Introduction
This document describes the "Potential Directory Harvest Attack" error message received on the Cisco Email Security Appliance (ESA).
What does the "Potential Directory Harvest Attack detected" warning message mean?
ESA administrators receive the following Directory Harvest Attack Prevention (DHAP) warning message:
The Warning message is:
Potential Directory Harvest Attack detected. See the system mail logs for more
information about this attack.
Version: 8.0.1-023
Serial Number: XXBAD1112DYY-008X011
Timestamp: 22 Sep 2014 21:21:32 -0600
These alerts are informational; you do not need to take any action. An external mail server attempted too many invalid recipients and triggered the DHAP (Directory Harvest Attack Prevention) alert. The ESA enforces this according to the mail policy configuration.
The threshold is the maximum number of invalid recipients per hour that the listener accepts from a single remote host. It represents the total number of RAT rejections and SMTP Call-Ahead server rejections, plus the total number of messages to invalid LDAP recipients that are dropped in the SMTP conversation or bounced in the work queue (as configured in the LDAP accept settings of the associated listener). For more information about configuring DHAP for LDAP accept queries, see the "LDAP Queries" chapter of the Email Security User Guide.
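The following is an added example, not Cisco code, that models the counting rule just described: a per-host sliding one-hour counter in which only RAT rejections, Call-Ahead rejections and invalid LDAP recipients count toward the DHAP limit, with the default of 25 from the policy shown later on this page. The hosts, timestamps and outcomes are constructed sample data.

```python
# Added example: a model of the DHAP per-host hourly counter described above.
# It is NOT Cisco's implementation; it only applies the stated rule that the
# per-host threshold counts RAT rejections, SMTP Call-Ahead rejections and
# invalid LDAP recipients (dropped in-session or bounced from the work queue)
# over a one-hour window. All event records below are constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Outcomes that count toward the DHAP invalid-recipient threshold.
INVALID_OUTCOMES = {"rat_reject", "callahead_reject", "ldap_invalid"}


class DhapCounter:
    """Sliding one-hour count of invalid recipients per remote host."""

    def __init__(self, max_invalid_per_hour=25, window=timedelta(hours=1)):
        self.limit = max_invalid_per_hour
        self.window = window
        self._events = defaultdict(deque)  # host -> timestamps of invalid rcpts

    def record(self, host, when, outcome):
        """Record one RCPT TO outcome; return True if the host exceeded the limit."""
        if outcome not in INVALID_OUTCOMES:
            return False  # accepted recipients never count against DHAP
        q = self._events[host]
        q.append(when)
        # Drop entries that fell out of the one-hour window.
        while q and when - q[0] >= self.window:
            q.popleft()
        return len(q) > self.limit

    def invalid_count(self, host):
        return len(self._events[host])


def replay(events, limit=25):
    """Return the set of hosts that exceeded the per-hour invalid-recipient limit."""
    counter = DhapCounter(limit)
    flagged = set()
    for host, ts, outcome in events:
        if counter.record(host, datetime.fromisoformat(ts), outcome):
            flagged.add(host)
    return flagged


# Constructed sample: one host probing 30 bad recipients in 30 minutes,
# one host with a handful of invalid LDAP recipients spread over the hour.
SAMPLE = (
    [("192.0.2.10", f"2014-09-22T21:{i:02d}:00", "rat_reject") for i in range(30)]
    + [("198.51.100.7", f"2014-09-22T21:{i * 10:02d}:00", "ldap_invalid") for i in range(6)]
    + [("198.51.100.7", "2014-09-22T21:30:00", "accepted")]
)
```

With the default limit of 25, only the probing host is flagged; raising the limit above 30 flags nothing.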
If you do not want to receive these alerts, you can use alertconfig to adjust the alert profile and filter them out:
myesa.local> alertconfig
Sending alerts to:
robert@domain.com
Class: All - Severities: All
Initial number of seconds to wait before sending a duplicate alert: 300
Maximum number of seconds to wait before sending a duplicate alert: 3600
Maximum number of alerts stored in the system are: 50
Alerts will be sent using the system-default From Address.
Cisco IronPort AutoSupport: Enabled
You will receive a copy of the weekly AutoSupport reports.
Choose the operation you want to perform:
- NEW - Add a new email address to send alerts.
- EDIT - Modify alert subscription for an email address.
- DELETE - Remove an email address.
- CLEAR - Remove all email addresses (disable alerts).
- SETUP - Configure alert settings.
- FROM - Configure the From Address of alert emails.
[]> edit
Please select the email address to edit.
1. robert@domain.com (all)
[]> 1
Choose the Alert Class to modify for "robert@domain.com".
Press Enter to return to alertconfig.
1. All - Severities: All
2. System - Severities: All
3. Hardware - Severities: All
4. Updater - Severities: All
5. Outbreak Filters - Severities: All
6. Anti-Virus - Severities: All
7. Anti-Spam - Severities: All
8. Directory Harvest Attack Prevention - Severities: All
Alternatively, from the GUI under System Administration > Alerts > Recipient Address, change the severities of the alerts received, or change the alert subscription entirely.
GUI
To view your DHAP configuration parameters from the GUI, click Mail Policies > Mail Flow Policies, then click the name of the policy to edit (or Default Policy Parameters), and change the Mail Flow Limits / Directory Harvest Attack Prevention (DHAP) section as needed:
Submit and commit the changes made in the GUI.
CLI
To view your DHAP configuration parameters from the CLI, use listenerconfig > edit (select the number of the listener to edit) > hostaccess > default to edit the DHAP settings:
Default Policy Parameters
==========================
Maximum Message Size: 10M
Maximum Number Of Concurrent Connections From A Single IP: 10
Maximum Number Of Messages Per Connection: 10
Maximum Number Of Recipients Per Message: 50
Directory Harvest Attack Prevention: Enabled
Maximum Number Of Invalid Recipients Per Hour: 25
Maximum Number Of Recipients Per Hour: Disabled
Maximum Number of Recipients per Envelope Sender: Disabled
Use SenderBase for Flow Control: Yes
Spam Detection Enabled: Yes
Virus Detection Enabled: Yes
Allow TLS Connections: No
Allow SMTP Authentication: No
Require TLS To Offer SMTP authentication: No
DKIM/DomainKeys Signing Enabled: No
DKIM Verification Enabled: No
SPF/SIDF Verification Enabled: No
DMARC Verification Enabled: No
Envelope Sender DNS Verification Enabled: No
Domain Exception Table Enabled: No
Accept untagged bounces: No
There are currently 5 policies defined.
There are currently 8 sender groups.
Choose the operation you want to perform:
- NEW - Create a new entry.
- EDIT - Modify an entry.
- DELETE - Remove an entry.
- MOVE - Move an entry.
- DEFAULT - Set the defaults.
- PRINT - Display the table.
- IMPORT - Import a table from a file.
- EXPORT - Export the table to a file.
- RESET - Remove senders and set policies to system default.
[]> default
Enter the default maximum message size. Add a trailing k for kilobytes, M for
megabytes, or no letter for bytes.
[10M]>
Enter the maximum number of concurrent connections allowed from a single
IP address.
[10]>
Enter the maximum number of messages per connection.
[10]>
Enter the maximum number of recipients per message.
[50]>
Do you want to override the hostname in the SMTP banner? [N]>
Would you like to specify a custom SMTP acceptance response? [N]>
Would you like to specify a custom SMTP rejection response? [N]>
Do you want to enable rate limiting per host? [N]>
Do you want to enable rate limiting per envelope sender? [N]>
Do you want to enable Directory Harvest Attack Prevention per host? [Y]>
Enter the maximum number of invalid recipients per hour from a remote host.
[25]>
Select an action to apply when a recipient is rejected due to DHAP:
1. Drop
2. Code
[1]>
Would you like to specify a custom SMTP DHAP response? [Y]>
Enter the SMTP code to use in the response. 550 is the standard code.
[550]>
Enter your custom SMTP response. Press Enter on a blank line to finish.
Would you like to use SenderBase for flow control by default? [Y]>
Would you like to enable anti-spam scanning? [Y]>
Would you like to enable anti-virus scanning? [Y]>
Do you want to allow encrypted TLS connections?
1. No
2. Preferred
3. Required
4. Preferred - Verify
5. Required - Verify
[1]>
Would you like to enable DKIM/DomainKeys signing? [N]>
Would you like to enable DKIM verification? [N]>
Would you like to change SPF/SIDF settings? [N]>
Would you like to enable DMARC verification? [N]>
Would you like to enable envelope sender verification? [N]>
Would you like to enable use of the domain exception table? [N]>
Do you wish to accept untagged bounces? [N]>
If you make any updates or changes, return to the main CLI prompt and commit all changes.
Related Information