1 (edited by baerengraben 2021-01-30 18:42:54)

Topic: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-64-generic x86_64)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi

I just did a new installation of iRedMail on a newly installed Ubuntu 20.04.1 LTS. After finishing the installation of iRedMail, I noticed that the iRedMail rules for iptables (/etc/default/iptables) are not active at all.

This is what /iRedMail-1.3.2/runtime/install.log says:

[ INFO ] Copy firewall sample rules.
+ < DEBUG > Service control: enable iptables.
Failed to enable unit: Unit file iptables.service does not exist.
+ < DEBUG > Service control: enable ip6tables.
Failed to enable unit: Unit file ip6tables.service does not exist.
[ INFO ] Restarting firewall ...
+ < DEBUG > Service control: restart iptables.
Failed to restart iptables.service: Unit iptables.service not found.
+ < DEBUG > Service control: restart ip6tables.
Failed to restart ip6tables.service: Unit ip6tables.service not found.

As far as I understand, Ubuntu uses ufw and has no "service" for iptables (anymore?).

How can I activate the rules for hardening the iRedMail server? Maybe the rules should be installed by ufw?


2

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

Also having a firewall issue on Ubuntu 20.04.

$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  123-123-123-123.abc.example.com  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Shouldn't there be many more rules here?

3

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

Ubuntu 20.04 uses "nftables" (same as Debian 10), not "iptables".

4

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

Looks like I don't have nftables installed at all and the server is a fresh Ubuntu 20.04 with only iRedMail installed. Should iRedMail install and configure this automatically?

I used unattended install with AUTO_CLEANUP_REPLACE_FIREWALL_RULES=y and AUTO_CLEANUP_RESTART_FIREWALL=y

5

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

Just did a fresh install to test this out without unattended install and got the same errors as @baerengraben:

[ INFO ] Copy firewall sample rules.
 + < DEBUG > Service control: enable iptables.
Failed to enable unit: Unit file iptables.service does not exist.
 + < DEBUG > Service control: enable ip6tables.
Failed to enable unit: Unit file ip6tables.service does not exist.
[ INFO ] Restarting firewall ...
 + < DEBUG > Service control: restart iptables.
Failed to restart iptables.service: Unit iptables.service not found.
 + < DEBUG > Service control: restart ip6tables.
Failed to restart ip6tables.service: Unit ip6tables.service not found.

As mentioned above, nftables isn't installed at all, and even the config file /etc/nftables.conf doesn't exist. So it looks like there's no firewall applied, and this feels like a major security issue.

There are also warnings about mcrypt:

 + < DEBUG > Disable php extension: suhosin. /etc/php/7.4/fpm/php.ini.
WARNING: Module mcrypt ini file doesn't exist under /etc/php/7.4/mods-available
WARNING: Module mcrypt ini file doesn't exist under /etc/php/7.4/mods-available
[ INFO ] Configure mlmmj (mailing list manager).

6 (edited by RikuS 2021-01-29 02:21:23)

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

iRedMail 1.3.2 doesn't enable nftables for Ubuntu Focal (20.04). This seems to be fixed in https://github.com/iredmail/iRedMail/co … 34e8355f1c but the fix is not shipped with latest release. In 1.3.2 nftables is used only for Debian Buster.

This is obviously a major issue and can be fixed in Ubuntu with:

# Install nftables
apt-get install nftables

# Get nftables configuration file
wget https://raw.githubusercontent.com/iredmail/iRedMail/master/samples/firewall/nftables.conf

# Move configuration file to /etc/nftables.conf
mv nftables.conf /etc/

# If you use any other port than 22 for ssh, update the port by editing the following line in /etc/nftables.conf file
tcp dport 22 accept

# Start nftables and enable it on boot
systemctl enable nftables --now

Fail2ban actions also need to be updated in all files within the /etc/fail2ban/jail.d folder, as at the time of writing this, the actions are set to iptables instead of nftables in https://github.com/iredmail/iRedMail/bl … f/fail2ban:

# Change action from iptables-multiport to nftables-multiport
action = iptables-multiport[...] => action = nftables-multiport[...]

# Restart fail2ban
systemctl restart fail2ban

And finally remove unused iptables:

apt-get purge iptables
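
As an added example (not iRedMail's code, and not part of RikuS's post), the following POSIX shell script automates the file edits from the steps above against explicit paths, so they can be rehearsed on copies before touching /etc. It audits an `iptables -L` listing of the kind quoted in post 2 and reports when INPUT is policy ACCEPT with nothing but fail2ban chains (the "no firewall at all" state), rewrites every `action = iptables-multiport[...]` line in a jail.d directory to `nftables-multiport`, and changes the `tcp dport 22 accept` line in an nftables.conf to another ssh port. The sample files it writes are constructed stand-ins, not iRedMail's shipped nftables.conf or jail files, and all function names are mine.

```shell
#!/bin/sh
# Added example, not part of iRedMail: helpers for the manual nftables switch
# described in the post above. Every function takes explicit file paths, so
# the logic can be exercised on copies before it is pointed at /etc.
set -eu

# Write constructed sample inputs into DIR (stand-ins, not real iRedMail files):
#   iptables.txt  - an `iptables -L` listing like the one quoted in this thread
#   jail.d/       - a fail2ban jail snippet still using iptables-multiport
#   nftables.conf - a minimal ruleset containing the "tcp dport 22 accept" line
write_samples() {
    dir="$1"
    mkdir -p "$dir/jail.d"
    cat > "$dir/iptables.txt" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
EOF
    cat > "$dir/jail.d/sshd.local" <<'EOF'
[sshd]
enabled = true
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
EOF
    cat > "$dir/nftables.conf" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport 25 accept
        tcp dport 80 accept
    }
}
EOF
}

# Audit an `iptables -L` listing. Exit 0 when INPUT is really filtered (policy
# other than ACCEPT, or at least one rule that is not a fail2ban f2b-* jump),
# exit 1 when the host is effectively open, as in post 2 of this thread.
input_chain_is_filtered() {
    awk '
        /^Chain INPUT/ { inchain = 1; policy = ($0 ~ /policy ACCEPT/) ? "ACCEPT" : "OTHER"; next }
        /^Chain /      { inchain = 0 }
        inchain && /^target/ { next }
        inchain && NF > 0 && $1 !~ /^f2b-/ { rules++ }
        END { exit (policy == "OTHER" || rules > 0) ? 0 : 1 }
    ' "$1"
}

# Point every fail2ban jail in JAILDIR at the nftables action instead of the
# iptables one. Writes through a temp file so a half-written jail never
# replaces the original.
convert_fail2ban_actions() {
    for f in "$1"/*.conf "$1"/*.local; do
        [ -f "$f" ] || continue
        sed 's/^\([[:space:]]*action[[:space:]]*=[[:space:]]*\)iptables-multiport\[/\1nftables-multiport[/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Count action lines in JAILDIR that still name an iptables-* action (0 = done).
remaining_iptables_actions() {
    cat "$1"/*.conf "$1"/*.local 2>/dev/null | grep -c '^[[:space:]]*action[[:space:]]*=.*iptables-' || true
}

# Replace the "tcp dport 22 accept" line with PORT for hosts whose sshd listens
# elsewhere. Refuses anything that is not a valid TCP port number.
set_ssh_port() {
    conf="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    sed "s/^\([[:space:]]*tcp dport \)22\( accept\)/\1${port}\2/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# List the TCP ports the ruleset accepts, space separated, for a final review.
accepted_tcp_ports() {
    sed -n 's/^[[:space:]]*tcp dport \([0-9]*\) accept.*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed samples. On a real host point the functions at
# /etc/fail2ban/jail.d and /etc/nftables.conf instead, then run
# "systemctl enable nftables --now" and "systemctl restart fail2ban".
demo() {
    work=$(mktemp -d)
    write_samples "$work"
    if input_chain_is_filtered "$work/iptables.txt"; then
        echo "INPUT chain is filtered"
    else
        echo "INPUT chain is policy ACCEPT with only fail2ban rules: host is unfiltered"
    fi
    convert_fail2ban_actions "$work/jail.d"
    echo "jails still on iptables: $(remaining_iptables_actions "$work/jail.d")"
    set_ssh_port "$work/nftables.conf" 2222
    echo "accepted tcp ports: $(accepted_tcp_ports "$work/nftables.conf")"
    rm -rf "$work"
}
demo
```

Run it once as-is to see the audit flag the open state on the sample listing; on a live host, run `input_chain_is_filtered` against `iptables -L` output after `systemctl enable nftables --now` to confirm the ruleset actually took effect rather than trusting the install log.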

7

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

@RikuS:

Thank you very much! I was able to secure my system with your information now. And it works :)

@iRedMail Developers:
Maybe this should be resolved quickly, since this is a real "security issue".

8 (edited by RikuS 2021-02-01 00:10:36)

Re: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue

baerengraben wrote:

Thank you very much! I was able to secure my system with your information now. And it works :)

You're very welcome, I'm glad you got it all set up.

baerengraben wrote:

@iRedMail Developers:
Maybe this should be resolved quickly, since this is a real "security issue".

Couldn't agree more, as currently 1.3.2 doesn't set the firewall rules on Ubuntu 20.04 at all.