From 0141a7500f30c9f5c178a4e66a4a4fd9d4f018d0 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 10 Feb 2023 11:10:14 +0100 Subject: [PATCH 1/8] Fix the regexps --- docs/faq.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index c73304b0..684cde68 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -566,7 +566,7 @@ follow these steps: # Fail2Ban configuration file [Definition] - failregex = .* client login failed: .+ client:\ + failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "[\"]+" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front @@ -600,7 +600,7 @@ The above will block flagged IPs for a week, you can of course change it to your # Fail2Ban configuration file [Definition] - failregex = .* Login failed for .+ from . + failregex = : Login failed for .*? from \.$ ignoreregex = journalmatch = CONTAINER_TAG=mailu-admin @@ -625,7 +625,7 @@ The above will block flagged IPs for a week, you can of course change it to your # Fail2Ban configuration file [Definition] - failregex = .* Invalid API token provided by . + failregex = Invalid API token provided by \.$ ignoreregex = journalmatch = CONTAINER_TAG=mailu-admin From 6191d3b59e58e837cf615a210913fa0119a6df40 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 10 Feb 2023 11:52:08 +0100 Subject: [PATCH 2/8] Simplify --- docs/faq.rst | 112 +++++++++++++++++++-------------------------------- 1 file changed, 41 insertions(+), 71 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index 684cde68..d7b5b5f4 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -560,32 +560,55 @@ follow these steps: options: tag: mailu-front -2. Add the /etc/fail2ban/filter.d/bad-auth.conf +2. Add the /etc/fail2ban/filter.d/bad-auth-bots.conf .. code-block:: bash # Fail2Ban configuration file [Definition] - failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "[\"]+" while in http auth state, client: , server: + failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front -3. Add the /etc/fail2ban/jail.d/bad-auth.conf +3. Add the /etc/fail2ban/jail.d/bad-auth-bots.conf .. code-block:: bash - [bad-auth] + [bad-auth-bots] enabled = true backend = systemd - filter = bad-auth + filter = bad-auth-bots bantime = 604800 - findtime = 300 - maxretry = 10 - action = docker-action + findtime = 600 + maxretry = 5 + action = docker-action-net The above will block flagged IPs for a week, you can of course change it to your needs. -4. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin +5. Add the following to /etc/fail2ban/action.d/docker-action-net.conf + +IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. + +See ipset homepage for details on ipset, https://ipset.netfilter.org/. + +.. code-block:: bash + + [Definition] + + actionstart = ipset --create f2b-bad-auth-bots nethash + iptables -I DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP + + actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth-bots src -p tcp -m tcp --dport 25 -j DROP + ipset --destroy f2b-bad-auth-bots + + + actionban = ipset add -exist f2b-bad-auth-bots /24 + + actionunban = ipset del -exist f2b-bad-auth-bots /24 + +Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ + +6. 
In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin .. code-block:: bash 
@@ -594,90 +617,37 @@ The above will block flagged IPs for a week, you can of course change it to your options: tag: mailu-admin -5. Add the /etc/fail2ban/filter.d/bad-auth-sso.conf +7. Add the /etc/fail2ban/filter.d/bad-auth.conf .. code-block:: bash # Fail2Ban configuration file [Definition] - failregex = : Login failed for .*? from \.$ + failregex = : Authentication attempt from has been rate-limited\.$ ignoreregex = journalmatch = CONTAINER_TAG=mailu-admin -6. Add the /etc/fail2ban/jail.d/bad-auth-sso.conf +6. Add the /etc/fail2ban/jail.d/bad-auth.conf .. code-block:: bash - [bad-auth-sso] + [bad-auth] enabled = true backend = systemd - filter = bad-auth-sso + filter = bad-auth bantime = 604800 - findtime = 300 - maxretry = 10 + findtime = 900 + maxretry = 15 action = docker-action The above will block flagged IPs for a week, you can of course change it to your needs. -7. Add the /etc/fail2ban/filter.d/bad-auth-api.conf +7. Add the following to /etc/fail2ban/action.d/docker-action.conf -.. code-block:: bash - - # Fail2Ban configuration file - [Definition] - failregex = Invalid API token provided by \.$ - ignoreregex = - journalmatch = CONTAINER_TAG=mailu-admin - -8. Add the /etc/fail2ban/jail.d/bad-auth-api.conf - -.. code-block:: bash - - [bad-auth-api] - enabled = true - backend = systemd - filter = bad-auth-api - bantime = 604800 - findtime = 300 - maxretry = 10 - action = docker-action - -The above will block flagged IPs for a week, you can of course change it to your needs. - -9. Add the /etc/fail2ban/action.d/docker-action.conf - -Option 1: Use plain iptables - -.. 
code-block:: bash - - [Definition] - - actionstart = iptables -N f2b-bad-auth - iptables -A f2b-bad-auth -j RETURN - iptables -I DOCKER-USER -j f2b-bad-auth - - actionstop = iptables -D DOCKER-USER -j f2b-bad-auth - iptables -F f2b-bad-auth - iptables -X f2b-bad-auth - - actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]' - - actionban = iptables -I f2b-bad-auth 1 -s -j DROP - - actionunban = iptables -D f2b-bad-auth -s -j DROP - -Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ - -Option 2: Use ipset together with iptables IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. See ipset homepage for details on ipset, https://ipset.netfilter.org/. -ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules. -There is just one rule for the bad authentications and the IPs are within the ipset. -Specially in larger setups with a high amount of brute force attacks this comes in handy. -Using iptables with ipset might reduce the system load in such attacks significantly. - .. code-block:: bash [Definition] @@ -695,7 +665,7 @@ Using iptables with ipset might reduce the system load in such attacks significa Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ -10. Configure and restart the Fail2Ban service +8. Configure and restart the Fail2Ban service Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. From c55a06f85d36072028c190a09a35278a0a3b41f0 Mon Sep 17 00:00:00 2001 
From: Florent Daigniere Date: Fri, 10 Feb 2023 11:52:59 +0100 Subject: [PATCH 3/8] towncrier --- towncrier/newsfragments/2660.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 towncrier/newsfragments/2660.misc diff --git a/towncrier/newsfragments/2660.misc b/towncrier/newsfragments/2660.misc new file mode 100644 index 00000000..80905f3d --- /dev/null +++ b/towncrier/newsfragments/2660.misc @@ -0,0 +1 @@ +Change the instructions on how to setup fail2ban From b623e1f28652e8fa84211ae54d1bce4c692247bc Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 10 Feb 2023 12:09:25 +0100 Subject: [PATCH 4/8] The date matcher seems to fail sometimes --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index d7b5b5f4..b28d5615 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -566,7 +566,7 @@ follow these steps: # Fail2Ban configuration file [Definition] - failregex = ^\[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: , server: + failregex = ^.*?\[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front From 65288d7291cf5e5dfe2cf8f2edc55a2aae7f90eb Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Fri, 10 Feb 2023 14:30:48 +0100 Subject: [PATCH 5/8] Escape this just in case --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index b28d5615..a92c060c 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -566,7 +566,7 @@ follow these steps: # Fail2Ban configuration file [Definition] - failregex = ^.*?\[info\] \d+#\d+: \*\d+ client login failed: "AUTH not supported" while in http auth state, client: , server: + failregex = ^.*?\[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front 
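Review bot: In patch 1's front failregex, the character class `[\"]` contains only the double-quote character, so `"[\"]+"` matches a run of three or more quotes and never the real message text `"AUTH not supported"`; patch 2 substitutes the literal string, so this intermediate version should not land on its own. As rendered here the same regex also reads `client: , server:` with nothing between `client:` and the comma; fail2ban needs a `<HOST>` tag there to extract the address, so make sure it is present in the committed file.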
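Review bot: In patch 2's `docker-action-net.conf`, `actionstart` runs `ipset --create f2b-bad-auth-bots nethash` without `-exist` and the action defines no `actioncheck`, while the neighbouring `docker-action.conf` keeps `actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]'`. After an unclean fail2ban stop the leftover set makes the jail fail to start, and if the DOCKER-USER rule is lost by a firewall reload fail2ban keeps adding entries to a set nothing references. Suggest `ipset create -exist f2b-bad-auth-bots hash:net` plus an `actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth-bots'`. Note also that `nethash` (inet family by default) and `iptables` only cover IPv4: for an IPv6 address the `/24` appended in `actionban` is meaningless and `ipset add` fails, so either state that this action is IPv4-only or add an `ip6tables`/`family inet6` variant. Finally, the steps in this hunk run 2, 3, 5 with no 4; patch 8 renumbers them, so squash that in.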
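Review bot: In patch 2's second hunk the new `bad-auth` filter matches only the `Authentication attempt from ... has been rate-limited` message, so the jail now counts hits of Mailu's own rate limiter rather than individual failed passwords, and `maxretry = 15` means 15 such events. The FAQ text kept in context (patch 6 still reads "The ``Admin`` container logs failed logon attempt on the single sign on page") should say this, or readers will expect a ban after 15 wrong passwords. The same hunk drops the `bad-auth-api` filter and jail (`Invalid API token provided by`) with no replacement; if the rate-limit message also covers API token failures, say so in the text, otherwise API brute force is no longer banned.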
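Review bot: Patches 4 and 5 loosen the front failregex to `^.*?\[info\] ...`; a lazy `.*?` directly after `^` makes the anchor meaningless, so this is an unanchored match that looks anchored. The commit says the date matcher fails sometimes; the fail2ban way to handle that is a `datepattern` (or `prefregex`) line in the filter rather than a catch-all prefix, and patch 7 ends up spelling out the journal prefix anyway, so fold these two commits into it. The `\"` escaping added in patch 5 is a no-op (`\"` and `"` are the same pattern in Python `re`) but harmless.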
From a973fffa9e715045bdf7e966bf0fdc4b4a2093b4 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sat, 11 Mar 2023 11:38:18 +0100 Subject: [PATCH 6/8] fixes suggested by diman0 --- docs/faq.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index a92c060c..b7a88564 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -538,14 +538,14 @@ down brute force attacks. The same applies to login attempts via the single sign We *do* provide a possibility to export the logs from the ``front`` service and ``Admin`` service to the host. The ``front`` container logs failed logon attempts on SMTP, IMAP and POP3. -The ``Admin``container logs failed logon attempt on the single sign on page. +The ``Admin`` container logs failed logon attempt on the single sign on page. For this you need to set ``LOG_DRIVER=journald`` or ``syslog``, depending on the log manager of the host. You will need to setup the proper Regex in the Fail2Ban configuration. Below an example how to do so. If you use a reverse proxy in front of Mailu, it is vital to set the environment variables REAL_IP_HEADER and REAL_IP_FROM. Without these environment variables, Mailu will not trust the remote client IP passed on by the reverse proxy and as a result your reverse proxy will be banned. -See the :ref:`[configuration reference ` for more information. +See the :ref:`configuration reference ` for more information. Assuming you have a working Fail2Ban installation on the host running your Docker containers, From 331bda38223b0f3d07bc306cb1228fe4d9d16476 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 12 Mar 2023 12:06:27 +0100 Subject: [PATCH 7/8] the space may or may not exist --- docs/faq.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.rst b/docs/faq.rst index 61893e31..ace068a4 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -566,7 +566,7 @@ follow these steps: # Fail2Ban configuration file [Definition] - failregex = ^ \S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: , server: + failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: , server: ignoreregex = journalmatch = CONTAINER_TAG=mailu-front From d9527e561e5d02cda2501313284553c7e6ef26d2 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Sun, 12 Mar 2023 12:39:27 +0100 Subject: [PATCH 8/8] Renumber and clarify --- docs/faq.rst | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index ace068a4..e5d57cef 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -585,7 +585,7 @@ follow these steps: The above will block flagged IPs for a week, you can of course change it to your needs. -4. In the mailu docker compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin +4. Add the following to /etc/fail2ban/action.d/docker-action-net.conf IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. 
@@ -606,9 +606,11 @@ See ipset homepage for details on ipset, https://ipset.netfilter.org/. actionunban = ipset del -exist f2b-bad-auth-bots /24 -Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ +Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/. -6. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin +Please note that the provided example will block the subnet from sending any email to the Mailu instance. + +5. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin .. code-block:: bash @@ -617,7 +619,7 @@ Using DOCKER-USER chain ensures that the blocked IPs are processed in the correc options: tag: mailu-admin -7. Add the /etc/fail2ban/filter.d/bad-auth.conf +6. Add the /etc/fail2ban/filter.d/bad-auth.conf .. code-block:: bash @@ -627,7 +629,7 @@ Using DOCKER-USER chain ensures that the blocked IPs are processed in the correc ignoreregex = journalmatch = CONTAINER_TAG=mailu-admin -6. Add the /etc/fail2ban/jail.d/bad-auth.conf +7. Add the /etc/fail2ban/jail.d/bad-auth.conf .. code-block:: bash @@ -642,11 +644,7 @@ Using DOCKER-USER chain ensures that the blocked IPs are processed in the correc The above will block flagged IPs for a week, you can of course change it to your needs. -7. Add the following to /etc/fail2ban/action.d/docker-action.conf - -IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. - -See ipset homepage for details on ipset, https://ipset.netfilter.org/. +8. Add the following to /etc/fail2ban/action.d/docker-action.conf .. code-block:: bash 
@@ -665,7 +663,7 @@ See ipset homepage for details on ipset, https://ipset.netfilter.org/. Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ -8. Configure and restart the Fail2Ban service +9. Configure and restart the Fail2Ban service Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.
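Review bot: The context of patch 6's hunk still tells readers to set ``LOG_DRIVER=journald`` or ``syslog``, "depending on the log manager of the host", but every filter below uses `journalmatch = CONTAINER_TAG=...` and every jail uses `backend = systemd`, which only work with journald. Either drop the syslog alternative here or add a sentence saying the syslog route needs a `logpath` with `backend = auto` and no `journalmatch`. The `[configuration reference` typo fix is fine.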
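Review bot: Patch 7's regex hardcodes the identifier `mailu\-front\[\d+\]` even though `journalmatch = CONTAINER_TAG=mailu-front` already restricts the journal to that tag; anyone who renames the tag in step 1 must now edit two places, and the failure mode is silent (nothing matches, nothing is banned). Suggest `\S+\[\d+\]:` for the identifier or a sentence in the text saying the two must agree. Style: `\-` outside a character class is an unnecessary escape; `mailu-front` reads the same.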
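Review bot: Patch 8's new caveat "will block the subnet from sending any email to the Mailu instance" is imprecise in both directions: the `--dport 25` in `docker-action-net` drops only SMTP on port 25, so submission on 465/587 and IMAP/POP from the banned range still work (presumably intended, since the trigger is bots hitting SMTP AUTH), and "the subnet" is a whole `/24` banned on the strength of one address, which will take out legitimate senders sharing that range. Suggest stating the port scope and the /24 collateral explicitly, next to the fact that `iptables` plus `nethash` makes this IPv4-only. The renumbering itself now reads in order.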