Roundcube Community Forum


Fail2Ban

Started by elliot46, May 01, 2023, 11:36:14 AM


elliot46

Hi to all,
from a safety perspective, I would like to implement the "Fail2Ban" feature. Or do you have any other idea to curb DDoS attacks on Roundcube webmail?

Thank you

Dmitry42


elliot46

Do you have an example config?

Dmitry42

#3
Which config file exactly do you mean by "config"?
fail2ban has many config files - settings, filters ...

You can use any internet tutorial for setting up blocking rules.

/etc/fail2ban/jail.d/services.conf

Quote
[nginx-botsearch]
enabled = true
#port = http,https
filter = nginx-botsearch
action = iptables-multiport[name=nginx-botsearch, port="80,443,25,465,587,110,995,143,993", protocol=tcp]
logpath = /var/log/nginx/error.log
maxretry = 5
findtime = 1m

#[nginx-ddos]
#enabled = true
#port = http,https
#filter = nginx-limit-req
#action = iptables-multiport[name=nginxddos, port="http,https", protocol=tcp]
#logpath = /var/log/nginx/error.log

[postfix]
enabled  = true
filter = postfix
action = iptables-multiport[name=postfix, port="80,443,25,465,587,110,995,143,993", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 15
findtime = 5m
bantime = 30d

[dovecot]
enabled  = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="80,443,25,465,587,110,995,143,993", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 15
findtime = 5m
bantime = 30d

I don't use the [nginx-ddos] section - for me it has false positives and blocks too many addresses. And this section needs additional nginx configuration.

elliot46


elliot46

I looked at many tutorials, and I am doing these steps:

install the service
in /etc/fail2ban copy jail.conf to jail.local
edit jail.local
in the "roundcube-auth" section add:
enabled = true
maxretry = 2
bantime = 3600
logpath = /var/log/mail.log

I try a wrong login to Roundcube Webmail, but I always receive "login failed", never another message.

With the "sudo fail2ban-client status roundcube-auth" command, I am not seeing errors...

Where am I going wrong?

Thanks

Dmitry42

#6
It's because Roundcube does not write errors to the log file. You can see only IMAP or SMTP errors - but with your local Roundcube server IP.

For example, my wrong attempt:

Quote
May 15 18:06:37 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Dmitry42@******.ru>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<g7QFzbz7vMd/AAAB>

Fail2ban can find these errors, but it will ban your "rip=127.0.0.1" - it's your local server IP. You ban yourself.

So if you want to block users who use the Roundcube web interface, you must find a way to write wrong attempts from the Roundcube PHP script to mail.log.
I googled it and found something like this: https://mattrude.com/projects/roundcube-fail2ban-plugin/

https://www.roundcubeforum.net/index.php/topic,5002.15.html

but I'm not sure that it works now on modern RC.


elliot46

Thanks.

I am trying to understand and set up what you wrote to me.

Dmitry42

I'll try other words :)

By default Roundcube does not write logs to the system logs - because Roundcube is not a system service - it's an application written in and running as a PHP script. For your mail server (IMAP and SMTP daemons) Roundcube is just a mail client - like your iPhone mail app, or Outlook, or another mail client. If you install another mail client on your server (for example Outlook, Thunderbird or another) - it will be the same as the Roundcube installation.
So that's the reason why your system log contains only IMAP or SMTP messages, and does not contain messages from any mail clients (Roundcube in our case).

BUT

1. You can use a plugin for RC which can write RC messages to the system logs (not sure that it's a good idea - the plugin is too old)
2. You can analyse Roundcube logs with fail2ban - as you use fail2ban to analyse the system mail.log. About this you can read in the link in my previous post.
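As an added illustration of option 2 (not code from this thread, from Roundcube or from fail2ban), here is a Python sketch of what a fail2ban jail does with Roundcube's own errors log: a failregex with a <HOST> capture, a maxretry count inside one findtime window, and an ignoreip check so the server's own 127.0.0.1 from Dmitry42's dovecot example is never banned. The log lines, addresses and regex are constructed assumptions for the example, not fail2ban's shipped roundcube-auth filter.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Roundcube errors log. The line shape (assumed here) is the
# "IMAP Error: Login failed for <user> against <imap host> from <client ip>" entry
# Roundcube writes on a bad web login; the last line is noise that must not match.
ROUNDCUBE_LOG = """\
[15-May-2023 18:06:37 +0300]: <s3ss10n> IMAP Error: Login failed for bob@example.net against localhost from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[15-May-2023 18:06:41 +0300]: <s3ss10n> IMAP Error: Login failed for bob@example.net against localhost from 203.0.113.5. AUTHENTICATE PLAIN: Authentication failed.
[15-May-2023 18:06:50 +0300]: <abcdefgh> IMAP Error: Login failed for alice@example.net against localhost from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed.
[15-May-2023 18:07:02 +0300]: <ijklmnop> IMAP Error: Login failed for eve@example.net against localhost from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed.
[15-May-2023 18:07:05 +0300]: <ijklmnop> IMAP Error: Login failed for eve@example.net against localhost from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed.
[15-May-2023 18:07:10 +0300]: <abcdefgh> PHP Warning: Something unrelated in rcube.php on line 1
"""

# fail2ban-style failregex (an assumption, not fail2ban's shipped roundcube-auth filter);
# <HOST> stands for the client address that fail2ban would ban.
FAILREGEX = (r"^\[(?P<ts>[^\]]+)\]: <\w+> IMAP Error: Login failed for (?P<user>\S+) "
             r"against \S+ from <HOST>\.")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def failed_logins(log_text):
    """Return (timestamp, client ip) for every line matching the failregex."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S %z")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry=2, findtime=timedelta(minutes=10),
                 ignoreip=("127.0.0.1/8",)):
    """Hosts with >= maxretry failures inside one findtime window; addresses in
    ignoreip (the fail2ban setting) are never counted, so the server's own
    127.0.0.1 is not banned even though its failures are in the log."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = set()
    for ts, host in failed_logins(log_text):
        if any(ipaddress.ip_address(host) in n for n in nets):
            continue
        # keep only failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

With the thread's maxretry = 2, only 203.0.113.5 ends up banned; dropping ignoreip would also ban 127.0.0.1, which is the self-ban Dmitry42 warns about.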