1

Topic: Fail2ban filter and settings to secure outgoing OpenLDAP

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.8.7
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hi!

I use the LDAP installed and configured by iRedMail as a single sign-on system, for example for my ownCloud. Now I want to move the cloud to another server but want to keep the SSO ability. Therefore I want to open the settings of the iptables (/etc/default/iptables). But I'm afraid that this port and so OpenLDAP might be attacked. Could someone maybe tell me the correct settings and filter settings for Fail2ban to secure OpenLDAP?

Thanks in advance!

2

Re: Fail2ban filter and settings to secure outgoing OpenLDAP

Hello!
We also have iRedMail with LDAP backend and use it as SSO for owncloud and some other apps. I think it's better to allow only a specific server - in this case owncloud - to connect to your iRedMail LDAP port, not open it publicly.
In iptables you can do it like this:
-A INPUT -p tcp -s {{ owncloud_server }} --dport 389 -j ACCEPT

Also in LDAP client on owncloud setup secure starttls connection, so data transfer is encrypted.

Hope it helps and if you have any other questions, don't hesitate to ask.

3 (edited by alex42 2016-09-24 19:04:41)

Re: Fail2ban filter and settings to secure outgoing OpenLDAP

You are right, that seems to be better. Do I have to replace owncloud_server with the IP of the server?

And how do I activate STARTTLS in the LDAP settings of owncloud? (I've just seen a checkup where I can deactivate the SSL check)

4 (edited by alex42 2016-09-24 19:09:32)

Re: Fail2ban filter and settings to secure outgoing OpenLDAP

OK, found out that the iptables entry has to look like this:

-A INPUT -p tcp -s owncloud.server.ip.address --dport 389 -j ACCEPT

But how can I force ownCloud to use StartTLS?

5

Re: Fail2ban filter and settings to secure outgoing OpenLDAP

alex42 wrote:

But how can I force ownCloud to use StartTLS?

I didn't see that OpenLDAP offers an option to FORCE TLS connections through port 389, but you should be able to set this in the ownCloud config file.

== UPDATE ==
According to the owncloud doc, I suppose using port 389 and leaving the option "Turn off SSL certificate validation" UNCHECKED should be OK:
https://doc.owncloud.org/server/9.1/adm … _ldap.html

You can turn on debug mode in OpenLDAP first, then login to ownCloud. OpenLDAP will log whether it's a secure connection. Or maybe ownCloud logs something about secure connection somewhere?
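The opening post asks for a Fail2ban filter for OpenLDAP and the reply above suggests checking in slapd's log whether the connection was secure; a plain Fail2ban regex is awkward here because slapd logs the client IP on the conn=N ACCEPT line and the bind failure (err=49) on a separate RESULT line. The following added example (not from this forum or the iRedMail project) correlates those lines by conn ID to count failed binds per client IP and to flag binds sent before TLS was established; the log lines are constructed to match slapd's "stats" loglevel format.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" loglevel output in syslog format.
# conn=1001 does STARTTLS before binding; conn=1002 binds in plaintext and fails twice.
SAMPLE_LOG = """\
Sep 24 19:04:41 mail slapd[1234]: conn=1001 fd=12 ACCEPT from IP=203.0.113.5:51234 (IP=0.0.0.0:389)
Sep 24 19:04:41 mail slapd[1234]: conn=1001 op=0 STARTTLS
Sep 24 19:04:41 mail slapd[1234]: conn=1001 op=0 RESULT oid= err=0 text=
Sep 24 19:04:41 mail slapd[1234]: conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
Sep 24 19:04:41 mail slapd[1234]: conn=1001 op=1 BIND dn="uid=alex,dc=example,dc=com" method=128
Sep 24 19:04:41 mail slapd[1234]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 24 19:05:02 mail slapd[1234]: conn=1002 fd=13 ACCEPT from IP=198.51.100.9:40001 (IP=0.0.0.0:389)
Sep 24 19:05:02 mail slapd[1234]: conn=1002 op=0 BIND dn="uid=admin,dc=example,dc=com" method=128
Sep 24 19:05:02 mail slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Sep 24 19:05:03 mail slapd[1234]: conn=1002 op=1 BIND dn="uid=admin,dc=example,dc=com" method=128
Sep 24 19:05:03 mail slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 = BindResponse

def analyse(log_text):
    """Return (failed_binds_per_ip, plaintext_binds).

    failed_binds_per_ip: {ip: number of BIND results with err=49 (invalidCredentials)}
    plaintext_binds: [(ip, dn)] for binds issued before 'TLS established' on that conn
    """
    conn_ip = {}            # conn ID -> client IP from the ACCEPT line
    tls_conns = set()       # conn IDs that completed STARTTLS
    pending_bind = {}       # (conn, op) -> bind DN, awaiting its RESULT line
    failed = defaultdict(int)
    plaintext = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := TLS_RE.search(line):
            tls_conns.add(m.group(1))
        elif m := BIND_RE.search(line):
            conn, op, dn = m.groups()
            pending_bind[(conn, op)] = dn
            if conn not in tls_conns:
                plaintext.append((conn_ip.get(conn, "?"), dn))
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            if (conn, op) in pending_bind and err == "49":
                failed[conn_ip.get(conn, "?")] += 1
    return dict(failed), plaintext
```

Feeding the per-IP failure counts into a ban action (or into an ACCEPT-only-from-ownCloud firewall policy as in the thread) is the part this script deliberately leaves to the operator.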

6

Re: Fail2ban filter and settings to secure outgoing OpenLDAP

Thanks a lot for your reply! Will test this!