1

Topic: fail2ban behind pfsense

I'm using iRedMail, but fail2ban does not work properly because by default it gets the wrong IP, I mean the firewall IP, so I had to ignore it or ban everyone.
I'm running iRedMail on a server in a private LAN behind a pfSense firewall with SSL offload and HAProxy, so when a guest visits mail.myserver.com to log in to Roundcube, the firewall handles the client IP, offloads SSL and redirects in plain HTTP into the internal LAN to the VM with iRedMail.

I need a custom config for the filter in order to grab the right IP.

Here is the log entry for Roundcube in /var/log/maillog:
Oct 26 10:02:13 mail roundcube: <rf4cvlc1> Failed login for userjohntrytohack from 10.1.0.2 (X-Forwarded-For: 81.47.153.97) in session rf4cvlc1avloqnqc (error: 0):

As you can see, the username pops up: userjohntrytohack,
then the IP of the firewall, 10.1.0.2, then the real client IP, 81.47.153.97,
immediately after "Forwarded-For: ".

So fail2ban sees the firewall IP and tries to ban it, which is not correct, and it's in the ignoreip variable.

Here is the /etc/fail2ban/filter.d/roundcube-auth.conf:

prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=u>
            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$

I need an expert to help me edit these 2 values, prefregex and failregex, in order to grab the real IP after the string "Forwarded-For: ".

Many thanks for your help.
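One way to express what the OP asks for, as a fail2ban-style failregex checked against the posted log line. This is an added example, not code from the thread or from iRedMail; the pattern, the tag expansion and the trusted-proxy set are assumptions. The trusted-proxy check matters because X-Forwarded-For only means something when the connecting address is the proxy that set it; from any other address the header could be forged to get a third party banned or to dodge the ban.

```python
import re

# What fail2ban substitutes for <HOST> (simplified from its own definition); assumption:
# a plain IPv4/IPv6 address or hostname is enough here.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# Candidate failregex in fail2ban syntax (an assumption, not the stock filter line). The
# address fail2ban would ban is the X-Forwarded-For value; the proxy address in front of
# it is captured separately so it can be checked against the known proxy.
FAILREGEX = (
    r"^(?:<[\w]+> )?Failed login for <F-USER>.*?</F-USER> from (?P<proxy>\S+)"
    r" \(X-Forwarded-For: <HOST>\) in session \w+(?: \(error: \d+\))?:?$"
)

# The pfSense/HAProxy address seen in the posted log line.
TRUSTED_PROXIES = {"10.1.0.2"}


def expand_tags(pattern: str) -> str:
    """Turn fail2ban's <HOST> and <F-USER>...</F-USER> tags into Python named groups."""
    pattern = pattern.replace("<HOST>", HOST_RE)
    return re.sub(r"<F-USER>(.*?)</F-USER>", r"(?P<user>\1)", pattern)


COMPILED = re.compile(expand_tags(FAILREGEX))

# Mimic what fail2ban strips before failregex runs: the timestamp plus the syslog
# hostname and "roundcube:" program tag.
PREFIX_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ roundcube: ")


def extract_offender(line: str):
    """Return (user, ip_to_ban) for a Roundcube failed-login line, or None if no match."""
    m = COMPILED.match(PREFIX_RE.sub("", line))
    if not m:
        return None
    # Trust X-Forwarded-For only when the connecting address is the known proxy;
    # otherwise the connecting address itself is the offender.
    if m.group("proxy") in TRUSTED_PROXIES:
        return m.group("user"), m.group("host")
    return m.group("user"), m.group("proxy")


# Constructed from the line posted in the thread.
SAMPLE = ("Oct 26 10:02:13 mail roundcube: <rf4cvlc1> Failed login for userjohntrytohack "
          "from 10.1.0.2 (X-Forwarded-For: 81.47.153.97) in session rf4cvlc1avloqnqc (error: 0):")

if __name__ == "__main__":
    print(extract_offender(SAMPLE))  # ('userjohntrytohack', '81.47.153.97')
```

In fail2ban itself FAILREGEX would go in as a failregex line of a local copy of roundcube-auth.conf; the trusted-proxy check has no direct equivalent there, so the proxy should be the only path that reaches Roundcube.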

----


2 (edited by chris.23lo 2024-10-27 22:39:04)

Re: fail2ban behind pfsense


It's really off-topic here because it is unsupported in iRedMail under pfSense and HAProxy.
In fact, I don't know how you even got there with the initial iRedMail setup working if you don't know what you are doing.


I do have a simple pfSense lab config and it works with HAProxy and a web backend (the web service is not Roundcube nor SOGo web).

Under HAProxy, in your web service backend:
> Advanced settings (+) -- expand it
Transparent IP > Use Client-IP to connect to backend servers, select LAN in the drop-down.

And your HTTP log (nginx / Apache) will log the client IP in the access log, which gives fail2ban the right information to block.

Try in a testing setup first.

Regards

Post's attachments

webvip_backend.png

3

Re: fail2ban behind pfsense

Perfect, works like a charm now.
You're very kind, many thanks man!
Please email me in private, I wish to thank you with 50 USD to your PayPal.
My email is: ufficio@sunsetvillage.club

Have a nice day!

