diff --git a/docs/faq.rst b/docs/faq.rst index 93bc384e..e5d57cef 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -538,14 +538,14 @@ down brute force attacks. The same applies to login attempts via the single sign We *do* provide a possibility to export the logs from the ``front`` service and ``Admin`` service to the host. The ``front`` container logs failed logon attempts on SMTP, IMAP and POP3. -The ``Admin``container logs failed logon attempt on the single sign on page. +The ``Admin`` container logs failed logon attempt on the single sign on page. For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration. Below an example how to do so. If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy and as a result your reverse proxy will be banned. -See the :ref:`[configuration reference ` for more information. +See the :ref:`configuration reference ` for more information. Assuming you have a working Fail2Ban installation on the host running your Docker containers, @@ -560,32 +560,57 @@ follow these steps: options: tag: mailu-front -2. Add the /etc/fail2ban/filter.d/bad-auth.conf +2. Add the /etc/fail2ban/filter.d/bad-auth-bots.conf .. code-block:: bash # Fail2Ban configuration file [Definition] - failregex = .* client login failed: .+ client:\ + failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front -3. Add the /etc/fail2ban/jail.d/bad-auth.conf +3. Add the /etc/fail2ban/jail.d/bad-auth-bots.conf .. code-block:: bash - [bad-auth] + [bad-auth-bots] enabled = true backend = systemd - filter = bad-auth + filter = bad-auth-bots bantime = 604800 - findtime = 300 - maxretry = 10 - action = docker-action + findtime = 600 + maxretry = 5 + action = docker-action-net The above will block flagged IPs for a week, you can of course change it to your needs. -4. In the mailu docker compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin +4. Add the following to /etc/fail2ban/action.d/docker-action-net.conf + +IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. + +See ipset homepage for details on ipset, https://ipset.netfilter.org/. + +.. code-block:: bash + + [Definition] + + actionstart = ipset --create f2b-bad-auth-bots nethash + iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP + + actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP + ipset --destroy f2b-bad-auth-bots + + + actionban = ipset add -exist f2b-bad-auth-bots /24 + + actionunban = ipset del -exist f2b-bad-auth-bots /24 + +Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/. + +Please note that the provided example will block the subnet from sending any email to the Mailu instance. + +5. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin .. code-block:: bash @@ -594,89 +619,32 @@ The above will block flagged IPs for a week, you can of course change it to your options: tag: mailu-admin -5. Add the /etc/fail2ban/filter.d/bad-auth-sso.conf +6. Add the /etc/fail2ban/filter.d/bad-auth.conf .. code-block:: bash # Fail2Ban configuration file [Definition] - failregex = .* Login failed for .+ from . + failregex = : Authentication attempt from has been rate-limited\.$ ignoreregex = journalmatch = CONTAINER_TAG=mailu-admin -6. Add the /etc/fail2ban/jail.d/bad-auth-sso.conf +7. Add the /etc/fail2ban/jail.d/bad-auth.conf .. code-block:: bash - [bad-auth-sso] + [bad-auth] enabled = true backend = systemd - filter = bad-auth-sso + filter = bad-auth bantime = 604800 - findtime = 300 - maxretry = 10 + findtime = 900 + maxretry = 15 action = docker-action The above will block flagged IPs for a week, you can of course change it to your needs. -7. Add the /etc/fail2ban/filter.d/bad-auth-api.conf - -.. code-block:: bash - - # Fail2Ban configuration file - [Definition] - failregex = .* Invalid API token provided by . - ignoreregex = - journalmatch = CONTAINER_TAG=mailu-admin - -8. Add the /etc/fail2ban/jail.d/bad-auth-api.conf - -.. code-block:: bash - - [bad-auth-api] - enabled = true - backend = systemd - filter = bad-auth-api - bantime = 604800 - findtime = 300 - maxretry = 10 - action = docker-action - -The above will block flagged IPs for a week, you can of course change it to your needs. - -9. Add the /etc/fail2ban/action.d/docker-action.conf - -Option 1: Use plain iptables - -.. code-block:: bash - - [Definition] - - actionstart = iptables -N f2b-bad-auth - iptables -A f2b-bad-auth -j RETURN - iptables -I DOCKER-USER -j f2b-bad-auth - - actionstop = iptables -D DOCKER-USER -j f2b-bad-auth - iptables -F f2b-bad-auth - iptables -X f2b-bad-auth - - actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]' - - actionban = iptables -I f2b-bad-auth 1 -s -j DROP - - actionunban = iptables -D f2b-bad-auth -s -j DROP - -Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ - -Option 2: Use ipset together with iptables -IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. - -See ipset homepage for details on ipset, https://ipset.netfilter.org/. - -ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules. -There is just one rule for the bad authentications and the IPs are within the ipset. -Specially in larger setups with a high amount of brute force attacks this comes in handy. -Using iptables with ipset might reduce the system load in such attacks significantly. +8. Add the following to /etc/fail2ban/action.d/docker-action.conf .. code-block:: bash @@ -695,7 +663,7 @@ Using iptables with ipset might reduce the system load in such attacks significa Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ -10. Configure and restart the Fail2Ban service +9. Configure and restart the Fail2Ban service Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. diff --git a/towncrier/newsfragments/2660.misc b/towncrier/newsfragments/2660.misc new file mode 100644 index 00000000..80905f3d --- /dev/null +++ b/towncrier/newsfragments/2660.misc @@ -0,0 +1 @@ +Change the instructions on how to setup fail2ban