Open JonnyFPV opened 1 year ago
LaurenceJJones
commented
1 year ago What is soho? we dont officially have a collection to support mailcow (even thought it just a frontend to postfix + dovecot) so if we wanted too we could create a whitelist to ignore 403 response from /SOGo/so/passwordRecoveryEnabled endpoint.
JonnyFPV
commented
1 year ago I mean Sogo yes. So, how can I configure it, to prevent bans on logins to sogo?
Or how can I support you for supporting mailcow/Sogo?
LaurenceJJones
commented
1 year ago Well with the limited information you provided I can write an generic whitelist. Since its a FP on nginx side so there no need to parse mailcow logs.
JonnyFPV
commented
1 year ago That would be great if you write some whitelisting. Regards 👍
JonnyFPV
commented
1 year ago any progress? :-)
LaurenceJJones
commented
1 year ago Here a WIP version
name: crowdsecurity/mailcow-sogo-whitelist
description: "Whitelist events from mailcow-sogo"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
reason: "Mailcow-SOGo Whitelist"
expression:
- evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path == '/SOGo/so/passwordRecoveryEnabled'However, I dont know how the application works so you could be whitelisting events from an endpoint you want to protect.
JonnyFPV
commented
1 year ago ok, thank you, the login is working fine now. But did this whitelisting now disable any Protection for this service?
Is it possible to whitelist this service or do I need to configure something?
Because if I try to login to soho I get banned.
Regards Jan
`################################################################################################
ID : 676
Date : 2023-03-19T17:49:13Z
Machine : localhost
Simulation : false
Reason : LePresidente/http-generic-403-bf
Events Count : 6
Scope:Value: Ip:80.187.XXX.XXX
Country : DE
AS : Deutsche Telekom AG
Begin : 2023-03-19 17:49:10.679182479 +0000 UTC
End : 2023-03-19 17:49:12.789377823 +0000 UTC
Events :
Date: 2023-03-19 18:49:10 +0100 +0100 +-----------------+-------------------------------------------------------+ | Key | Value | +-----------------+-------------------------------------------------------+ | ASNNumber | 3320 | +-----------------+-------------------------------------------------------+ | ASNOrg | Deutsche Telekom AG | +-----------------+-------------------------------------------------------+ | IsInEU | true | +-----------------+-------------------------------------------------------+ | IsoCode | DE | +-----------------+-------------------------------------------------------+ | SourceRange | 80.187.XXX.X/22 | +-----------------+-------------------------------------------------------+ | datasource_path | mailcowdockerized-nginx-mailcow-1 | +-----------------+-------------------------------------------------------+ | datasource_type | docker | +-----------------+-------------------------------------------------------+ | http_args_len | 0 | +-----------------+-------------------------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +-----------------+-------------------------------------------------------+ | http_status | 403 | +-----------------+-------------------------------------------------------+ | http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | | | AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 | | | Safari/605.1.15 | +-----------------+-------------------------------------------------------+ | http_verb | POST | +-----------------+-------------------------------------------------------+ | log_type | http_access-log | +-----------------+-------------------------------------------------------+ | service | http | +-----------------+-------------------------------------------------------+ | source_ip | 80.187.XXXX.XXX | +-----------------+-------------------------------------------------------+ | timestamp | 2023-03-19T18:49:10+01:00 | +-----------------+-------------------------------------------------------+
Date: 2023-03-19 18:49:10 +0100 +0100 +-----------------+-------------------------------------------------------+ | Key | Value | +-----------------+-------------------------------------------------------+ | ASNNumber | 3320 | +-----------------+-------------------------------------------------------+ | ASNOrg | Deutsche Telekom AG | +-----------------+-------------------------------------------------------+ | IsInEU | true | +-----------------+-------------------------------------------------------+ | IsoCode | DE | +-----------------+-------------------------------------------------------+ | SourceRange | 80.187.XXX.X/22 | +-----------------+-------------------------------------------------------+ | datasource_path | mailcowdockerized-nginx-mailcow-1 | +-----------------+-------------------------------------------------------+ | datasource_type | docker | +-----------------+-------------------------------------------------------+ | http_args_len | 0 | +-----------------+-------------------------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +-----------------+-------------------------------------------------------+ | http_status | 403 | +-----------------+-------------------------------------------------------+ | http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | | | AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 | | | Safari/605.1.15 | +-----------------+-------------------------------------------------------+ | http_verb | POST | +-----------------+-------------------------------------------------------+ | log_type | http_access-log | +-----------------+-------------------------------------------------------+ | service | http | +-----------------+-------------------------------------------------------+ | source_ip | 80.187.XXX.XXX | +-----------------+-------------------------------------------------------+ | timestamp | 2023-03-19T18:49:10+01:00 | +-----------------+-------------------------------------------------------+
