Topic: Fail2ban sogo doesn't work
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Fail2ban for SOGo doesn't work.
I can see a lot of attempts for localhost. Localhost (127.0.0.1) is under ignoreip. Is this right?
See my /var/log/sogo/sogo.log file:
Oct 18 08:39:40 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:40 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.035 - - 2M
Oct 18 08:39:43 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:43 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.008 - - 0
Oct 18 08:39:46 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:46 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.009 - - 0
Oct 18 08:39:48 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:48 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.007 - - 0
Oct 18 08:39:49 sogod [13814]: <0x0x7fc693b77420[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes in Ping...
Oct 18 08:39:50 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:50 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.007 - - 0
Oct 18 08:39:54 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:54 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.010 - - 0
Oct 18 08:39:55 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Oct 18 08:39:55 sogod [13818]: localhost "POST /SOGo/connect HTTP/1.0" 403 34/59 0.009 - - 0
My /etc/fail2ban/jail.local file:
[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime = 3600
bantime = 86400
maxretry = 5
ignoreip = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 46.101.59.197
[sshd]
enabled = true
filter = sshd
action = iptables-multiport[name=sshd, port="2828", protocol=tcp]
logpath = /var/log/auth.log
[sshd-ddos]
enabled = true
filter = sshd-ddos
action = iptables-multiport[name=sshd-ddos, port="2828", protocol=tcp]
logpath = /var/log/auth.log
[roundcube-iredmail]
enabled = true
filter = roundcube.iredmail
action = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
findtime = 3600
[dovecot-iredmail]
enabled = true
filter = dovecot.iredmail
action = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/dovecot.log
[postfix-iredmail]
enabled = true
filter = postfix.iredmail
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=root, sender=fail2ban@localhost]
logpath = /var/log/mail.log
[sogo-iredmail]
enabled = true
filter = sogo-auth
action = iptables-multiport[name=sogo, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/sogo/sogo.log
My filter file at /etc/fail2ban/filter.d/sogo-auth.conf:
[Definition]
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
ignoreregex =
The output of fail2ban-regex:
fail2ban-regex /var/log/sogo/sogo.log /etc/fail2ban/filter.d/sogo-auth.conf
Use failregex file : /etc/fail2ban/filter.d/sogo-auth.conf
Use log file : /var/log/sogo/sogo.log
Results
=======
Failregex: 16 total
|- #) [# of hits] regular expression
| 1) [16] ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [198] MONTH Day Hour:Minute:Second
`-
Lines: 198 lines, 0 ignored, 8 matched, 190 missed
Missed line(s): too many to print. Use --print-all-missed to print all 190 lines
Have you any ideas?
wynni
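The log lines and the jail above can be replayed without fail2ban to see exactly what the filter does with them. The script below is an added example (not the poster's configuration and not fail2ban's own code): it strips the date the way the reported date template does, expands `<HOST>` with the host pattern fail2ban 0.9 uses, runs the post's failregex over constructed sample lines shaped like the quoted sogo.log, and then checks each captured host against the post's ignoreip list. The `HOSTNAME_MAP` table is a stand-in for the DNS lookup fail2ban performs on a non-IP `<HOST>` (so the example runs offline), and the five extra lines from 203.0.113.7 (a documentation address, constructed here) are added only to show what a non-ignored client would look like; findtime is not modelled, all lines are assumed to fall inside one window.

```python
import ipaddress
import re

# Date template reported by fail2ban-regex ("MONTH Day Hour:Minute:Second").
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# What fail2ban 0.9 substitutes for <HOST>: optional IPv4-mapped prefix, then a host group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post with <HOST> expanded.
FAILREGEX = re.compile(
    r"^ sogod \[\d+\]: SOGoRootPage Login from '" + HOST_RE
    + r"' for user '.*' might not have worked"
    + r"( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$"
)

# ignoreip exactly as set in the post's jail.local [DEFAULT] section.
IGNOREIP = "127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 46.101.59.197"
IGNORE_NETS = [ipaddress.ip_network(e, strict=False) for e in IGNOREIP.split()]

# Assumption: fail2ban resolves a non-IP <HOST> through DNS (usedns); this constructed
# table stands in for that lookup so the example runs offline.
HOSTNAME_MAP = {"localhost": "127.0.0.1"}

# Constructed sample: three lines in the shape of the post's sogo.log, two non-login
# lines, then five attempts from a made-up external address (203.0.113.7).
SAMPLE_LOG = "\n".join([
    "Oct 18 08:39:40 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:39:40 sogod [13818]: localhost \"POST /SOGo/connect HTTP/1.0\" 403 34/59 0.035 - - 2M",
    "Oct 18 08:39:43 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:39:46 sogod [13818]: SOGoRootPage Login from 'localhost' for user 'asdasd' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:39:49 sogod [13814]: <0x0x7fc693b77420[SOGoActiveSyncDispatcher]> Sleeping 30 seconds while detecting changes in Ping...",
    "Oct 18 08:40:01 sogod [13818]: SOGoRootPage Login from '203.0.113.7' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:40:03 sogod [13818]: SOGoRootPage Login from '203.0.113.7' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:40:05 sogod [13818]: SOGoRootPage Login from '203.0.113.7' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:40:07 sogod [13818]: SOGoRootPage Login from '203.0.113.7' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
    "Oct 18 08:40:09 sogod [13818]: SOGoRootPage Login from '203.0.113.7' for user 'admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0",
])


def strip_date(line):
    """Remove the timestamp the way fail2ban's date template does; None if no date found."""
    m = DATE_RE.match(line)
    return line[m.end():] if m else None


def match_failure(line):
    """Return the <HOST> captured by failregex, or None when the line is not a failed login."""
    rest = strip_date(line)
    if rest is None:
        return None
    m = FAILREGEX.match(rest)
    return m.group("host") if m else None


def resolve(host):
    """An IP literal passes through; a hostname goes through the stand-in lookup table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return HOSTNAME_MAP.get(host)


def is_ignored(ip):
    """True when the address falls inside any ignoreip entry."""
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in IGNORE_NETS)


def evaluate(log_text):
    """One record per failregex hit: host as logged, resolved IP, and whether ignoreip exempts it."""
    hits = []
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None:
            continue
        ip = resolve(host)
        hits.append({"host": host, "ip": ip, "ignored": is_ignored(ip)})
    return hits


def bannable(log_text, maxretry=5):
    """Addresses reaching maxretry non-ignored hits (all lines assumed inside one findtime window)."""
    counts = {}
    for hit in evaluate(log_text):
        if hit["ignored"] or hit["ip"] is None:
            continue
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG):
        print(f"{hit['host']:<14} -> {str(hit['ip']):<14} ignored={hit['ignored']}")
    print("would be banned:", bannable(SAMPLE_LOG))
```

Running it shows the shape of the problem from the defender's side: the filter does match every "might not have worked" line (which is why fail2ban-regex reports hits), but each host it captures from the quoted log is `localhost`, which resolves into the loopback entries of ignoreip, so no ban can ever be issued for those lines. Only when the address of the actual client appears in the `Login from '...'` field, as in the constructed 203.0.113.7 lines, does the jail have anything to act on. With SOGo sitting behind a local reverse proxy, the address SOGo records is the one it sees on the socket, so the useful check is whether the proxy hands the real client address through to SOGo in a way SOGo is configured to log; until the log carries that address, widening the filter or shortening ignoreip would not change the outcome.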