1

Topic: Protecting iRedAdmin with Fail2Ban

Hi,

Does anyone have an idea how to protect iRedAdmin with Fail2Ban? I do not know how to protect something in Fail2Ban that logs to a database instead of a file.

The one option I can think of is using a htpasswd file before getting to the iRedAdmin login page, as these attempts can be logged in a file.

"iRedAdmin" must be listed as an Apache alias somewhere, but I couldn't find where. Finding this file is, I think, the first step towards protecting iRedAdmin with Fail2Ban. At the very least one could change the "iRedAdmin" alias to make the login page a little harder to find.

The iRedAdmin files are here:

- on RHEL/CentOS, it's /var/www/iredadmin/settings.py.
- on Debian/Ubuntu, it's /opt/www/iredadmin/settings.py (in recent iRedMail releases) or /usr/share/apache2/iredadmin/settings.py (in old iRedMail releases).
- on FreeBSD, it's /usr/local/www/iredadmin/settings.py.
- on OpenBSD, it's /var/www/iredadmin/settings.py.

Does anyone have any suggestions or anything to add or another way to use Fail2Ban with iRedAdmin?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: Ubuntu 14 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue: NA
====

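The htpasswd idea above works because Apache's mod_auth_basic writes each failed login to the error log, which Fail2Ban can read. The following is an added example, not code from the thread, from iRedMail or from Fail2Ban: it models in Python what a Fail2Ban filter and jail do, a failregex that pulls the client address out of matching lines, and a counter that "bans" an address once it reaches `maxretry` failures inside a `findtime` window. The regex is modelled on the AH01617 (password mismatch) and AH01618 (user not found) messages mod_auth_basic logs; the log lines, addresses and the `/iredadmin/` path are constructed sample data.

```python
"""Fail2Ban-style counting of Apache basic-auth failures per client IP.

Added example; not part of the forum thread, iRedMail or Fail2Ban.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Modelled on the mod_auth_basic error-log messages AH01617 (password
# mismatch) and AH01618 (user not found); timestamp is Apache 2.4's default.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] "
    r"AH0161[78]: user \S+"
)

# Constructed sample error-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[Fri Apr 22 09:55:10.000001 2016] [auth_basic:error] [pid 1234] [client 203.0.113.5:50001] AH01617: user admin: authentication failure for "/iredadmin/": Password Mismatch
[Fri Apr 22 09:55:12.000001 2016] [auth_basic:error] [pid 1234] [client 203.0.113.5:50002] AH01618: user root not found: /iredadmin/
[Fri Apr 22 09:55:15.000001 2016] [core:info] [pid 1234] [client 198.51.100.7:40000] AH00128: File does not exist: /var/www/html/favicon.ico
[Fri Apr 22 09:55:20.000001 2016] [auth_basic:error] [pid 1234] [client 198.51.100.7:40001] AH01617: user admin: authentication failure for "/iredadmin/": Password Mismatch
[Fri Apr 22 09:55:30.000001 2016] [auth_basic:error] [pid 1234] [client 203.0.113.5:50003] AH01617: user admin: authentication failure for "/iredadmin/": Password Mismatch
[Fri Apr 22 10:30:00.000001 2016] [auth_basic:error] [pid 1234] [client 198.51.100.7:40002] AH01618: user test not found: /iredadmin/
[Fri Apr 22 10:30:05.000001 2016] [auth_basic:error] [pid 1234] [client 198.51.100.7:40003] AH01618: user test not found: /iredadmin/
""".splitlines()


def parse_failure(line):
    """Return (timestamp, client_ip) for a basic-auth failure line, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return ts, m.group("ip")


def find_bans(lines, maxretry=3, findtime=600):
    """Return, in order, the IPs that reach `maxretry` failures within `findtime` seconds.

    Mirrors a jail's maxretry/findtime: only failures inside the sliding
    window count, so slow, widely spaced attempts below the threshold are
    not banned (one reason findtime should not be too short).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ip in find_bans(SAMPLE_LOG):
        print("would ban", ip)
```

With the defaults, only 203.0.113.5 is banned: its three failures fall within 20 seconds, while 198.51.100.7 spreads its three over 35 minutes and never has three inside the 600-second window. Raising `findtime` to 7200 catches it too, which is the trade-off a real jail's `findtime` makes.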

2

Re: Protecting iRedAdmin with Fail2Ban

schnappi wrote:

"iRedAdmin" must be listed as an Apache alias somewhere, but I couldn't find where.

With Apache on Ubuntu, it's /etc/apache2/conf-available/iredadmin.conf and /etc/apache2/sites-enabled/default-ssl.conf.

To restrict the global admin to logging in from specified IP addresses/networks, you can also add the setting 'GLOBAL_ADMIN_IP_LIST =' in the iRedAdmin-Pro config file. For example:

GLOBAL_ADMIN_IP_LIST = ['192.168.1.1', '172.16.0.0/8']

Note: this setting restricts only the global domain admin, not normal domain admins.
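An added example, not iRedAdmin-Pro's own code, of the check a setting like GLOBAL_ADMIN_IP_LIST implies: parse the list into networks and test whether a client address falls inside any of them. It uses the two entries from the reply above and adds a validation step, because the second entry, '172.16.0.0/8', has host bits set and, read leniently, means 172.0.0.0/8, a far wider range than the 172.16.0.0/12 private block. Whether iRedAdmin-Pro itself validates entries this way is not stated in the thread.

```python
"""Allowlist check for admin logins by client IP or CIDR network.

Added example; not iRedAdmin-Pro's implementation.  Entries and
addresses below are taken from the reply or constructed.
"""
import ipaddress

# The two entries given in the reply above.
EXAMPLE_LIST = ['192.168.1.1', '172.16.0.0/8']


def parse_allowlist(entries):
    """Return (networks, problems).

    A plain address becomes a /32 (or /128) network.  An entry whose host
    bits are set, such as '172.16.0.0/8', is reported in `problems` instead
    of being silently normalised, since normalising would widen the range.
    """
    networks, problems = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return networks, problems


def widened(entry):
    """Show what a lenient parser would turn a sloppy prefix into."""
    return str(ipaddress.ip_network(entry, strict=False))


def is_allowed(client_ip, networks):
    """True if the client address lies inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, problems = parse_allowlist(EXAMPLE_LIST)
    for entry, why in problems:
        print(f"rejected {entry}: {why} (lenient reading: {widened(entry)})")
    for client in ("192.168.1.1", "192.168.1.2", "172.20.1.1"):
        print(client, "allowed" if is_allowed(client, nets) else "denied")
```

Run as-is, the list parses to a single /32 for 192.168.1.1 and rejects '172.16.0.0/8'; replacing that entry with '172.16.0.0/12' admits the whole RFC 1918 172.16/12 block and nothing beyond it. The same strict-versus-lenient point applies to an Apache `Allow from` line, which should also be written with the network address, not a host address, before the prefix length.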

3 (edited by schnappi 2016-04-22 09:55:10)

Re: Protecting iRedAdmin with Fail2Ban

Adding:

<Directory /usr/share/apache2/iredadmin/>
    Order deny,allow
    Deny from all
    Allow from YOUR IP HERE
</Directory>

to /etc/apache2/conf-available/iredadmin.conf

works perfectly.

Question. I have always wondered: does one need to add a statement such as this to both the HTTP and HTTPS .conf files? It has always seemed to me that adding something like the above to the HTTP .conf file is sufficient to also prevent access to a directory via HTTPS. (Basically, in this instance I added the above to /etc/apache2/conf-available/iredadmin.conf but didn't touch default-ssl.conf.)

4

Re: Protecting iRedAdmin with Fail2Ban

HTTPS is required for web applications which contain sensitive data.

/etc/apache2/conf-available/iredadmin.conf contains the ACL and other settings, but the URL routing is defined in the HTTPS config file, so you can access iRedAdmin only via HTTPS.

5

Re: Protecting iRedAdmin with Fail2Ban

Thanks for the response. Let me rephrase. In Apache there are separate .conf files for HTTP (port 80) and HTTPS (SSL, port 43).

When one puts something such as the below:

<Directory /usr/share/apache2/iredadmin/>
    Order deny,allow
    Deny from all
    Allow from YOUR IP HERE
</Directory>

into the HTTP .conf file, do the restrictions also apply to HTTPS (port 443) connections even though it is only listed in the HTTP (port 80) .conf file?

6

Re: Protecting iRedAdmin with Fail2Ban

You're correct.