1 (edited by wynniphuu 2016-10-18 17:35:25)

Topic: Fail2ban sogo doesn't work

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Fail2ban for SOGo doesn't work.
I can see a lot of attempts from localhost. Localhost (127.0.0.1) is under ignoreip. Is this right?

See my /var/log/sogo/sogo.log file:

Oct 18 08:39:40 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:40 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.035 - - 2M
Oct 18 08:39:43 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:43 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.008 - - 0
Oct 18 08:39:46 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:46 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.009 - - 0
Oct 18 08:39:48 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:48 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.007 - - 0
Oct 18 08:39:49 sogod [13814]: <0x0x7fc693b77420[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes in Ping...
Oct 18 08:39:50 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:50 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.007 - - 0
Oct 18 08:39:54 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:54 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.010 - - 0
Oct 18 08:39:55 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 08:39:55 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.009 - - 0


my /etc/fail2ban/jail.local file

[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 86400
maxretry    = 5
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 46.101.59.197

[sshd]
enabled     = true
filter      = sshd
action      = iptables-multiport[name=sshd, port="2828", protocol=tcp]
logpath     = /var/log/auth.log

[sshd-ddos]
enabled     = true
filter      = sshd-ddos
action      = iptables-multiport[name=sshd-ddos, port="2828", protocol=tcp]
logpath     = /var/log/auth.log

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/mail.log
findtime    = 3600

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/dovecot.log

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#              sendmail[name=Postfix, dest=root, sender=fail2ban@localhost]
logpath     = /var/log/mail.log

[sogo-iredmail]
enabled     = true
filter      = sogo-auth
action      = iptables-multiport[name=sogo, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/sogo/sogo.log


my filter file on /etc/fail2ban/filter.d/sogo-auth.conf:

[Definition]

failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
ignoreregex =


The output of fail2ban-regex:

fail2ban-regex /var/log/sogo/sogo.log /etc/fail2ban/filter.d/sogo-auth.conf

Use   failregex file : /etc/fail2ban/filter.d/sogo-auth.conf
Use         log file : /var/log/sogo/sogo.log


Results
=======

Failregex: 16 total
|-  #) [# of hits] regular expression
|   1) [16] ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [198] MONTH Day Hour:Minute:Second
`-

Lines: 198 lines, 0 ignored, 8 matched, 190 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 190 lines


Have you any ideas?
wynni

----


2

Re: Fail2ban sogo doesn't work

Do you have X-Real-IP header in Nginx (/etc/nginx/templates/sogo.tmpl)?

location ^~ /SOGo {
    ...
    proxy_set_header X-Real-IP $remote_addr;
    ...
}

3

Re: Fail2ban sogo doesn't work

I commented out this line and restarted the nginx service, but it doesn't help. It's always the same.
Have a look at my logfile:


Oct 18 15:45:32 sogod [24161]: SOGoRootPage Login from 'localhost' for user 'sdfsd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 15:45:32 sogod [24161]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/62 0.021 - - 0
Oct 18 15:45:39 sogod [24161]: SOGoRootPage Login from 'localhost' for user 'sdfsd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Oct 18 15:45:39 sogod [24161]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/62 0.011 - - 0

4

Re: Fail2ban sogo doesn't work

You need this part also:
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

You can close the topic!
thanks

wynni

5

Re: Fail2ban sogo doesn't work

We have them both in default iRedMail settings. I'm sorry that I didn't paste the full settings for your reference. You can find them here:
https://bitbucket.org/zhb/iredmail/src/ … go.tmpl-20
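To make the thread's diagnosis concrete, here is an added example (not code from the thread, fail2ban or iRedMail) that runs the posted sogo-auth failregex and the jail.local ignoreip list over constructed log lines: the 'localhost' lines match the filter but resolve to 127.0.0.1 and are dropped by ignoreip, while the same failures logged with a forwarded client address (as after the X-Real-IP / X-Forwarded-For fix in the replies) reach maxretry. The <HOST> expansion, the date-template stripping and the localhost-to-127.0.0.1 mapping are assumptions standing in for fail2ban's internals.

```python
import ipaddress
import re

# failregex copied unchanged from the thread's /etc/fail2ban/filter.d/sogo-auth.conf.
FAILREGEX = (r"^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' "
             r"might not have worked( - password policy: \d*  grace: -?\d*  "
             r"expire: -?\d*  bound: -?\d*)?\s*$")
# Assumed expansion of the <HOST> tag (modelled on fail2ban 0.9's host pattern).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The "MONTH Day Hour:Minute:Second" prefix that fail2ban strips before matching.
DATE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d")
# ignoreip and maxretry from the thread's jail.local (public IP entry left out).
IGNOREIP = [ipaddress.ip_network(n) for n in
            "127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16".split()]
MAXRETRY = 5
# Constructed stand-in for the DNS lookup fail2ban does when <HOST> is a name.
RESOLVE = {"localhost": "127.0.0.1"}

def sogo_line(ts, host, user):
    """Construct a sogo.log line in exactly the shape the thread shows."""
    return (f"Oct 18 {ts} sogod [13818]: SOGoRootPage Login from '{host}' for user "
            f"'{user}' might not have worked - password policy: 65535  grace: -1  "
            f"expire: -1  bound: 0")

# Constructed sample: six 'localhost' failures as in the thread, five failures for a
# forwarded client address (203.0.113.7 is a documentation address), one non-matching line.
SAMPLE_LOG = [sogo_line(f"08:39:{40 + i}", "localhost", "asdasd") for i in range(6)]
SAMPLE_LOG += [sogo_line(f"15:45:{30 + i}", "203.0.113.7", "sdfsd") for i in range(5)]
SAMPLE_LOG.append('Oct 18 08:39:40 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.035 - - 2M')

def simulate(lines, maxretry=MAXRETRY):
    """Replay fail2ban's matching: count failures per address after ignoreip, list bans."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))
    matched = ignored = 0
    hits = {}
    for line in lines:
        m = rx.match(DATE_RE.sub("", line, count=1))
        if not m:
            continue  # fail2ban-regex would count this as a missed line
        matched += 1
        try:
            addr = ipaddress.ip_address(RESOLVE.get(m.group("host"), m.group("host")))
        except ValueError:
            continue  # a name that does not resolve gives fail2ban nothing to ban
        if any(addr in net for net in IGNOREIP):
            ignored += 1  # matched the filter, but ignoreip suppresses it (the thread's case)
            continue
        hits[str(addr)] = hits.get(str(addr), 0) + 1
    banned = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return {"matched": matched, "ignored": ignored, "hits": hits, "banned": banned}

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

The matched count mirrors what fail2ban-regex reports, while the ignored count explains why those matches never turn into bans when the log only ever shows 'localhost'.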