail, so first confirm that mail can be sent from the terminal. As root, send a bare message, then one with From, To and Subject headers:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>su root\necho \"Test message sent from the root user\" | sendmail -v admin@siua.ac.cr\n\n{\necho From: admin@siua.ac.cr\necho To: admin@siua.ac.cr\necho Subject: \"This is the subject\"\necho\necho \"This is the message body\"\n} | sendmail -v admin@siua.ac.cr<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step#03: RKhunter<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Download the program: <a href=\"https:\/\/ugit.blog.siua.ac.cr\/Archivos\/rkhunter\/rkhunter-1.4.6.tar.gz\">rkhunter-1.4.6.tar.gz<\/a> (a copy is also kept at <a rel=\"noreferrer noopener\" href=\"\/wp-content\/uploads\/2019\/09\/rkhunter-1.4.6.tar.gz\" target=\"_blank\">\/wp-content\/uploads\/2019\/09\/rkhunter-1.4.6.tar.gz<\/a>).<\/li><li>rkhunter (Rootkit Hunter) is a scanner that runs a series of tests against the system looking for rootkits, backdoors, local exploits and sniffers.<\/li><li>Since this is a locally hosted copy of the tarball rather than the upstream release, compare its checksum with the one published by the rkhunter project before running the installer as root. Debian 10 also ships an rkhunter package if you prefer to install it with apt.<\/li><li>Change into \/tmp so that the downloaded files are removed at the next reboot:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Download the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/ugit.blog.siua.ac.cr\/Archivos\/rkhunter\/rkhunter-1.4.6.tar.gz<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Extract it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>tar -zxf rkhunter-1.4.6.tar.gz<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Enter the directory:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd rkhunter-1.4.6<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Install it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/installer.sh --install<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Check the version:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --versioncheck<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91; Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter version...\n  This version  : 1.4.6\n  Latest version: 1.4.6\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Update the data files:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --update<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91; Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter data files...\n  Checking file mirrors.dat                                  &#91; Updated ]\n  Checking file programs_bad.dat                             &#91; No update ]\n  Checking file backdoorports.dat                            &#91; No update ]\n  Checking file suspscan.dat                                 &#91; No update ]\n  Checking file i18n\/cn                                      &#91; No update ]\n  Checking file i18n\/de                                      &#91; No update ]\n  Checking file i18n\/en                                      &#91; No update ]\n  Checking file i18n\/tr                                      &#91; No update ]\n  Checking file i18n\/tr.utf8                                 &#91; No update ]\n  Checking file i18n\/zh                                      &#91; No update ]\n  Checking file i18n\/zh.utf8                                 &#91; No update ]\n  Checking file i18n\/ja                                      &#91; No update ]\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Create the file-properties database (rkhunter.dat). Run this on a system you trust to be clean, and run it again after every legitimate package upgrade; otherwise the next scan reports the upgraded binaries as changed files.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --propupd<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now the system can be checked:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter -c<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Next, create a monthly cron job that checks the system and mails the warnings.<\/li><li>Create the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/cron.monthly\/rkhunter.sh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n{\necho From: log@siua.ac.cr\necho To: log@siua.ac.cr\necho Subject: \"rkhunter report correo.siua.ac.cr\"\necho\n rkhunter --versioncheck\n rkhunter --update\n rkhunter -c --cronjob --report-warnings-only\n} | sendmail -v log@siua.ac.cr<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Make it executable:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod +x \/etc\/cron.monthly\/rkhunter.sh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To consult the log file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/var\/log\/rkhunter.log<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step#04: Install logwatch<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Logwatch is a customisable log monitoring system. It reviews the system logs over a given period and produces a summary at the requested level of detail, which it can then send by mail as a report. It is very useful for monitoring server activity and spotting abuse, intrusion attempts, resource consumption and so on.<\/li><li>Logwatch installs under \/usr\/share\/logwatch but creates a matching tree in \/etc\/logwatch; every local change should go there, where it overrides the defaults in \/usr\/share\/logwatch.<\/li><li>Install it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-get install logwatch -y<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Copy the stock configuration file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/logwatch\/default.conf\/logwatch.conf \/etc\/logwatch\/conf\/logwatch.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Create the cache directory it requires:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/var\/cache\/logwatch<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/logwatch\/conf\/logwatch.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Change the following values (the stock line is shown first, then X, then the replacement; Range stays as it is):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>--------------------------------------------------------------\nOutput = stdout\nX\nOutput = mail\n--------------------------------------------------------------\nFormat = text\nX\nFormat = html\n--------------------------------------------------------------\nMailTo = root\nX\nMailTo = log@siua.ac.cr\n--------------------------------------------------------------\nMailFrom = Logwatch\nX\nMailFrom = Logwatch_POSEIDON\n--------------------------------------------------------------\nRange = yesterday\nX\nRange = yesterday\n--------------------------------------------------------------\nDetail = Low\nX\nDetail = 8\n--------------------------------------------------------------<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>The daily report is sent by the following cron job; edit it if the schedule or options need changing:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/cron.daily\/00logwatch<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To test it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>logwatch<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step#05: OpenSSH<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Install the service:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install openssh-server openssh-client -y<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Change the port number:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#Port 22\nX\nPort 44<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>By default any system user with a shell can log in over SSH. The first restriction is to refuse root logins altogether; administrators log in with their own account and switch to root afterwards:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#PermitRootLogin prohibit-password\nX\nPermitRootLogin no<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Apply the following settings. sshd uses the first uncommented value it finds for each keyword, so replace the stock line rather than adding a second copy below it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>-----------------------------------------------------------------------\n#Time allowed to complete authentication (2m and 120 seconds are the same value)\n-----------------------------------------------------------------------\n#LoginGraceTime 2m\nX\nLoginGraceTime 120\n\n\n-----------------------------------------------------------------------\n#Check ownership and permissions of the user's files (home directory, ~\/.ssh) before accepting a login\n-----------------------------------------------------------------------\n#StrictModes yes\nX\nStrictModes yes\n\n-----------------------------------------------------------------------\n#Number of authentication attempts allowed before the connection is dropped\n-----------------------------------------------------------------------\n#MaxAuthTries 6\nX\nMaxAuthTries 3\n\n-----------------------------------------------------------------------\n#Maximum number of shell\/sftp sessions allowed per network connection\n-----------------------------------------------------------------------\n#MaxSessions 10\nX\nMaxSessions 10\n\n\n-----------------------------------------------------------------------\n#Allow key-based logins and keep password logins enabled as well\n#(set PasswordAuthentication no to allow keys only)\n-----------------------------------------------------------------------\n#PubkeyAuthentication yes\nX\nPubkeyAuthentication yes\n-----------------------------------------------------------------------\n#PasswordAuthentication yes\nX\nPasswordAuthentication yes\n-----------------------------------------------------------------------\n\n\n-----------------------------------------------------------------------\n#Add at the end of the file: users allowed to connect over SSH\n#(root is part of the common template; with PermitRootLogin no it cannot log in anyway,\n# and zimbra must stay in the list because Zimbra connects as that user, see below)\n-----------------------------------------------------------------------\n#Common server\nAllowUsers root ugit zimbra admin\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>NOTE: the cipher restriction cannot be applied on a Zimbra host, so the following lines are left commented out (not applied):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512\n#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n#MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n#HostKeyAlgorithms ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss,ssh-ed25519<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart the service:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/init.d\/ssh restart<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Zimbra connects to its own host over SSH to collect statistics, so it has to be told that the SSH port changed.<\/li><li>Otherwise it shows the following error:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img fetchpriority=\"high\" decoding=\"async\" width=\"493\" height=\"268\" src=\"\/wp-content\/uploads\/2020\/09\/Seleccion_082.png\" alt=\"\" class=\"wp-image-3890\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2020\/09\/Seleccion_082.png 493w, https:\/\/sada.services\/wp-content\/uploads\/2020\/09\/Seleccion_082-300x163.png 300w\" sizes=\"(max-width: 493px) 100vw, 493px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>su - zimbra\nzmprov ms 'correo.siua.ac.cr' zimbraRemoteManagementPort 44\nzmcontrol restart<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Step#06: Install Fail2ban<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Install it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-get install fail2ban -y<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Copy the stock file (jail.conf is overwritten on upgrades; local changes belong in jail.local):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Find and replace the following (the new bantime is 172800 seconds, i.e. 2 days; ignoreip lists the addresses that must never be banned, so keep 127.0.0.1 and the management networks in it):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ignoreip = 127.0.0.1\/8\nX\nignoreip = 127.0.0.1 10.20.190.0\/24 10.20.200.0\/24 181.193.87.0\/28 10.30.240.0\/24 201.237.206.56\n\n--------------------------------------------------------------\n\nbantime  = 10m\nX\nbantime = 172800\n\n--------------------------------------------------------------\n\nmaxretry = 5\nX\nmaxretry = 3\n\n--------------------------------------------------------------\n\ndestemail = root@localhost\nX\ndestemail = ataques@siua.ac.cr\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add the line:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sendername = METIS_Fail2Ban<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Save the file and close it.<\/li><li>The following command shows which ports the Zimbra services are listening on:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>lsof -i -P -n | grep LISTEN<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Then open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Enable the SSH jail and the two stock Postfix jails:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#*********** SSH  ******************\n#***********************************\n&#91;sshd]\nenabled = true\n\n#***********************************\n#**********  POSTFIX ***************\n#***********************************\n&#91;postfix]\nenabled = true\n\n&#91;postfix-rbl]\nenabled = true\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now create the Zimbra filter:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/zimbra.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add the following content. A filter file takes a single failregex; every pattern goes on its own continuation line of that one option, because a second \"failregex =\" would replace the first:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban configuration file\n#\n# Author: \n#\n# $Revision: 1 $\n#\n&#91;Definition]\n# Option: failregex\n# Notes.: regex to match the password failures messages in the logfile. The\n# host must be matched by a group named \"host\". The tag \"&lt;HOST>\" can\n# be used for standard IP\/hostname matching and is only an alias for\n# (?:::f{4,6}:)?(?P&lt;host>&#91;\\w\\-.^_]+)\n# Values: TEXT\n#\n# Lines 1-5 and 7 match mailbox.log \/ audit.log; line 6 matches the Postfix\n# recipient rejections in mail.log (used by the zimbra-recipient jail).\nfailregex = \\&#91;ip=&lt;HOST>;\\] account - authentication failed for .* \\(no such account\\)$\n            \\&#91;ip=&lt;HOST>;\\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$\n            ;oip=&lt;HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$\n            \\&#91;oip=&lt;HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$\n            WARN .*;ip=&lt;HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$\n            NOQUEUE: reject: RCPT from .*\\&#91;&lt;HOST>\\]: 550 5.1.1 .*: Recipient address rejected:\n            WARN  \\&#91;.*\\] \\&#91;name=.*;ip=&lt;HOST>;ua=.*;\\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;\n\n# .*\\&#91;ip=&lt;HOST>;\\] .* - authentication failed for .* \\(invalid password\\)\n# \n# Option: ignoreregex\n# Notes.: regex to ignore. If this regex matches, the line is ignored.\n# Values: TEXT\n#\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Create the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/sasl.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add to it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban configuration file\n#\n# Author: Yaroslav Halchenko\n#\n# $Revision: 728 $\n#\n&#91;Definition]\n# Option: failregex\n# Notes.: regex to match the password failures messages in the logfile. The\n# host must be matched by a group named \"host\". The tag \"&lt;HOST>\" can\n# be used for standard IP\/hostname matching and is only an alias for\n# (?:::f{4,6}:)?(?P&lt;host>&#91;\\w\\-.^_]+)\n# Values: TEXT\n#\n# Original upstream pattern, kept for reference:\n#failregex = (?i): warning: &#91;-._\\w]+\\&#91;&lt;HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: &#91; A-Za-z0-9+\/]*={0,2})?$\nfailregex = (?i): warning: &#91;-._\\w]+\\&#91;&lt;HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed\\: authentication failure\n \n# Example of a matching line:\n#Jul 31 15:05:45 zimbratest postfix\/smtpd&#91;24158]: warning: host.dominio.cl&#91;X.X.X.X]: SASL PLAIN authentication failed: authentication failure\n# Option: ignoreregex\n# Notes.: regex to ignore. If this regex matches, the line is ignored.\n# Values: TEXT\n#\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add at the end (a multi-line action must have its continuation lines indented; each jail uses its own name so that the iptables chains do not collide):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;zimbra-account]\nenabled = true\nfilter = zimbra\naction = iptables-allports&#91;name=Zimbra-account]\nlogpath = \/opt\/zimbra\/log\/mailbox.log\nbantime = 600\nmaxretry = 5\n\n&#91;zimbra-audit]\nenabled = true\nfilter = zimbra\naction = iptables-allports&#91;name=Zimbra-audit]\nlogpath = \/opt\/zimbra\/log\/audit.log\nbantime = 600\nmaxretry = 5\n\n&#91;zimbra-recipient]\nenabled = true\nfilter = zimbra\naction = iptables-allports&#91;name=Zimbra-recipient]\nlogpath = \/var\/log\/mail.log\nfindtime = 604800\nbantime = 600\nmaxretry = 5\n\n&#91;zimbra-webmail]\nenabled = true\nfilter = zimbra\naction = iptables&#91;name=Zimbra-webmail, port=http, protocol=tcp]\n         mail-whois&#91;name=Zimbra-webmail, dest=admin@siua.ac.cr, sender=ataques@siua.ac.cr]\n#logpath = \/opt\/zimbra\/log\/mailbox.log\nlogpath = \/opt\/zimbra\/log\/audit.log\nmaxretry = 5\n\n\n&#91;postfix]\nenabled = true\nfilter = postfix\naction = iptables-multiport&#91;name=Postfix, port=smtp, protocol=tcp]\nlogpath = \/var\/log\/mail.log\nbantime = 600\nmaxretry = 5 \n\n&#91;sasl-iptables]\nenabled = true\nfilter = sasl\naction = iptables-allports&#91;name=sasl]\nlogpath = \/var\/log\/mail.log\nbantime = 600<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Comment out the stock [postfix] section further up in jail.local, so that the jail is not defined twice:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#&#91;postfix]\n# To use another modes set filter parameter \"mode\" in jail.local:\n#mode    = more\n#port    = smtp,465,submission\n#logpath = %(postfix_log)s\n#backend = %(postfix_backend)s<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart fail2ban:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service fail2ban restart<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To see which jails are enabled:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client status<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Status\n|- Number of jail:\t12\n`- Jail list:\tapache-auth, apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, postfix, postfix-rbl, sshd<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>If a jail defined above (zimbra-account, sasl-iptables, ...) is missing from this list, its section did not load; look for the parse error in \/var\/log\/fail2ban.log.<\/li><li>To see the state of a specific jail:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client status sshd<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Status for the jail: sshd\n|- Filter\n|  |- Currently failed:\t0\n|  |- Total failed:\t0\n|  `- File list:\t\/var\/log\/auth.log\n`- Actions\n   |- Currently banned:\t0\n   |- Total banned:\t0\n   `- Banned IP list:<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To check that the service is active:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status fail2ban<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULT:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>* fail2ban.service - Fail2Ban Service\n   Loaded: loaded (\/lib\/systemd\/system\/fail2ban.service; enabled; vendor preset: enabled)\n   Active: active (running) since Tue 2020-09-08 20:49:06 UTC; 3s ago\n     Docs: man:fail2ban(1)\n  Process: 709623 ExecStop=\/usr\/bin\/fail2ban-client stop (code=exited, status=0\/SUCCESS)\n  Process: 721654 ExecStartPre=\/bin\/mkdir -p \/var\/run\/fail2ban (code=exited, status=0\/SUCCESS)\n Main PID: 719138 (fail2ban-server)\n    Tasks: 0 (limit: 231907)\n   CGroup: \/system.slice\/fail2ban.service\n           > 719138 \/usr\/bin\/python3 \/usr\/bin\/fail2ban-server --async -b -s \/var\/run\/fail2ban\/fail2ban.sock -p \/var\/run\/fail2ban\/fail2ban.pid --loglevel INFO --logtarget \/var\/log\/fail2ban.log --syslogsocket auto\n\nSep 08 20:49:06 correo systemd&#91;1]: Starting Fail2Ban Service...\nSep 08 20:49:06 correo systemd&#91;1]: Started Fail2Ban Service.\nSep 08 20:49:06 correo fail2ban-server&#91;721655]:  Server already running\nSep 08 20:49:06 correo fail2ban-server&#91;721655]:  Async configuration of server failed\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>The last two lines (Server already running, Async configuration of server failed) mean the new instance found a previous server or its socket still present and gave up configuring. Repeat the restart and confirm with fail2ban-client status that the jails you added are listed.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Extra modifications<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>A few further adjustments.<\/li><li>The log level can be inspected and changed if necessary:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client get loglevel<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To change it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client set loglevel {CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG}<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To flush the log:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client flushlogs<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To see how long a ban is kept in the database (default: 86400 seconds):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client get dbpurgeage<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Set it to 2 days, which is 172800 seconds (2880 seconds would be only 48 minutes); note that this value, like the loglevel, is not persisted across restarts unless it is also set in fail2ban.local:<\/strong><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client set dbpurgeage 172800<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Fail2Ban: Centralised UGIT IP blacklist<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>This section describes a database that centralises the attacks seen by all servers with public IPs. Fail2ban runs a custom bash script that sends the details of each attack to the database, and a second script, run on every server each day at 12:00 am, reads the database and adds to the local firewall any IPs it does not block yet.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Client server &#8211; Install MYSQL-CLIENT<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Log in over ssh as \"root\".<\/li><li>Install the dependencies (the script below needs the mysql client, curl, jq and whois):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-get install mysql-client curl jq whois -y\napt-get install curl jq whois -y<\/code><\/pre>\n\n\n\n<p><strong>NOTE: on Debian 10 (Proxmox 6) the first command fails because the mysql-client package no longer exists there (the client is packaged as default-mysql-client or mariadb-client); run the second command for the remaining packages and follow this guide for the client: <\/strong><a href=\"\/?p=1981\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">mysql on debian 10<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Enter the directory:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/etc\/fail2ban\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Find the line:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># The simplest action to take: ban only<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And insert the following before it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>############################################################################################################################################\n################ UGIT ACTION: bans the IP, sends a mail, inserts it into the DB and adds it to the PROXMOX IPSET ##########################\n############################################################################################################################################\n\naction_ugit = %(banaction)s&#91;name=%(__name__)s, bantime=\"%(bantime)s\", port=\"%(port)s\", protocol=\"%(protocol)s\", chain=\"%(chain)s\"]\n              %(mta)s-whois&#91;name=%(__name__)s, sender=\"%(sender)s\", dest=\"%(destemail)s\", protocol=\"%(protocol)s\", chain=\"%(chain)s\"]\n              ip-to-blacklist-ugit<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>The actions performed are:<ul><li>Ban the IP for 2 days (the bantime set above)<\/li><li>Send a mail with the whois information<\/li><li>Run the \"ip-to-blacklist-ugit\" action, which:<ul><li>Checks whether the IP is already in the DB<\/li><li>If it is not, collects information about the IP from freegeoip and whois<\/li><li>Inserts it into the DB<\/li><\/ul><\/li><\/ul><\/li><li>Now make it the default action: find and replace<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>action = %(action_)s\nX\naction = %(action_ugit)s<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Create the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/action.d\/ip-to-blacklist-ugit.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Add the following content (the script receives the banned address as its only argument):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;INCLUDES]\n\nbefore = iptables-common.conf\n\n&#91;Definition]\n\nactionban = \/etc\/fail2ban\/agrega_ip_blacklist-ugit.sh &lt;ip>\n\n&#91;Init]<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart fail2ban:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service fail2ban restart<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Creating the files<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Which file is needed depends on the server and the firewall it runs.<\/strong><\/li><li>Create the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/agrega_ip_blacklist-ugit.sh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Insert the following content (remember to change the connection details):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#! \/bin\/bash\n# Run by the Fail2ban action ip-to-blacklist-ugit with the banned IP as its only argument.\n# Needs the mysql client, curl, jq and whois.\n\n#######################################################################\n#################           PARAMETERS             ####################\n#######################################################################\n#ip_ban=\"119.94.116.145\"\n#The first argument passed to the script\nip_ban=$1\n\n\n#######################################################################\n######################     CONNECTION VARIABLES    ####################\n#######################################################################\nip_servidor=\"FQDN\"            # host name or IP only; a non-default port is passed to mysql with -P\nusuario_servidor=\"nombre_usuario\"\npassword_servidor=\"Pass_usuario\"\nBD_servidor=\"nombre_BD\"\nservidor_atacado=$(hostname -s)\n\n\n\n#######################################################################\n###########   FUNCTION: check whether the IP already exists   #########\n#######################################################################\nfunction verificaExiste () {\n    #$1: database  $2: user  $3: password  $4: host\n    export MYSQL_PWD=$3\n    RESPUESTA=$(mysql $1 -u$2  -h$4 -s &lt;&lt;&lt;\"SELECT IP_SAE_SIGESTIC_BLIP FROM tab_sae_sigetic_blacklist_ips WHERE IP_SAE_SIGESTIC_BLIP = '$ip_ban'\")\n    if &#91;&#91; $RESPUESTA ]]\n    then\n      #Exists\n      true\n    else\n      #Does not exist\n      false\n    fi\n}\n\n\n#######################################################################\n###########        FUNCTION: store the IP in the DB   #################\n#######################################################################\nfunction guardaIP(){\n  ##PARAMETERS\n  #$1:$BD_servidor\n  #$2:$usuario_servidor\n  #$3:$password_servidor\n  #$4:$ip_servidor\n  #$5:$ip_ban\n  #$6:$servidor_atacado\n  Fecha_Hora=`date +\"%Y-%m-%d %T\"`\n  servidor_atacado=$(hostname -s)\n  freegeoip=\"DESCONOCIDO\"\n  ip=\"DESCONOCIDO\"\n  country_code=\"DESCONOCIDO\"\n  country_name=\"DESCONOCIDO\"\n  region_code=\"DESCONOCIDO\"\n  region_name=\"DESCONOCIDO\"\n  city=\"DESCONOCIDO\"\n  latitude=\"DESCONOCIDO\"\n  longitude=\"DESCONOCIDO\"\n  netname=\"DESCONOCIDO\"\n  organization=\"DESCONOCIDO\"\n  responsible=\"DESCONOCIDO\"\n  role=\"DESCONOCIDO\"\n  cidr=\"DESCONOCIDO\"\n  route=\"DESCONOCIDO\"\n\n  #######################################################################\n  ################# P1: query Freegeoip                 #################\n  #######################################################################\n  freegeoip=`curl -s --get http:\/\/anuncios.siua.ac.cr:8080\/json\/$5`\n  #freegeoip=`curl -s --get http:\/\/freegeoip.net\/json\/$5`\n\n  #jq -r prints nothing for a missing field (or an empty response); fall back to a default in that case\n  ip=$(echo \"$freegeoip\" | jq -r '.ip')\n  ip=${ip:-$5}\n  country_code=$(echo \"$freegeoip\" | jq -r '.country_code')\n  country_code=${country_code:-VACIO}\n  country_name=$(echo \"$freegeoip\" | jq -r '.country_name')\n  country_name=${country_name:-DESCONOCIDO}\n  region_code=$(echo \"$freegeoip\" | jq -r '.region_code')\n  region_code=${region_code:-VACIO}\n  region_name=$(echo \"$freegeoip\" | jq -r '.region_name')\n  region_name=${region_name:-DESCONOCIDO}\n  city=$(echo \"$freegeoip\" | jq -r '.city')\n  city=${city:-DESCONOCIDO}\n  latitude=$(echo \"$freegeoip\" | jq -r '.latitude')\n  latitude=${latitude:-10.019816}\n  longitude=$(echo \"$freegeoip\" | jq -r '.longitude')\n  longitude=${longitude:--84.197004}\n\n#printf \"******************************************\\n\"\n#printf \"*********** DATA: FREEGEOIP      *********\\n\"\n#printf \"******************************************\\n\"\n#printf \"ip:${ip}\\n\"\n#printf \"country_code:${country_code}\\n\"\n#printf \"country_name:${country_name}\\n\"\n#printf \"region_code:${region_code}\\n\"\n#printf \"region_name:${region_name}\\n\"\n#printf \"city:${city}\\n\"\n#printf \"latitude:${latitude}\\n\"\n#printf \"longitude:${longitude}\\n\"\n\n\n  #######################################################################\n  #################  P2: query ARIN whois               #################\n  #######################################################################\n  #One whois query; each field is taken from the last matching line of the answer\n  arin=$(whois $5 -h whois.arin.net)\n\n  #netname\n  netname=$(printf '%s\\n' \"$arin\" | grep -i netname: | tail -n 1)\n  netname=${netname#\"NetName:        \"}\n  netname=${netname#\"netname:        \"}\n\n  #organization\n  organization=$(printf '%s\\n' \"$arin\" | grep -i organization: | tail -n 1)\n  organization=${organization#\"Organization:   \"}\n\n  #responsible\n  responsible=$(printf '%s\\n' \"$arin\" | grep -i responsible: | tail -n 1)\n  responsible=${responsible#\"responsible: \"}\n\n  #role\n  role=$(printf '%s\\n' \"$arin\" | grep -i role: | tail -n 1)\n  role=${role#\"role:           \"}\n\n  #cidr\n  cidr=$(printf '%s\\n' \"$arin\" | grep -i cidr: | tail -n 1)\n  cidr=${cidr#\"CIDR:           \"}\n\n  #route\n  route=$(printf '%s\\n' \"$arin\" | grep -i route: | tail -n 1)\n  route=${route#\"route:          \"}\n\n\n#printf \"******************************************\\n\"\n#printf \"***********     DATA: WHOIS      *********\\n\"\n#printf \"******************************************\\n\"\n#printf \"netname:${netname}\\n\"\n#printf \"organization:${organization}\\n\"\n#printf \"responsible:${responsible}\\n\"\n#printf \"role:${role}\\n\"\n#printf \"cidr:${cidr}\\n\"\n#printf \"route:${route}\\n\"\n\n\n  ##########################################################################\n  #####################  P3: PICK THE NAME       ###########################\n  ##########################################################################\n  #First non-empty value wins: netname, organization, responsible, role\n  nombre=${netname:-${organization:-${responsible:-${role:-\"No existe\"}}}}\n\n  ##########################################################################\n  ##################### P4: PICK THE ORGANISATION  #########################\n  ##########################################################################\n  organizacion=${organization:-${netname:-${responsible:-${role:-\"No existe\"}}}}\n\n  ##########################################################################\n  #####################     P5: PICK THE CIDR      #########################\n  ##########################################################################\n  cidr=${cidr:-${route:-\"\"}}\n\n  #These values are interpolated into the SQL statement below, so strip the quote and\n  #backslash characters a whois or geoip field may contain; a stray ' would otherwise\n  #break (or alter) the statement\n  nombre=${nombre\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n  organizacion=${organizacion\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n  cidr=${cidr\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n  city=${city\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n  region_name=${region_name\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n  country_name=${country_name\/\/&#91;\\\\'\\\\\"\\\\\\\\]\/}\n\n\n#printf \"******************************************\\n\"\n#printf \"***********   DATA: PROCESSED      *******\\n\"\n#printf \"******************************************\\n\"\n#printf \"nombre:${nombre}\\n\"\n#printf \"organizacion:${organizacion}\\n\"\n#printf \"cidr:${cidr}\\n\"\n\n\n  ##########################################################################\n  #####################  P6: INSERT INTO MYSQL     #########################\n  ##########################################################################\n  export MYSQL_PWD=$3\n  mysql -u$2 -h$4 -e \"\n  insert into tab_sae_sigetic_blacklist_ips\n    (\n      IP_SAE_SIGESTIC_BLIP,\n      Nombre_Red_SAE_SIGESTIC_BLIP,\n      Organizacion_SAE_SIGESTIC_BLIP,\n      Codigo_Pais_SAE_SIGESTIC_BLIP,\n      Nombre_Pais_SAE_SIGESTIC_BLIP,\n      Codigo_Region_SAE_SIGESTIC_BLIP,\n      Nombre_Region_SAE_SIGESTIC_BLIP,\n      Ciudad_SAE_SIGESTIC_BLIP,\n      CIDR_SAE_SIGESTIC_BLIP,\n      Latitud_SAE_SIGESTIC_BLIP,\n      Longitud_SAE_SIGESTIC_BLIP,\n      Fecha_Hora_SAE_SIGESTIC_BLIP,\n      Servidor_SAE_SIGESTIC_BLIP\n    ) values(\n      '$ip',\n      '$nombre',\n      '$organizacion',\n      '$country_code',\n      '$country_name',\n      '$region_code',\n      '$region_name',\n      '$city',\n      '$cidr',\n      '$latitude',\n      '$longitude',\n      '$Fecha_Hora',\n      '$servidor_atacado'\n    );\" $1 &amp;> \/dev\/null\n\n\n  
true\n}\n\n\n#######################################################################\n############  STEP 1: Check whether the IP is already in the DB ########\n#######################################################################\nprintf \"\\n\"\nprintf \"*********************************************\\n\"\nprintf \"RESULTADO de la IP: $ip_ban\\n\"\nprintf \"*********************************************\\n\"\nif verificaExiste \"$BD_servidor\" \"$usuario_servidor\" \"$password_servidor\" \"$ip_servidor\" \"$ip_ban\"\nthen\n    # Already stored: leave the script\n    printf \"La IP YA EXISTE en la BD, salimos!!\\n\\n\"\n    exit\nelse\n    # Not stored yet: save it, then notify by mail\n    if guardaIP \"$BD_servidor\" \"$usuario_servidor\" \"$password_servidor\" \"$ip_servidor\" \"$ip_ban\" \"$servidor_atacado\"\n    then\n      printf \"La IP ha sido INCLUIDA correctamente!!\\n\\n\"\n\n\n      # HTML body of the notification, built up line by line\n      correo=\"&lt;!DOCTYPE html>\"\n      correo=\"$correo&lt;html>\"\n      correo=\"$correo&lt;head>\"\n      correo=\"$correo&lt;meta http-equiv='Content-Type' content='text\/html; charset=utf-8'>\"\n      correo=\"$correo&lt;meta name='viewport' content='width=device-width, initial-scale=1'>\"\n      correo=\"$correo&lt;title>&#91;BD\/$servidor_atacado\/$ip_ban] &lt;\/title>\"\n      correo=\"$correo&lt;style type='text\/css'>\"\n      correo=\"$correo table, th, td {border: 1px solid black; padding:5px}a{text-decoration: none;}.link:hover {text-decoration: none !important;}@media screen and (min-width: 650px) {.des-pt50 {padding-top: 50px !important;}.des-pb50 {padding-bottom: 50px !important;}.des-mauto {margin: 0px !important;}.des-pb0 {padding-bottom: 0px !important;}.td, .tfoot, .thead {display: table-cell !important;}.table {display: table;\twidth: 100%;}}\"\n      correo=\"$correo&lt;\/style>\"\n      correo=\"$correo&lt;\/head>\"\n      correo=\"$correo&lt;body style='margin:0;padding:0;background: #F8F8F8;' id='body'>\"\n      correo=\"$correo&lt;div class='tac pt10 pb10 pl10 pr10' 
style='padding-top:10px;padding-bottom:10px;padding-right:10px;padding-left:10px;text-align:center;background: #015289;'>\"\n      correo=\"$correo&lt;div class='table' style='max-width: 600px; margin:0 auto;'>\"\n      correo=\"$correo&lt;div class='td w50p vam' style='vertical-align:middle;'>\"\n      correo=\"$correo&lt;img alt='SIUA' border='0' class='pb10 des-mauto des-pb0' src='https:\/\/www.siua.ac.cr\/img\/logo.png' style='display:block;border:0;padding-bottom:10px;margin:0 auto; display: block; color: #ffffff; ' width='125'>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;div class='td w50p vam des-tar' style='vertical-align:middle;'>\"\n      correo=\"$correo&lt;p class='white' style='margin:0;font-size:16px;font-family: Helvetica, Arial, sans-serif;color:#ffffff;'>\"\n      correo=\"$correo Unidad de Gesti\u00f3n e Innovaci\u00f3n Tecnol\u00f3gica\"\n      correo=\"$correo&lt;\/p>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;div class='frame' style='background:#F8F8F8;'>\"\n      correo=\"$correo&lt;div class='pl15 pr15 pt35 des-pt50 pb25 des-pb50' style='padding-right:15px;padding-left:15px;padding-bottom:25px;padding-top:35px;'>\"\n      correo=\"$correo&lt;div class='wrapper pt35 pb35 pl35 pr35 box' style='padding-top:35px;padding-bottom:35px;padding-right:35px;padding-left:35px;max-width:600px;margin:0 auto;text-align:center;mso-element-frame-width:800px;mso-element:para-border-div;mso-element-left:center;mso-element-wrap:no-wrap-beside;mso-padding-top-alt:50px;background:#ffffff;border-radius:10px;'>\"\n      correo=\"$correo&lt;h2 class='fsz30 lh36 bold pt25 pb15 mso-mb15' style='font-family:Helvetica, Arial, sans-serif;margin:0;padding-bottom:15px;padding-top:25px;color:#353a3e;font-family:Helvetica, Arial, sans-serif;font-weight:bold;font-size:30px;line-height:36px;mso-margin-bottom-alt:15px;'>\"\n      correo=\"$correo IPs Incluidas en 
BD\"\n      correo=\"$correo&lt;\/h2>\"\n      correo=\"$correo&lt;p class='fsz16 lh24 mso-mb25' style='margin:0;color:#777777;font-family:Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;mso-margin-bottom-alt:25px;'>\"\n      correo=\"$correo&lt;table style='width:100%; background-color:#FFFFFF;border-collapse: collapse;align:center'>\"\n      correo=\"$correo&lt;tr style='text-align:center; background-color:#015289;color:#ffffff;'>\"\n      correo=\"$correo&lt;td>IP&lt;\/td>\"\n      correo=\"$correo&lt;td>Fecha y Hora&lt;\/td>\"\n      correo=\"$correo&lt;td>Organizaci\u00f3n&lt;\/td>\"\n      correo=\"$correo&lt;\/tr>\"\n      correo=\"$correo&lt;tr style='text-align:center; background-color:#FFFFFF;color:#333333;'>\"\n      correo=\"$correo&lt;td>$ip_ban&lt;\/td>\"\n      correo=\"$correo&lt;td>$Fecha_Hora&lt;\/td>\"\n      # $organizacion comes straight from whois and is placed in the HTML unescaped\n      correo=\"$correo&lt;td>$organizacion&lt;\/td>\"\n      correo=\"$correo&lt;\/tr>\"\n      correo=\"$correo&lt;\/table>\"\n      correo=\"$correo&lt;\/p>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;\/div>\"\n      correo=\"$correo&lt;\/body>\"\n      correo=\"$correo&lt;\/html>\"\n\n\n      # Headers first, then an empty line, then the body: the empty line is\n      # what separates the two in the message handed to sendmail\n      {\n        echo \"From: ataques@siua.ac.cr\"\n        echo \"To: ataques@siua.ac.cr\"\n        echo \"MIME-Version: 1.0\"\n        echo \"Content-Type: text\/html; charset=utf-8\"\n        echo \"Subject: fail2ban Ataque $servidor_atacado\/$ip_ban\"\n        echo\n        echo \"$correo\"\n      } | sendmail -v ataques@siua.ac.cr\n\n\n\n      exit\n    else\n      printf \"La IP NO se agrego correctamente por favor verifiquela!!\\n\\n\"\n      echo \"Problema al agregar IP: $ip_ban\" | mail -s \"&#91;ERROR_AB_$servidor_atacado]: $ip_ban\" interuniversitariadealajuela@gmail.com\n      exit\n    fi\n\nfi<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now make the script executable. fail2ban runs it as root, so it must belong to root and be writable by root alone: the usual chmod 777 would let any local user edit a script that root executes. Read, write and execute for the owner is all the action needs:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>chown root:root \/etc\/fail2ban\/agrega_ip_blacklist-ugit.sh\nchmod 700 \/etc\/fail2ban\/agrega_ip_blacklist-ugit.sh<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Here 
you can test it by running the script directly with an IP of your choosing:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/fail2ban\/agrega_ip_blacklist-ugit.sh 124.7.227.107<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Customize the ban message<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/action.d\/sendmail-whois.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Go to the actionban section and look at the message it currently sends<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Leave it like this (the fragment is the end of the actionban command; the &lt;ip>, &lt;failures>, &lt;name>, &lt;sender> and &lt;dest> tags are fail2ban placeholders and stay as they are):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>            Hola UGIT,\\n\n            **************************************************\n            La IP &lt;ip> ha sido baneada por Fail2ban despues de:\n            &lt;failures> intentos fallidos por &lt;name>.\\n\\n\n            **************************************************\n            Aqui hay mas informacion acerca de la ip: &lt;ip> :\\n\n            `\/usr\/bin\/whois &lt;ip> || echo missing whois program`\\n\n            Saludos,\\n\n            UGIT\" | \/usr\/sbin\/sendmail -f &lt;sender> &lt;dest><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart the service<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service fail2ban restart<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To check the timeout of an action (60 seconds by default):<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client get sshd action ip-to-blacklist-ugit timeout<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Raise it to 300 seconds.<\/strong> fail2ban kills the action command when the timeout expires, and this script does a whois lookup, a geoip lookup, a database insert and sends mail, which together can take longer than 60 seconds:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-client set sshd action ip-to-blacklist-ugit timeout 300<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>If needed, customize the subject of the other notification mails as well<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd 
\/etc\/fail2ban\/action.d\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open each of these files<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano sendmail-whois-ipjailmatches.conf\nnano sendmail-whois-ipmatches.conf\nnano sendmail-whois-lines.conf\nnano sendmail-whois-matches.conf\nnano sendmail-whois.conf\nnano sendmail.conf\nnano sendmail-buffered.conf\nnano sendmail-common.conf\nnano sendmail-geoip-lines.conf\nnano mail.conf\nnano mail-whois.conf\nnano mail-whois-lines.conf\nnano mail-buffered.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>and in each one change the subject prefix, replacing the first line below with the second<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Fail2Ban]\n&#91;fail2ban_CORREO]<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart the service<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service fail2ban restart<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To follow the fail2ban log<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/fail2ban.log<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This guide explains the security measures implemented on a Debian 10 server with Zimbra Step#01: Dependencies We install some dependencies STEP#02: mail test to check that we can send an email from the terminal, as the root user we run Step#03: RKhunter Download the program: rkhunter-1.4.6.tar.gz Install rkhunter&nbsp;which is a scanner that analyzes and searches our 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[236],"tags":[242,237],"class_list":["post-3899","post","type-post","status-publish","format-standard","hentry","category-zimbra","tag-seguridad","tag-zimbra-8"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/3899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3899"}],"version-history":[{"count":20,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/3899\/revisions"}],"predecessor-version":[{"id":3921,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/3899\/revisions\/3921"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
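The P3 to P6 steps of guardaIP above (network name, organisation and CIDR chosen from the whois answer, then spliced into the INSERT) are the part of the script worth exercising without a database or a network connection. The block below is an added example written for this page, not the UGIT script itself: its function names (whois_field, first_field, resolve_name, resolve_org, resolve_cidr, sql_escape, build_insert) are this example's own, both whois answers are constructed (documentation address ranges, invented organisations), the table and column names are the ones the script uses, and the geoip columns are left out. It shows the fallback order producing a value for both answer styles and why the values must be escaped before they go inside the SQL literals: an organisation name carrying an apostrophe or a backslash, which whois can legitimately return, breaks an unescaped INSERT.

```bash
#!/usr/bin/env bash
# Added example, not part of the page's own script: it reproduces the field
# selection that guardaIP applies to an ARIN whois answer (network name:
# NetName > Organization > responsible > role; organisation: Organization
# first; CIDR: CIDR > route) and builds the INSERT with every value escaped
# for a MySQL string literal. whois and geoip answers are data that outside
# parties control, so a quote or backslash in them must never reach the
# statement raw. Everything here runs offline on constructed answers; the
# addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation
# ranges and the organisations are invented.

# whois_field FIELD TEXT: value of the last "FIELD: value" line in TEXT,
# matched case-insensitively, with the label and its padding removed.
whois_field() {
  printf '%s\n' "$2" | grep -i "^$1:" | tail -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# first_field TEXT FIELD...: value of the first FIELD that has one;
# exit status 1 when none of them is present.
first_field() {
  local text=$1 f v
  shift
  for f in "$@"; do
    v=$(whois_field "$f" "$text")
    if [ -n "$v" ]; then
      printf '%s' "$v"
      return 0
    fi
  done
  return 1
}

# The three lookups with the page's preference order and its placeholders.
resolve_name() { first_field "$1" NetName Organization responsible role || printf 'No existe'; }
resolve_org()  { first_field "$1" Organization NetName responsible role || printf 'No existe'; }
resolve_cidr() { first_field "$1" CIDR route || true; }

# sql_escape VALUE: double backslashes first, then single quotes, so VALUE
# is safe between the quotes of a MySQL string literal.
sql_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# build_insert I TEXT SERVER: the statement guardaIP hands to "mysql -e",
# reduced to the columns this example resolves.
build_insert() {
  printf "INSERT INTO tab_sae_sigetic_blacklist_ips (IP_SAE_SIGESTIC_BLIP, Nombre_Red_SAE_SIGESTIC_BLIP, Organizacion_SAE_SIGESTIC_BLIP, CIDR_SAE_SIGESTIC_BLIP, Servidor_SAE_SIGESTIC_BLIP) VALUES ('%s', '%s', '%s', '%s', '%s');" \
    "$(sql_escape "$1")" \
    "$(sql_escape "$(resolve_name "$2")")" \
    "$(sql_escape "$(resolve_org "$2")")" \
    "$(sql_escape "$(resolve_cidr "$2")")" \
    "$(sql_escape "$3")"
}

# Constructed ARIN-style answer; the apostrophe in the organisation is the
# character that breaks an unescaped INSERT.
SAMPLE_ARIN=$(cat <<'EOF'
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
Organization:   O'Example Hosting, Inc. (EXHO)
OrgAbuseEmail:  abuse@example.net
EOF
)

# Constructed answer in the "key: value" RIPE style with no NetName, no
# Organization and no CIDR line, so name and organisation fall through to
# role and the prefix comes from route; the backslash in role is a second
# character the escaping has to handle.
SAMPLE_RIPE=$(cat <<'EOF'
inetnum:        198.51.100.0 - 198.51.100.255
role:           NOC Example\Ltd
route:          198.51.100.0/24
EOF
)

build_insert 203.0.113.7 "$SAMPLE_ARIN" mail.example.net; echo
build_insert 198.51.100.9 "$SAMPLE_RIPE" mail.example.net; echo
```

Run it with bash and it prints the two statements. Backslashes are doubled before the quotes are doubled because MySQL treats a backslash inside a string literal as an escape character by default, so a value ending in a backslash would otherwise escape the closing quote; under the NO_BACKSLASH_ESCAPES SQL mode the doubled backslash is simply stored as two characters, a cosmetic problem rather than an injection.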