Fail2ban and login_trusted_networks

Tom Hendrikx tom at whyscream.net
Mon Dec 21 14:12:51 EET 2020


Hi,

Ideally the webmail has its own logfile, where it also emits error 
messages containing the ip-address of the failed login attempt. This 
could be as simple as an HTTP 401 error in the nginx/apache logfile on 
the webmail domain. You can then instruct fail2ban to read that logfile 
and disallow access to the webmail for the ip address.

In the end, the attempts try to access the webmail, and not the IMAP 
server directly. So it's better to block access to the webmail/web server.

Kind regards,
	Tom

On 21-12-2020 11:16, Javi Legido wrote:
> Hi there.
> 
> First of all many thanks to all the people involved in this project for 
> their time, I really appreciate it.
> 
> Second my use case:
> 
> a) Container running Webmail (roundcube) with dovecot-ident plugin 
> enabled 
> <https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-228131074>.
> b) Container running Dovecot  2.3.4.1 (docker-mailserver-mysql 
> <https://github.com/Kedu-SCCL/docker-mailserver-mysql>) with fail2ban 
> enabled
> 
> Since I need to add the private IP address of the webmail to 
> "login_trusted_networks" to "...allow to override their IP addresses and 
> ports" I can keep logging in to webmail even if the IP is blocked.
> 
> Question: is there any way to:
> 
> a) Allow a certain IP range to override its IP address and ports (as in 
> "login_trusted_networks") but
> b) Be blocked, as any other incoming connections, by fail2ban?
> 
> More context. Once the public IP is banned (8.8.8.8 in this example):
> 
> ```
> 2020-12-21 10:10:31,371 fail2ban.filter         [309]: INFO    [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:31
> 2020-12-21 10:10:39,189 fail2ban.filter         [309]: INFO    [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:39
> 2020-12-21 10:10:51,222 fail2ban.filter         [309]: INFO    [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:51
> 2020-12-21 10:10:52,008 fail2ban.actions        [309]: NOTICE  [dovecot] Ban 8.8.8.8
> ```
> 
> I can't reach dovecot by telnet from this public IP:
> 
> ```
> telnet mail.example.com 143
> Trying 9.9.9...
> telnet: Unable to connect to remote host: Connection refused
> ```
> 
> Unless I removed the ban:
> 
> ```
> docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
> ```
> 
> Many thanks.
> 
> Javier
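
The approach suggested in the reply, sketched as an added example (not part of the thread and not fail2ban's own code): count HTTP 401 responses per client address in the webmail's access log and flag an address once it reaches a threshold inside a time window, which is the decision fail2ban makes with its `maxretry` and `findtime` settings. The log lines, the request paths and the threshold values are constructed for illustration, and the log is assumed to be in nginx/apache "combined" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (not from the thread).
SAMPLE_LOG = """\
8.8.8.8 - - [21/Dec/2020:10:10:31 +0000] "POST /?_task=login HTTP/1.1" 401 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [21/Dec/2020:10:10:33 +0000] "GET /?_task=mail HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
8.8.8.8 - - [21/Dec/2020:10:10:39 +0000] "POST /?_task=login HTTP/1.1" 401 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [21/Dec/2020:10:10:45 +0000] "POST /?_task=login HTTP/1.1" 401 5120 "-" "Mozilla/5.0"
8.8.8.8 - - [21/Dec/2020:10:10:51 +0000] "POST /?_task=login HTTP/1.1" 401 5120 "-" "Mozilla/5.0"
"""

# client address, identd, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the 401 that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 401 responses
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Skip unparsable lines, non-401 responses and already flagged hosts.
        if not m or m["status"] != "401" or m["host"] in bans:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["host"]]
        window.append(when)
        # Forget failures that fell out of the findtime window.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["host"]] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} would ban {ip} at the web server")
```

Because the web server logs the real client address, the ban can be applied to HTTP(S) on the webmail host and does not depend on what address Dovecot sees.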

