Merge #1269

1269: Add Fail2Ban section r=hoellen a=iohenkies ## What type of PR? documentation ## What does this PR do? This PR adds documentation to setup Fail2Ban to secure Mailu. ### Related issue(s) - closes #1263 ## Prerequistes Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/guide.html#changelog) entry file. edit [@hoellen]: Give information about the PR and link issue. Co-authored-by: iohenkies <33115951+iohenkies@users.noreply.github.com>
4 years ago · 0bc10b7bc5
parent 9db709515a ae6f82984d
commit 0bc10b7bc5
1 changed files with 62 additions and 2 deletions
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -443,8 +443,68 @@ down brute force attacks.
 We *do* provide a possibility to export the logs from the ``front`` service to the host.
 For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log
 manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration.
-Be aware that webmail authentication appears to come from the Docker network,
-so don't ban those addresses!
+Below an example how to do so. Be aware that webmail authentication appears to come from the
+Docker network, so don't ban those addresses!
+
+Assuming you have a working Fail2Ban installation on the host running your Docker containers,
+follow these steps:
+
+1. In the mailu docker-compose set the logging driver of the front container to journald
+
+.. code-block:: bash
+
+  logging:
+    driver: journald
+
+2. Add the /etc/fail2ban/jail.d/bad-auth.conf
+
+.. code-block:: bash
+
+  # Fail2Ban configuration file
+  [Definition]
+  failregex = .* client login failed: .+ client:\ <HOST>
+  ignoreregex =
+
+3. Add the /etc/fail2ban/jail.d/bad-auth.conf
+
+.. code-block:: bash
+
+  [bad-auth]
+  enabled = true
+  filter = bad-auth
+  logpath = /var/log/messages
+  bantime = 604800
+  findtime = 300
+  maxretry = 10
+  action = docker-action
+
+The above will block flagged IPs for a week, you can of course change it to you needs.
+
+4. Add the /etc/fail2ban/action.d/docker-action.conf
+
+.. code-block:: bash
+
+  [Definition]
+  
+  actionstart = iptables -N f2b-bad-auth
+                iptables -A f2b-bad-auth -j RETURN
+                iptables -I FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+  
+  actionstop = iptables -D FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+               iptables -F f2b-bad-auth
+               iptables -X f2b-bad-auth
+  
+  actioncheck = iptables -n -L FORWARD | grep -q 'f2b-bad-auth[ \t]'
+  
+  actionban = iptables -I f2b-bad-auth 1 -s <ip> -j DROP
+  
+  actionunban = iptables -D f2b-bad-auth -s <ip> -j DROP
+
+5. Restart Fail2Ban
+
+.. code-block:: bash
+
+  sudo systemctl restart fail2ban

 *Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_.