RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License

Rainloop fail2ban #1580

Open janarzz opened 6 years ago

janarzz commented 6 years ago

Hey, does anybody know how to get RainLoop to work with fail2ban?

extremeshok commented 6 years ago

/PATH-TO-RAINLOOP-DATA-FOLDER/..../application.ini

[logs]
auth_logging = On
auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
auth_logging_format = "Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

/etc/fail2ban/filter.d/rainloop.conf

[Definition]
failregex = : Auth failed: ip=<HOST> user=.* host=.* port=.*$
ignoreregex =

/etc/fail2ban/jail.local

[rainloop]
enabled = true
banaction = iptables-multiport
filter = rainloop
port = http,https
logpath = /PATH-TO-RAINLOOP-DATA-FOLDER/_default_/logs/fail2ban/auth-*.txt
maxretry = 5
findtime = 1500
bantime = 3600

janarzz commented 6 years ago

This solution did not work for me.

ervee commented 6 years ago

When fail2ban starts, I see it mentioning the existing auth-*.txt files. But does fail2ban pick up new files as they are created by date by RainLoop?

janarzz commented 6 years ago

When I use Roundcube Webmail, fail2ban works great.

janarzz commented 6 years ago

Hey, has a solution been found for RainLoop fail2ban?

ervee commented 6 years ago

@RainLoop, would it be possible to patch RainLoop to produce only one logfile instead of one for every date? Let it create an empty logfile when not found (for example check on every successful admin login because RainLoop must be accessed by an admin to setup) so fail2ban can pick it up and "tail" it.

drpetersen commented 5 years ago

@ervee Sorry to "necropost", but there are a couple of still open issues here which I stumbled upon looking for a solution with fail2ban, and they seem to be related to the same problem. The name of the log file can be configured in RainLoop's ../data/..../application.ini file, as shown here. So you could simply set it to a constant file name like so:

[logs]
auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.log"
auth_logging_format = "Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

Also see here and here: In your fail2ban jail config, you need to set a findtime high enough so that the gap between UTC (expected by fail2ban) and local time (logged by RainLoop) is covered, probably plus some margin. 1500 won't do, unless you happen to live in the right place in the right (summer or winter, that is) time.

sadsfae commented 5 years ago

I'd be interested in getting this working, has anyone else made any progress? It'd be great to see this show up officially in the fail2ban packaging configuration files.

txtsd commented 5 years ago

Posting here to keep an eye on this.

revnil commented 5 years ago

extremeshok's configuration posted above worked for me.

enriluis commented 5 years ago

I have a slightly different case. My RainLoop webmail is behind HAProxy. HAProxy is sending X-Forwarded-For fine, and in the Apache logs I see the real client IP, but with RainLoop auth logging enabled I see the HAProxy IP. I need a workaround to see the real client IP, help me please.

bugz8unny69 commented 5 years ago

Hey there,

It would probably be better to purchase a standard license or e-mail RainLoop directly?

mnotgninnep commented 5 years ago

I know this is old but I did a few tweaks and made this work right.

/...path to rainloop.../rainloop/data/_data_/_default_/configs/application.ini

auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.txt"
auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

The T in the time formatting inserts the timezone which fail2ban uses to correct for the time difference recorded. The fail2ban log will still record GMT but if you look in /var/log/fail2ban.log, it will now convert it and record the correct time.

/etc/fail2ban/filter.d/rainloop.conf

[Definition]
failregex = Auth failed: ip=<HOST> user=.* host=.* port=.*$
ignoreregex =

/etc/fail2ban/jail.local

[rainloop]
enabled = true
port = http,https
logpath = /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth-fail.txt

I omitted the other properties above as I wanted it to use my defaults.
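
An offline check of the setup in the comment above, added here as an example (not part of the original thread, and not RainLoop or fail2ban code): it applies the posted failregex to constructed log lines and counts failures per source address with the `findtime`/`maxretry` values from earlier in the thread. The IPv4-only `<HOST>` stand-in, the zone table and the window check are simplifying assumptions, not fail2ban's implementation.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from the comment above, with <HOST> expanded.
FAILREGEX = re.compile(
    r"Auth failed: ip=<HOST> user=.* host=.* port=.*$".replace("<HOST>", HOST))
# "[Y-m-d H:i:s T]" prefix; the zone abbreviation is optional.
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([A-Z]{2,5}))?\]")
# Constructed abbreviation table (hours east of UTC), enough for the sample.
ZONES = {"UTC": 0, "GMT": 0, "CET": 1, "EST": -5}

def parse_line(line, default_offset_hours=0):
    """Return (source_ip, utc_time) for a failure line, or None."""
    hit, stamp = FAILREGEX.search(line), STAMP.match(line)
    if not (hit and stamp):
        return None
    # A missing or unknown zone falls back to the default offset.
    hours = ZONES.get(stamp.group(2), default_offset_hours)
    local = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
    utc = (local - timedelta(hours=hours)).replace(tzinfo=timezone.utc)
    return hit.group("host"), utc

def offenders(lines, now, findtime=1500, maxretry=5):
    """IPs with at least maxretry failures in the findtime seconds before now."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when = parsed
        if timedelta(0) <= now - when <= timedelta(seconds=findtime):
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

# Constructed sample: five failures logged at 07:00-07:04 EST (12:00-12:04 UTC).
BODY = "Auth failed: ip=203.0.113.7 user=alice host=192.0.2.10 port=993"
WITH_ZONE = [f"[2024-01-15 07:0{i}:00 EST] {BODY}" for i in range(5)]
NO_ZONE = [f"[2024-01-15 07:0{i}:00] {BODY}" for i in range(5)]
NOW = datetime(2024, 1, 15, 12, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("with zone:", offenders(WITH_ZONE, NOW))  # zone applied, inside window
    print("no zone:  ", offenders(NO_ZONE, NOW))    # read as UTC, five hours stale
```

Against a live installation, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/rainloop.conf` runs the real filter and date detection over the actual log.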

redSTORM000 commented 4 years ago

I found a solution here: https://terminal.ovh/2020/08/fail2ban-does-not-pick-up-new-logfiles-created-every-day/

khimaros commented 3 years ago

note that this will not work well if rainloop is behind a reverse proxy due to https://github.com/RainLoop/rainloop-webmail/issues/1849

ion-lane commented 3 years ago

I am having the same problem. fail2ban-regex finds a match in the log, but fail2ban does not. Found a solution here https://blogvomjens.wordpress.com/2016/06/03/fail2ban-und-rainloop/comment-page-1 In application.ini you need to set your timezone to time_offset =

khimaros commented 3 years ago

this workaround should also work for the reverse proxy case mentioned above: https://github.com/RainLoop/rainloop-webmail/issues/1849#issuecomment-742718083

phatlix commented 2 years ago

I am wondering if someone could straighten me out? I know this thread is old, and I apologize for beating this horse.

I am running into a case where my filtered <HOST> match is grabbing the host={imap:host} instead of the ip={request:ip}. I have tried so many regex variants and even dropping everything after it first hits the ip={request:ip} match. But it still manages to read in the host={imap:host}.

Is this fixable? Just to clarify the issue... for me, the host={imap:host} in the log is my mailserver hosting rainloop. So it will always be the same IP (and my f2b is set to ignoreself = true).

Thank you for any insight!

frogmaker commented 2 years ago

Hi! @phatlix Could you please show me your f2b and RainLoop logs from when you try to log in with a wrong password from a different device? I will try to help you.