Open JonnyFPV opened 1 year ago
What is soho? We don't officially have a collection to support mailcow (even though it is just a frontend to postfix + dovecot), so if we wanted to we could create a whitelist to ignore 403 responses from the /SOGo/so/passwordRecoveryEnabled endpoint.
I mean SOGo, yes. So, how can I configure it to prevent bans on logins to SOGo?
Or how can I support you in supporting mailcow/SOGo?
Well, with the limited information you provided I can write a generic whitelist. Since it's a FP on the nginx side, there's no need to parse mailcow logs.
That would be great if you could write some whitelisting. Regards 👍
Any progress? :-)
Here is a WIP version:
```yaml
name: crowdsecurity/mailcow-sogo-whitelist
description: "Whitelist events from mailcow-sogo"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Mailcow-SOGo Whitelist"
  expression:
    - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/SOGo/so/passwordRecoveryEnabled'
```
However, I don't know how the application works, so you could be whitelisting events from an endpoint you want to protect.
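As an added illustration (not code from this thread or from the crowdsec hub), a small Python evaluator for the subset of expr syntax the whitelist above uses, run over constructed events modelled on the Meta fields of the alert pasted in the issue. It shows that only POST 403s on /SOGo/so/passwordRecoveryEnabled are dropped, while a 403 on any other path (the constructed `/SOGo/so/other` here) would still be counted by the http-generic-403-bf scenario.

```python
import re

# Filter and whitelist expression exactly as in the WIP parser above.
FILTER = ("evt.Meta.service == 'http' && "
          "evt.Meta.log_type in ['http_access-log', 'http_error-log']")
EXPRESSIONS = [
    "evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' "
    "&& evt.Meta.http_path == '/SOGo/so/passwordRecoveryEnabled'",
]

# Only two term shapes occur in the whitelist: equality and list membership.
_EQ = re.compile(r"^evt\.Meta\.(\w+) == '([^']*)'$")
_IN = re.compile(r"^evt\.Meta\.(\w+) in \[(.*)\]$")


def _eval_term(term, meta):
    """Evaluate one comparison against the event's Meta dictionary."""
    term = term.strip()
    m = _EQ.match(term)
    if m:
        return meta.get(m.group(1)) == m.group(2)
    m = _IN.match(term)
    if m:
        allowed = [v.strip().strip("'") for v in m.group(2).split(",")]
        return meta.get(m.group(1)) in allowed
    raise ValueError(f"unsupported term: {term}")


def evaluate(expression, meta):
    """Conjunction of terms joined by '&&', the only operator used here."""
    return all(_eval_term(t, meta) for t in expression.split("&&"))


def is_whitelisted(meta):
    """True when the event passes the parser filter and any whitelist expression."""
    return evaluate(FILTER, meta) and any(evaluate(e, meta) for e in EXPRESSIONS)


def remaining_403s(events):
    """Number of events the whitelist does NOT remove (still seen by the scenario)."""
    return sum(1 for e in events if not is_whitelisted(e))


# Constructed event mirroring the Meta keys in the alert from the issue.
SOGO_PROBE = {"service": "http", "log_type": "http_access-log",
              "http_status": "403", "http_verb": "POST",
              "http_path": "/SOGo/so/passwordRecoveryEnabled"}
# Constructed 403 on a different (made-up) path: not covered by the whitelist.
OTHER_403 = dict(SOGO_PROBE, http_path="/SOGo/so/other")
```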
OK, thank you, the login is working fine now. But did this whitelisting now disable any protection for this service?
Is it possible to whitelist this service, or do I need to configure something?
Because if I try to log in to soho I get banned.
Regards, Jan
```text
################################################################################################
ID : 676
Date : 2023-03-19T17:49:13Z
Machine : localhost
Simulation : false
Reason : LePresidente/http-generic-403-bf
Events Count : 6
Scope:Value: Ip:80.187.XXX.XXX
Country : DE
AS : Deutsche Telekom AG
Begin : 2023-03-19 17:49:10.679182479 +0000 UTC
End : 2023-03-19 17:49:12.789377823 +0000 UTC
```

Events (one column per event; a blank cell means the key was not present in that event):

| Key | Event 1 | Event 2 | Event 3 | Event 4 | Event 5 | Event 6 |
|---|---|---|---|---|---|---|
| Date | 2023-03-19 18:49:10 +0100 +0100 | 2023-03-19 18:49:10 +0100 +0100 | 2023-03-19 17:49:10 +0000 UTC | 2023-03-19 17:49:10 +0000 UTC | 2023-03-19 18:49:12 +0100 +0100 | 2023-03-19 17:49:12 +0000 UTC |
| ASNNumber | 3320 | 3320 | 3320 | 3320 | 3320 | 3320 |
| ASNOrg | Deutsche Telekom AG | Deutsche Telekom AG | Deutsche Telekom AG | Deutsche Telekom AG | Deutsche Telekom AG | Deutsche Telekom AG |
| IsInEU | true | true | true | true | true | true |
| IsoCode | DE | DE | DE | DE | DE | DE |
| SourceRange | 80.187.XXX.X/22 | 80.187.XXX.X/22 | 80.187.XXX.XXX/22 | 80.187.XXX.XXX/22 | 80.187.XXX.X/22 | 80.187.XXX.XXX/22 |
| datasource_path | mailcowdockerized-nginx-mailcow-1 | mailcowdockerized-nginx-mailcow-1 | /var/log/crowdsec/traefik/access.log | /var/log/crowdsec/traefik/access.log | mailcowdockerized-nginx-mailcow-1 | /var/log/crowdsec/traefik/access.log |
| datasource_type | docker | docker | file | file | docker | file |
| http_args_len | 0 | 0 | 0 | 0 | 0 | 0 |
| http_path | /SOGo/so/passwordRecoveryEnabled | /SOGo/so/passwordRecoveryEnabled | /SOGo/so/passwordRecoveryEnabled | /SOGo/so/passwordRecoveryEnabled | /SOGo/so/passwordRecoveryEnabled | /SOGo/so/passwordRecoveryEnabled |
| http_status | 403 | 403 | 403 | 403 | 403 | 403 |
| http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15 | | | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15 | |
| http_verb | POST | POST | POST | POST | POST | POST |
| log_type | http_access-log | http_access-log | http_access-log | http_access-log | http_access-log | http_access-log |
| service | http | http | http | http | http | http |
| source_ip | 80.187.XXXX.XXX | 80.187.XXX.XXX | 80.187.XXX.XXX | 80.187.XXX.XXX | 80.187.114.XXX | 80.187.XXX.XXX |
| timestamp | 2023-03-19T18:49:10+01:00 | 2023-03-19T18:49:10+01:00 | 2023-03-19T17:49:10Z | 2023-03-19T17:49:10Z | 2023-03-19T18:49:12+01:00 | 2023-03-19T17:49:12Z |
| traefik_router_name | | | nginx-mailcow-secure@docker | nginx-mailcow-secure@docker | | nginx-mailcow-secure@docker |
| user | | | - | - | | - |