1

Topic: Fail2Ban does not create firewall rules for Roundcube

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2 MARIADB edition
- Deployed with downloadable installer
- Linux/BSD distribution name and version: Ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I've faced an issue where Fail2ban does not create firewall rules for Roundcube.
It works fine with SSH blocks, though.
I've tried with the default nftables and with ufw.

here is the result for nftables:

jail.local:

[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 3600
maxretry    = 5
ignoreip    = 127.0.0.1 78.107.248.18  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

jail.d/roundcube.local

[roundcube]
backend     = polling
journalmatch=
enabled     = true
findtime    = 3600
filter      = roundcube.iredmail
logpath     = /var/log/mail.log
action = nftables-multiport[name=roundcube, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]
         banned_db[name=roundcube, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]

With this config f2b detects the failed attempts and executes the action, but no FW rules are actually added. For testing purposes I'm entering a wrong password on the webmail page.

#fail2ban-client status roundcube

Status for the jail: roundcube
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     155
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     10
   `- Banned IP list:   212.xx.xx.xx

The SSH filter works in the meantime
# nft list ruleset

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
                ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
                ip protocol igmp accept
                tcp dport 22 accept
                tcp dport 80 accept
                tcp dport 443 accept
                tcp dport 25 accept
                tcp dport 587 accept
                tcp dport 465 accept
                tcp dport 110 accept
                tcp dport 995 accept
                tcp dport 143 accept
                tcp dport 993 accept
                counter packets 1159 bytes 54966 drop
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
table ip filter {
}
table inet f2b-table {
        set addr-set-sshd {
                type ipv4_addr
                elements = { 27.150.190.96, 103.172.120.13,
                             149.202.74.37, 179.60.147.101 }
        }

        chain f2b-chain {
                type filter hook input priority filter - 1; policy accept;
                tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
        }
}

UFW config

jail.local is the same as above

jail.d/roundcube.local

[roundcube]
backend     = polling
journalmatch=
enabled     = true
findtime    = 3600
filter      = roundcube.iredmail
logpath     = /var/log/mail.log
banaction   = ufw
port = 80,443,25,587,465,110,995,143,993,4190

ufw status

Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      212.xxx.xxx.xxx
OpenSSH                    DENY        141.94.110.90
OpenSSH                    DENY        122.195.71.170
22/tcp                     ALLOW       Anywhere
Postfix                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
Postfix Submission         ALLOW       Anywhere
Postfix SMTPS              ALLOW       Anywhere

The result is: the upper line is added: Anywhere    REJECT      212.xxx.xxx.xxx

1st issue here is that before the current session is finished, ufw does not block the inbound connection. Means I can keep accessing the webmail page (endlessly entering a wrong password) until I stop and the session is terminated by timeout.

2nd issue - the source is Anywhere, not a particular port.

What can I do to fix this?
I'd prefer to stay with UFW if possible, but if the solution works only with nftables I'll survive with that too.

Thanks in advance for your help

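Added example, not code from the thread, from iRedMail or from fail2ban: two offline checks you can run over the outputs quoted above, so that "Currently banned: 1" in fail2ban-client is compared against what the firewall actually holds. The nftables actions shipped with fail2ban keep one set per jail (`addr-set-<jail>`) in `table inet f2b-table` plus a rule in `f2b-chain` matching `ip saddr @addr-set-<jail>`, which is exactly the shape of the sshd entries in the ruleset above; the roundcube jail has neither, and the first function reports that. For ufw, fail2ban's stock `action.d/ufw.conf` builds the ban as `ufw insert 1 reject from <ip> to any` (an `app <application>` suffix is added only when the action's `application` parameter is set, e.g. `banaction = ufw[application="Nginx Full"]`); the jail's `port=` list is not used by that action, which is why `ufw status` shows `Anywhere`. Two caveats worth knowing while reading the results: ufw's before-rules accept `RELATED,ESTABLISHED` traffic before any user rule, so a ufw reject never cuts an already-open TCP session (a keep-alive browser session keeps working until it closes), whereas the f2b-chain above hooks at priority `filter - 1`, i.e. before the main input chain's `ct state established,related accept`. The captures `NFT_FILE` and `UFW_FILE` are constructed from the post and trimmed; on a real host feed the functions a fresh `nft list ruleset` / `ufw status` capture instead.

```sh
#!/bin/sh
# Added example (not the thread's or fail2ban's own code).
# Offline sanity checks over pasted firewall state.

# Constructed from the post's `nft list ruleset`, trimmed to the relevant chains.
NFT_FILE=$(mktemp)
cat > "$NFT_FILE" <<'EOF'
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept
                tcp dport 22 accept
                tcp dport 443 accept
                counter packets 1159 bytes 54966 drop
        }
}
table inet f2b-table {
        set addr-set-sshd {
                type ipv4_addr
                elements = { 27.150.190.96, 103.172.120.13 }
        }

        chain f2b-chain {
                type filter hook input priority filter - 1; policy accept;
                tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
        }
}
EOF

# Constructed from the post's `ufw status`, trimmed.
UFW_FILE=$(mktemp)
cat > "$UFW_FILE" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      212.xxx.xxx.xxx
OpenSSH                    DENY        141.94.110.90
22/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
EOF

# f2b_nft_check JAIL FILE
# Return 0 only if FILE holds both the jail's set (addr-set-JAIL) and a rule
# that matches against it; otherwise say which half is missing and return 1.
f2b_nft_check() {
    jail=$1; file=$2
    if ! grep -q "set addr-set-${jail} {" "$file"; then
        echo "nft: jail '${jail}' has no set addr-set-${jail}" >&2
        return 1
    fi
    if ! grep -q "saddr @addr-set-${jail}" "$file"; then
        echo "nft: set addr-set-${jail} exists but no rule references it" >&2
        return 1
    fi
    echo "nft: jail '${jail}' set and rule present"
}

# nft_chain_priority CHAIN FILE
# Print CHAIN's hook priority expression ("filter", "filter - 1", ...).
# Lower runs first, so "filter - 1" is evaluated before the main input chain
# and therefore before its "ct state established,related accept".
nft_chain_priority() {
    chain=$1; file=$2
    awk -v c="chain ${chain} {" '
        index($0, c) { found = 1; next }
        found && /priority/ { sub(/.*priority /, ""); sub(/;.*/, ""); print; exit }' "$file"
}

# ufw_ban_scope IP FILE
# Print the "To" column of every REJECT/DENY rule whose From is IP
# ("Anywhere" means the ban is not port-scoped); return 1 if IP has no rule.
ufw_ban_scope() {
    ip=$1; file=$2
    awk -v ip="$ip" '
        $NF == ip && ($(NF-1) == "REJECT" || $(NF-1) == "DENY") {
            to = $1; for (i = 2; i <= NF-2; i++) to = to " " $i
            print to; found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Usage against the constructed captures above.
f2b_nft_check sshd "$NFT_FILE"
if ! f2b_nft_check roundcube "$NFT_FILE"; then
    echo "fail2ban reports a roundcube ban, but nftables never received it"
fi
echo "f2b-chain priority: $(nft_chain_priority f2b-chain "$NFT_FILE")"
echo "input chain priority: $(nft_chain_priority input "$NFT_FILE")"
echo "ufw scope for 212.xxx.xxx.xxx: $(ufw_ban_scope 212.xxx.xxx.xxx "$UFW_FILE")"
```

Running it against the pasted captures reports the sshd jail as complete, the roundcube jail as having no set at all, `f2b-chain` at `filter - 1` versus `filter` for the iRedMail input chain, and the ufw ban on 212.xxx.xxx.xxx scoped to `Anywhere`.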

2

Re: Fail2Ban does not create firewall rules for Roundcube

Any related error in /var/log/syslog or /var/log/fail2ban.log when the ban was triggered?

3 (edited by brewer7 2022-11-04 17:08:01)

Re: Fail2Ban does not create firewall rules for Roundcube

Nothing special...

fail2ban.log

Nov  4 08:42:59 mail fail2ban.jail[43837]: DEBUG Starting jail 'roundcube'
Nov  4 08:42:59 mail fail2ban.filterpoll[43837]: DEBUG /var/log/mail.log has been modified
Nov  4 08:42:59 mail fail2ban.filter[43837]: DEBUG Seek to find time 1667547779.9450655 (2022-11-04 11:42:59), file size 1018116

..................


Nov  4 08:46:37 mail fail2ban.filter[43837]: DEBUG Processing line with time:1667551597.2712963 and ip:212.xxx.xxx.xxx
Nov  4 08:46:37 mail fail2ban.filter[43837]: INFO [roundcube] Found 212.xxx.xxx.xxx - 2022-11-04 12:46:37
Nov  4 08:46:37 mail fail2ban.failmanager[43837]: DEBUG Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 212.xxx.xxx.xxx:5
Nov  4 08:46:37 mail fail2ban.actions[43837]: NOTICE [roundcube] Ban 212.xxx.xxx.xxx
Nov  4 08:46:37 mail fail2ban.observer[43837]: DEBUG [roundcube] Observer: ban found 212.xxx.xxx.xxx, 3600
Nov  4 08:46:37 mail fail2ban.utils[43837]: DEBUG 7f45e2189730 -- stdout: 'Rule inserted'
Nov  4 08:46:37 mail fail2ban.utils[43837]: DEBUG 7f45e2189730 -- returned successfully 0
Nov  4 08:46:37 mail fail2ban.utils[43837]: DEBUG 7f45e0a0ea80 -- returned successfully 0
Nov  4 08:46:37 mail fail2ban.actions[43837]: DEBUG Banned 1 / 1, 1 ticket(s) in 'roundcube'

syslog

Nov  4 08:46:36 mail roundcube: <9q74l6tm> IMAP Error: Login failed for mail@mydomain.com against 127.0.0.1 from 212.xxx.xxx.xxx. AUTHENTICATE LOGIN: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /opt/www/roundcubemail-1.5.3/program/lib/Roundcube/rcube_imap.php on line 211 (POST /mail/?_task=login&_action=login)
Nov  4 08:46:37 mail roundcube: <9q74l6tm> Failed login for mail@mydomain.com from 212.xxx.xxx.xxx in session 9q74l6tm74bg2u8g (error: 0)
Nov  4 08:46:55 mail kernel: [73095.976585] [UFW BLOCK] IN=ens3 OUT= MAC=52:54:00:14:84:1f:d8:53:9a:15:19:d4:08:00 SRC=31.220.3.140 DST=176.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=54321 PROTO=TCP SPT=43511 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  4 08:46:57 mail kernel: [73097.270387] [UFW BLOCK] IN=ens3 OUT= MAC=52:54:00:14:84:1f:d8:53:9a:15:19:d4:08:00 SRC=211.250.172.181 DST=176.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=37036 PROTO=TCP SPT=22496 DPT=23 WINDOW=5059 RES=0x00 SYN URGP=0

Everything seems to be working fine with UFW apart from the 2 issues I noticed above.

Is it possible to change the action in a way that it would ban the IP with a specific port and terminate established connections at the same time?

Do I need to switch back to nftables (and continue troubleshooting) to make the same logic work?

4

Re: Fail2Ban does not create firewall rules for Roundcube

brewer7 wrote:

Nov  4 08:46:37 mail fail2ban.utils[43837]: DEBUG 7f45e2189730 -- stdout: 'Rule inserted'

Seems rule has been successfully inserted.

brewer7 wrote:

Do I need to switch back to nftables (and continue troubleshooting) to make the same logic work?

iRedMail uses nftables by default; we didn't test ufw, so you're on your own in this case. sad