main
Florent Daigniere 2 years ago
parent 0141a7500f
commit 6191d3b59e

@ -560,32 +560,55 @@ follow these steps:
options: options:
tag: mailu-front tag: mailu-front
2. Add the /etc/fail2ban/filter.d/bad-auth.conf 2. Add the /etc/fail2ban/filter.d/bad-auth-bots.conf
.. code-block:: bash .. code-block:: bash
# Fail2Ban configuration file # Fail2Ban configuration file
[Definition] [Definition]
failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "[\"]+" while in http auth state, client: <HOST>, server: failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: <HOST>, server:
ignoreregex = ignoreregex =
journalmatch = CONTAINER_TAG=mailu-front journalmatch = CONTAINER_TAG=mailu-front
3. Add the /etc/fail2ban/jail.d/bad-auth.conf 3. Add the /etc/fail2ban/jail.d/bad-auth-bots.conf
.. code-block:: bash .. code-block:: bash
[bad-auth] [bad-auth-bots]
enabled = true enabled = true
backend = systemd backend = systemd
filter = bad-auth filter = bad-auth-bots
bantime = 604800 bantime = 604800
findtime = 300 findtime = 600
maxretry = 10 maxretry = 5
action = docker-action action = docker-action-net
The above will block flagged IPs for a week, you can of course change it to your needs. The above will block flagged IPs for a week, you can of course change it to your needs.
4. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin 5. Add the following to /etc/fail2ban/action.d/docker-action-net.conf
IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
See ipset homepage for details on ipset, https://ipset.netfilter.org/.
.. code-block:: bash
[Definition]
actionstart = ipset --create f2b-bad-auth-bots nethash
iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP
ipset --destroy f2b-bad-auth-bots
actionban = ipset add -exist f2b-bad-auth-bots <ip>/24
actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
6. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin
.. code-block:: bash .. code-block:: bash
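Review bot: the new docker-action-net action bans a whole /24 from a single offending client (`actionban = ipset add -exist f2b-bad-auth-bots <ip>/24`), so one bot in a shared hosting or carrier range blocks every legitimate mail server in that range on port 25 for the full 604800 second bantime; the paragraph before the action should say this explicitly and tell readers to use `<ip>` instead of `<ip>/24` if they want per-host bans (a nethash set accepts single addresses as /32). Two smaller points in the same hunk: `actionstart = ipset --create f2b-bad-auth-bots nethash` fails when the set still exists after an unclean fail2ban restart, so `ipset create -exist f2b-bad-auth-bots hash:net` is the safer form, and unlike docker-action this action defines no actioncheck, so fail2ban cannot notice the DOCKER-USER rule disappearing and re-run actionstart. Also the renumbered list jumps from step 3 to step 5; step 4 is missing.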
@ -594,90 +617,37 @@ The above will block flagged IPs for a week, you can of course change it to your
options: options:
tag: mailu-admin tag: mailu-admin
5. Add the /etc/fail2ban/filter.d/bad-auth-sso.conf 7. Add the /etc/fail2ban/filter.d/bad-auth.conf
.. code-block:: bash .. code-block:: bash
# Fail2Ban configuration file # Fail2Ban configuration file
[Definition] [Definition]
failregex = : Login failed for .*? from <HOST>\.$ failregex = : Authentication attempt from <HOST> has been rate-limited\.$
ignoreregex = ignoreregex =
journalmatch = CONTAINER_TAG=mailu-admin journalmatch = CONTAINER_TAG=mailu-admin
6. Add the /etc/fail2ban/jail.d/bad-auth-sso.conf 6. Add the /etc/fail2ban/jail.d/bad-auth.conf
.. code-block:: bash .. code-block:: bash
[bad-auth-sso] [bad-auth]
enabled = true enabled = true
backend = systemd backend = systemd
filter = bad-auth-sso filter = bad-auth
bantime = 604800 bantime = 604800
findtime = 300 findtime = 900
maxretry = 10 maxretry = 15
action = docker-action action = docker-action
The above will block flagged IPs for a week, you can of course change it to your needs. The above will block flagged IPs for a week, you can of course change it to your needs.
7. Add the /etc/fail2ban/filter.d/bad-auth-api.conf 7. Add the following to /etc/fail2ban/action.d/docker-action.conf
.. code-block:: bash
# Fail2Ban configuration file
[Definition]
failregex = Invalid API token provided by <HOST>\.$
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-admin
8. Add the /etc/fail2ban/jail.d/bad-auth-api.conf
.. code-block:: bash
[bad-auth-api]
enabled = true
backend = systemd
filter = bad-auth-api
bantime = 604800
findtime = 300
maxretry = 10
action = docker-action
The above will block flagged IPs for a week, you can of course change it to your needs.
9. Add the /etc/fail2ban/action.d/docker-action.conf
Option 1: Use plain iptables
.. code-block:: bash
[Definition]
actionstart = iptables -N f2b-bad-auth
iptables -A f2b-bad-auth -j RETURN
iptables -I DOCKER-USER -j f2b-bad-auth
actionstop = iptables -D DOCKER-USER -j f2b-bad-auth
iptables -F f2b-bad-auth
iptables -X f2b-bad-auth
actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]'
actionban = iptables -I f2b-bad-auth 1 -s <ip> -j DROP
actionunban = iptables -D f2b-bad-auth -s <ip> -j DROP
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
Option 2: Use ipset together with iptables
IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
See ipset homepage for details on ipset, https://ipset.netfilter.org/. See ipset homepage for details on ipset, https://ipset.netfilter.org/.
ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules.
There is just one rule for the bad authentications and the IPs are within the ipset.
Specially in larger setups with a high amount of brute force attacks this comes in handy.
Using iptables with ipset might reduce the system load in such attacks significantly.
.. code-block:: bash .. code-block:: bash
[Definition] [Definition]
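Review bot: the step numbering in this hunk is out of order: the new text reads `7. Add the /etc/fail2ban/filter.d/bad-auth.conf`, then `6. Add the /etc/fail2ban/jail.d/bad-auth.conf`, then `7. Add the following to /etc/fail2ban/action.d/docker-action.conf`, while the next hunk continues at 8; renumber the whole sequence once the missing step 4 above is resolved. Second, the "IMPORTANT: You have to install ipset" prerequisite and the ipset homepage link are now repeated verbatim under both docker-action-net and docker-action; state the prerequisite once, before the first action that needs it. Third, dropping the bad-auth-sso and bad-auth-api filters means failed SSO logins and invalid API tokens only lead to a ban once the admin container logs `Authentication attempt from <HOST> has been rate-limited`; one sentence explaining that the admin rate-limiter is now the single signal for this jail would help readers upgrading from the old filters. Finally, the four removed sentences beginning "ipset and iptables provide one big advantage" go away together with the plain-iptables option; keep one sentence of that rationale, since the ipset variant is now the only action shown.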
@ -695,7 +665,7 @@ Using iptables with ipset might reduce the system load in such attacks significa
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
10. Configure and restart the Fail2Ban service 8. Configure and restart the Fail2Ban service
Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.