Fail2ban and login_trusted_networks
Hi there.
First of all many thanks to all the people involved in this project for their time, I really appreciate it.
Second my use case:
a) Container running Webmail (roundcube) with dovecot-ident plugin enabled https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-22813107...
b) Container running Dovecot 2.3.4.1 (docker-mailserver-mysql https://github.com/Kedu-SCCL/docker-mailserver-mysql) with fail2ban enabled
Since I need to add the private IP address of the webmail to "login_trusted_networks" to "...allow to override their IP addresses and ports", I can keep logging in to the webmail even if the IP is blocked.
Question: is there any way to:
a) Allow a certain IP range to override its IP address and ports (as in "login_trusted_networks") but
b) Be blocked, as any other incoming connection, by fail2ban?
More context. Once the public IP is banned (8.8.8.8 in this example):
2020-12-21 10:10:31,371 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:31
2020-12-21 10:10:39,189 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:39
2020-12-21 10:10:51,222 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:51
2020-12-21 10:10:52,008 fail2ban.actions [309]: NOTICE [dovecot] Ban 8.8.8.8
I can't reach dovecot by telnet from this public IP:
telnet mail.example.com 143
Trying 9.9.9...
telnet: Unable to connect to remote host: Connection refused
Unless I remove the ban:
docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
Many thanks.
Javier
Hi,
Ideally the webmail has its own logfile, where it also emits error messages containing the IP address of the failed login attempt. This could be as simple as an HTTP 401 error in the nginx/apache logfile on the webmail domain. You can then instruct fail2ban to read that logfile and disallow access to the webmail for the IP address.
In the end, the attempts try to access the webmail, and not the IMAP server directly. So it's better to block access to the webmail/web server.
Kind regards, Tom
On 21-12-2020 11:16, Javi Legido wrote:
Dovecot can log the client IP instead of the connection IP, when the webmail passes this information over using the IMAP ID command, and the webmail server has been added to login_trusted_networks.
The keywords used for this feature are:
x-originating-ip x-originating-port x-connected-ip x-connected-port x-proxy-ttl (hop count)
Aki
On 21/12/2020 14:12 Tom Hendrikx tom@whyscream.net wrote:
Hi there.
Tom, thanks for your reply. Indeed webmail (roundcube) has its own mechanism for consecutive wrong logins, but I would like to have everything centralized in one place (fail2ban in the container running dovecot).
Aki, thanks for your reply. Everything is working as expected, webmail (roundcube) is sending the public IP address (8.8.8.8 in this example) to dovecot, which is logging it like:
Dec 21 13:33:50 mail dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=8.8.8.8, lip=10.163.18.3, mpid=17151, TLS, session=<oXIwgvm2fo9fF1Jz>
On Mon, 21 Dec 2020 at 13:20, Aki Tuomi aki.tuomi@open-xchange.com wrote:
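The following is an added example written for this thread; it is not code from Dovecot, fail2ban, Roundcube or any of the posters. It models the two approaches discussed above in one place: Aki's description of the IMAP ID command (with the keyword list he gives) and of Dovecot honouring the forwarded address only from a peer in login_trusted_networks, and Tom's suggestion of a fail2ban jail that reads the web server's log instead. It then shows why a ban derived from the rip= address does not stop connections that still arrive from the webmail host. Everything here is an assumption made for the example: the trusted network 10.163.18.0/24 is chosen to match the lip= in Javier's log line, the log lines are constructed (the 401 responses are Tom's suggested setup, not observed Roundcube behaviour), and the two regexes are written for this example rather than taken from fail2ban's shipped filters.

```python
"""Added example for this thread (not code from Dovecot, fail2ban or Roundcube).

It models three things discussed above:
  1. the IMAP ID command a webmail host sends to forward the real client
     address, and Dovecot honouring it only from login_trusted_networks;
  2. fail2ban-style failregex matching over a Dovecot login log (rip=) and,
     as Tom suggests, over the web server's access log (HTTP 401);
  3. why a ban on the rip= address does not stop traffic that arrives from
     the trusted webmail address.
All addresses, networks and log lines are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Assumed login_trusted_networks value: the webmail container's subnet,
# chosen to match the lip=10.163.18.3 shown in the thread (constructed).
LOGIN_TRUSTED_NETWORKS = [ipaddress.ip_network("10.163.18.0/24")]

# ID keywords Aki lists as the ones Dovecot reads from a trusted peer.
TRUSTED_ID_KEYWORDS = {"x-originating-ip", "x-originating-port",
                       "x-connected-ip", "x-connected-port", "x-proxy-ttl"}


def build_id_command(originating_ip, originating_port, connected_ip, connected_port):
    """IMAP ID command (RFC 2971 parameter list) as a trusted webmail would send it."""
    fields = [("x-originating-ip", originating_ip),
              ("x-originating-port", str(originating_port)),
              ("x-connected-ip", connected_ip),
              ("x-connected-port", str(connected_port))]
    return "ID (" + " ".join(f'"{k}" "{v}"' for k, v in fields) + ")"


_ID_PAIR = re.compile(r'"([^"]+)"\s+"([^"]*)"')


def parse_id_command(command):
    """Return the key/value pairs of an ID command as a dict (keys lower-cased)."""
    return {k.lower(): v for k, v in _ID_PAIR.findall(command)}


def effective_remote_ip(connection_ip, id_params):
    """Address Dovecot would log as rip=: the forwarded x-originating-ip if the
    TCP peer is inside login_trusted_networks, otherwise the peer itself."""
    peer = ipaddress.ip_address(connection_ip)
    trusted = any(peer in net for net in LOGIN_TRUSTED_NETWORKS)
    if trusted and "x-originating-ip" in id_params:
        return id_params["x-originating-ip"]
    return connection_ip


# failregex-style patterns written for this example; <host> plays the role
# of fail2ban's <HOST> tag.
DOVECOT_FAIL = re.compile(
    r"imap-login: (?:Disconnected|Aborted login) \(auth failed.*?rip=(?P<host>[^,]+)")
NGINX_401 = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "POST /\S* HTTP/[\d.]+" 401 ')


def ban_candidates(log_lines, failregex, maxretry=3):
    """IPs whose matching failures reach maxretry, the way a jail would pick them."""
    counts = Counter()
    for line in log_lines:
        m = failregex.search(line)
        if m:
            counts[m.group("host")] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def ban_blocks_connection(banned_ip, connection_ip):
    """A firewall ban matches the TCP source address; rip= plays no part in it."""
    return banned_ip == connection_ip


# Constructed sample logs. Three Dovecot failures carry rip=8.8.8.8 because the
# webmail (10.163.18.5) forwarded it; the successful login line must not match.
DOVECOT_LOG = [
    "Dec 21 13:30:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user1@example.com>, method=PLAIN, rip=8.8.8.8, lip=10.163.18.3, TLS, session=<c1>",
    "Dec 21 13:30:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user1@example.com>, method=PLAIN, rip=8.8.8.8, lip=10.163.18.3, TLS, session=<c2>",
    "Dec 21 13:30:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user1@example.com>, method=PLAIN, rip=8.8.8.8, lip=10.163.18.3, TLS, session=<c3>",
    "Dec 21 13:31:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user2@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.163.18.3, TLS, session=<c4>",
    "Dec 21 13:33:50 mail dovecot: imap-login: Login: user=<user1@example.com>, method=PLAIN, rip=8.8.8.8, lip=10.163.18.3, mpid=17151, TLS, session=<c5>",
]
NGINX_LOG = [
    '8.8.8.8 - - [21/Dec/2020:13:30:01 +0000] "POST /?_task=login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '8.8.8.8 - - [21/Dec/2020:13:30:09 +0000] "POST /?_task=login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '8.8.8.8 - - [21/Dec/2020:13:30:20 +0000] "POST /?_task=login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2020:13:32:00 +0000] "POST /?_task=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    cmd = build_id_command("8.8.8.8", 51234, "203.0.113.10", 993)
    params = parse_id_command(cmd)
    print("rip from trusted peer  :", effective_remote_ip("10.163.18.5", params))
    print("rip from untrusted peer:", effective_remote_ip("198.51.100.7", params))
    for name, log, rx in (("dovecot", DOVECOT_LOG, DOVECOT_FAIL),
                          ("nginx", NGINX_LOG, NGINX_401)):
        for ip in ban_candidates(log, rx):
            print(f"{name}: ban {ip}; stops webmail traffic from 10.163.18.5? "
                  f"{ban_blocks_connection(ip, '10.163.18.5')}")
```

Running it shows both jails selecting 8.8.8.8, and the same check showing that a firewall ban on 8.8.8.8 stops only direct IMAP connections from that address (the refused telnet in the thread) while the webmail's connections, which arrive from the trusted 10.163.18.5, are untouched. The untrusted-peer case also shows why the override is restricted to login_trusted_networks: an arbitrary client sending the same ID command cannot rewrite the address Dovecot logs.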