1 Topic by fdj (edited by fdj 2017-05-22 21:35:49)

  • fdj
  • Member
  • Offline
  • Registered: 2017-02-15
  • Posts: 14

Topic: Fail2ban doesn't work properly

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6 MARIADB edition.
- Linux/BSD distribution name and version: CentOS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
====

Hello

I wanted to test my system, and it seems that Fail2ban actually don't work properly. I tried to login several times with wrong login credentials, and Fail2ban doesn't see these failed logins.

Please see the below output of /var/mail/log:

[root@mail frederik]# cat /var/log/maillog
[...]
May 21 14:23:36 mail postfix/anvil[6168]: statistics: max cache size 1 at May 21 20:20:15
May 21 14:23:55 mail roundcube: <33sm0ich> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195(X-Forwarded-For: 145.47.201.135). LOGIN: Authentication failed. in /var/www/roundcubemail-1.2.4/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)
May 21 14:24:14 mail roundcube: <33sm0ich> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195(X-Forwarded-For: 6.115.0.189). LOGIN: Authentication failed. in /var/www/roundcubemail-1.2.4/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)
May 21 14:24:42 mail roundcube: <33sm0ich> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195(X-Forwarded-For: 186.210.50.87). LOGIN: Authentication failed. in /var/www/roundcubemail-1.2.4/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)
May 21 14:25:50 mail roundcube: <o53kfqri> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195. LOGIN: Authentication failed. in /var/www/roundcubemail-1.2.4/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)
May 21 14:26:04 mail roundcube: <o53kfqri> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195. LOGIN: Authentication failed. in /var/www/roundcubemail-1.2.4/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login&_action=login)

From above code it seems that the log shows the failed logins, but when I try to look in Fail2ban it doesn't seem to find these failures:

[root@mail frederik]# fail2ban-client status roundcube-iredmail
Status for the jail: roundcube-iredmail
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:    /var/log/maillog
`- Actions
   |- Currently banned:    0
   |- Total banned:    0
   `- Banned IP list:

Any help would be greatly appreciated.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,164

Re: Fail2ban doesn't work properly

Your log is different than a standard iRedMail installation like below:

May 22 05:34:56 mail roundcube: <2dpf56v3> IMAP Error: Login failed for user@domain.com from 47.91.140.173.

Yours:

May 21 14:23:55 mail roundcube: <33sm0ich> IMAP Error: Login failed for frederik@[mydomain].com from 104.254.90.195(X-Forwarded-For: 145.47.201.135). ...

Default filter expects an IP + '.', but got IP + '('. You can fix it by replacing /etc/fail2ban/filter.d/roundcube.iredmail.conf by below one:

[Definition]
failregex = roundcube: (.*) Error: Login failed for (.*) from <HOST>\.
            roundcube: (.*) Error: Login failed for (.*) from <HOST>\(
ignoreregex =

Question: do you have any HAProxy/Nginx running in front of iRedMail as a proxy server?

3 Reply by fdj

  • fdj
  • Member
  • Offline
  • Registered: 2017-02-15
  • Posts: 14

Re: Fail2ban doesn't work properly

Thank you for the answer.

As I have other problems right now with the server, I am not able to test whether it solved the problem, however, I will go back and mark it as solved when I have tested it.

Nevertheless, in regards to your question, I have no HAProxy/Nginx running in front of iRedMail as a proxy server. The only thing I have is a relay server when I send emails, so my emails first goes through that server before getting sent.