Date: 2023-03-19 17:49:10 +0000 UTC +---------------------+--------------------------------------+ | Key | Value | +---------------------+--------------------------------------+ | ASNNumber | 3320 | +---------------------+--------------------------------------+ | ASNOrg | Deutsche Telekom AG | +---------------------+--------------------------------------+ | IsInEU | true | +---------------------+--------------------------------------+ | IsoCode | DE | +---------------------+--------------------------------------+ | SourceRange | 80.187.XXX.XXX/22 | +---------------------+--------------------------------------+ | datasource_path | /var/log/crowdsec/traefik/access.log | +---------------------+--------------------------------------+ | datasource_type | file | +---------------------+--------------------------------------+ | http_args_len | 0 | +---------------------+--------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +---------------------+--------------------------------------+ | http_status | 403 | +---------------------+--------------------------------------+ | http_verb | POST | +---------------------+--------------------------------------+ | log_type | http_access-log | +---------------------+--------------------------------------+ | service | http | +---------------------+--------------------------------------+ | source_ip | 80.187.XXX.XXX | +---------------------+--------------------------------------+ | timestamp | 2023-03-19T17:49:10Z | +---------------------+--------------------------------------+ | traefik_router_name | nginx-mailcow-secure@docker | +---------------------+--------------------------------------+ | user | - | +---------------------+--------------------------------------+
Date: 2023-03-19 17:49:10 +0000 UTC +---------------------+--------------------------------------+ | Key | Value | +---------------------+--------------------------------------+ | ASNNumber | 3320 | +---------------------+--------------------------------------+ | ASNOrg | Deutsche Telekom AG | +---------------------+--------------------------------------+ | IsInEU | true | +---------------------+--------------------------------------+ | IsoCode | DE | +---------------------+--------------------------------------+ | SourceRange | 80.187.XXX.XXX/22 | +---------------------+--------------------------------------+ | datasource_path | /var/log/crowdsec/traefik/access.log | +---------------------+--------------------------------------+ | datasource_type | file | +---------------------+--------------------------------------+ | http_args_len | 0 | +---------------------+--------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +---------------------+--------------------------------------+ | http_status | 403 | +---------------------+--------------------------------------+ | http_verb | POST | +---------------------+--------------------------------------+ | log_type | http_access-log | +---------------------+--------------------------------------+ | service | http | +---------------------+--------------------------------------+ | source_ip | 80.187.XXX.XXX | +---------------------+--------------------------------------+ | timestamp | 2023-03-19T17:49:10Z | +---------------------+--------------------------------------+ | traefik_router_name | nginx-mailcow-secure@docker | +---------------------+--------------------------------------+ | user | - | +---------------------+--------------------------------------+
Date: 2023-03-19 18:49:12 +0100 +0100 +-----------------+-------------------------------------------------------+ | Key | Value | +-----------------+-------------------------------------------------------+ | ASNNumber | 3320 | +-----------------+-------------------------------------------------------+ | ASNOrg | Deutsche Telekom AG | +-----------------+-------------------------------------------------------+ | IsInEU | true | +-----------------+-------------------------------------------------------+ | IsoCode | DE | +-----------------+-------------------------------------------------------+ | SourceRange | 80.187.XXX.X/22 | +-----------------+-------------------------------------------------------+ | datasource_path | mailcowdockerized-nginx-mailcow-1 | +-----------------+-------------------------------------------------------+ | datasource_type | docker | +-----------------+-------------------------------------------------------+ | http_args_len | 0 | +-----------------+-------------------------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +-----------------+-------------------------------------------------------+ | http_status | 403 | +-----------------+-------------------------------------------------------+ | http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | | | AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 | | | Safari/605.1.15 | +-----------------+-------------------------------------------------------+ | http_verb | POST | +-----------------+-------------------------------------------------------+ | log_type | http_access-log | +-----------------+-------------------------------------------------------+ | service | http | +-----------------+-------------------------------------------------------+ | source_ip | 80.187.114.XXX | +-----------------+-------------------------------------------------------+ | timestamp | 2023-03-19T18:49:12+01:00 | +-----------------+-------------------------------------------------------+
Date: 2023-03-19 17:49:12 +0000 UTC +---------------------+--------------------------------------+ | Key | Value | +---------------------+--------------------------------------+ | ASNNumber | 3320 | +---------------------+--------------------------------------+ | ASNOrg | Deutsche Telekom AG | +---------------------+--------------------------------------+ | IsInEU | true | +---------------------+--------------------------------------+ | IsoCode | DE | +---------------------+--------------------------------------+ | SourceRange | 80.187.XXX.XXX/22 | +---------------------+--------------------------------------+ | datasource_path | /var/log/crowdsec/traefik/access.log | +---------------------+--------------------------------------+ | datasource_type | file | +---------------------+--------------------------------------+ | http_args_len | 0 | +---------------------+--------------------------------------+ | http_path | /SOGo/so/passwordRecoveryEnabled | +---------------------+--------------------------------------+ | http_status | 403 | +---------------------+--------------------------------------+ | http_verb | POST | +---------------------+--------------------------------------+ | log_type | http_access-log | +---------------------+--------------------------------------+ | service | http | +---------------------+--------------------------------------+ | source_ip | 80.187.XXX.XXX | +---------------------+--------------------------------------+ | timestamp | 2023-03-19T17:49:12Z | +---------------------+--------------------------------------+ | traefik_router_name | nginx-mailcow-secure@docker | +---------------------+--------------------------------------+ | user | - | +---------------------+--------------------------------------+`