RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License

Fail2ban Rainloop Issues #1995

Open jlauzer11 opened 4 years ago

jlauzer11 commented 4 years ago

Hi All,

I have Fail2ban working with Dovecot, SSH, Apache, and Postfix. I'm not able to get this to work with Rainloop. It looks like everything is correct; it just does not block after the max attempts. Here are my settings:

sudo nano /var/www/html/webmail/data/_data_/_default_/configs/application.ini

Enable auth logging in a separate file (for fail2ban)
auth_logging = On
auth_logging_filename = "fail2ban/auth.log"
auth_logging_format = "Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

sudo nano /etc/fail2ban/filter.d/rainloop.conf

[Definition]
failregex = : Auth failed: ip=<HOST> user=.* host=.* port=.*
ignoreregex =

sudo nano /etc/fail2ban/jail.local

[rainloop]
enabled = true
banaction = iptables-multiport
filter = rainloop
port = http,https,imap
logpath = /var/www/html/webmail/data/_data_/_default_/logs/fail2ban/auth.log
maxretry = 5
findtime = 1500
bantime = 3600

sudo nano /var/www/html/webmail/data/_data_/_default_/logs/fail2ban/auth.log

Auth failed: ip=192.168.1.105 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.105 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.105 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.105 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.69 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.69 user=jason@domain.com host=domain.com port=993
Auth failed: ip=192.168.1.69 user=jason@domain.com host=domain.com port=993

sudo fail2ban-client -i

fail2ban> status
Status
|- Number of jail:      5
`- Jail list:   apache-badbots, dovecot, postfix-sasl, rainloop, sshd
fail2ban> status rainloop
Status for the jail: rainloop
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/www/html/webmail/data/_data_/_default_/logs/fail2ban/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Any thoughts on what might be wrong in my configuration?

Globulino commented 4 years ago

Just a guess: the timestamp is missing.

; Enable auth logging in a separate file (for fail2ban)
auth_logging = Off
auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

koratfood commented 4 years ago

Timestamp is indeed missing. Also, on my system (Ubuntu 18.04), I had to add a static "+0000" UTC offset value to the logging format before fail2ban would parse it. Rainloop as of 1.14.0 only prints timestamps without any offset in its logs, so unless your system is running in the UTC/GMT time zone, you may need this anyway.

grep "auth_logging_format" /var/www/rainloop/data/_data_/_default_/configs/application.ini

auth_logging_format = "[{date:Y-m-d H:i:s} +0000] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

tail -n1 /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth.log

[2020-06-15 13:36:04 +0000] Auth failed: ip=1.2.3.4 user=testfail host=domain.com port=imap

grep "1\.2\.3\.4" /var/log/fail2ban.log

2020-06-15 15:36:05,042 fail2ban.filter         [684]: INFO    [rainloop] Found 1.2.3.4 - 2020-06-15 15:36:04
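
The timestamp and offset points from the replies above, as an added example that is not part of the thread and is not fail2ban's or RainLoop's own code: a simplified Python model of the `findtime` check run over the log line shapes seen in this issue. It assumes an undated line cannot be counted, that a timestamp without an offset is read as host local time, and a UTC+2 host (inferred from the two log excerpts above); `LINE_RE`, `apparent_age` and `in_findtime` are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

FINDTIME = 1500  # seconds, from the [rainloop] jail in this thread
# Assumption: the host runs at UTC+2, inferred from 13:36:04 +0000 being
# reported as 15:36:04 in the fail2ban.log line quoted in the thread.
HOST_TZ = timezone(timedelta(hours=2))

# Hypothetical pattern covering the three line shapes in the thread:
# no timestamp, "[Y-m-d H:i:s]" and "[Y-m-d H:i:s +0000]".
LINE_RE = re.compile(
    r"^(?:\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: (?P<off>[+-]\d{4}))?\] )?"
    r"Auth failed: ip=(?P<ip>\S+) user=\S* host=\S* port=\S*$"
)

def apparent_age(line, now):
    """Seconds between `now` and the time a reader in HOST_TZ assigns to
    the line; None if it is not an auth failure or carries no date."""
    m = LINE_RE.match(line)
    if not m or m["ts"] is None:
        return None
    if m["off"]:  # explicit offset: the instant is unambiguous
        when = datetime.strptime(m["ts"] + " " + m["off"], "%Y-%m-%d %H:%M:%S %z")
    else:  # no offset: the timestamp is taken as host local time
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        when = when.replace(tzinfo=HOST_TZ)
    return (now - when).total_seconds()

def in_findtime(line, now):
    """True only when the line is dated and falls inside the window."""
    age = apparent_age(line, now)
    return age is not None and 0 <= age <= FINDTIME

# Sample lines: the first and third are copied from the thread, the second
# is constructed by dropping the offset from the third.
NOW = datetime(2020, 6, 15, 15, 36, 5, tzinfo=HOST_TZ)
SAMPLES = [
    "Auth failed: ip=192.168.1.105 user=jason@domain.com host=domain.com port=993",
    "[2020-06-15 13:36:04] Auth failed: ip=1.2.3.4 user=testfail host=domain.com port=imap",
    "[2020-06-15 13:36:04 +0000] Auth failed: ip=1.2.3.4 user=testfail host=domain.com port=imap",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(in_findtime(s, NOW), apparent_age(s, NOW), s)
```

In this model the UTC timestamp written without an offset appears 7201 seconds old on the UTC+2 host, which is outside the 1500-second `findtime`, while the same line with `+0000` appears 1 second old.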