1 Topic by Bronko (edited by Bronko 2023-10-24 06:46:30)

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Topic: Fail2Ban 'X-Forwarded-For' doesn't block?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.6
- Deployed with iRedMail downloadable installer
- Linux/BSD distribution name and version: ubuntu 22.04.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

can find this logged (without timestamps):

/var/log/mail.log

...
mail roundcube: <qvbo6vad> Failed login for user from 10.200.0.2 (X-Forwarded-For: 77.91.85.107) in session qvbo6vadvjbd34mg (error: 0)
mail roundcube: <qvbo6vad> IMAP Error: Login failed for user@mydomain.com against 127.0.0.1 from 10.200.0.2 (X-Forwarded-For: 77.91.85.107). AUTHENTICATE LOGIN: A0002 NO [AUTHENTICATIONFAILED] Authentication failed. in /opt/www/roundcubemail-1.6.3/program/lib/Roundcube/rcube_imap.php on line 211 (POST /mail/?_task=login&_action=login)
...

/var/log/fail2ban.log

...
mail fail2ban.filter[291178]: INFO [dovecot] Ignore 127.0.0.1 by ignoreself rule
mail fail2ban.filter[291178]: INFO [roundcube] Found 77.91.85.107 - 2023-10-23 22:50:00
mail fail2ban.filter[291178]: INFO [dovecot] Ignore 127.0.0.1 by ignoreself rule
mail fail2ban.filter[291178]: INFO [roundcube] Found 77.91.85.107 - 2023-10-23 22:50:12
mail fail2ban.actions[291178]: NOTICE [roundcube] Ban 77.91.85.107
mail fail2ban.filter[291178]: INFO [dovecot] Ignore 127.0.0.1 by ignoreself rule
mail fail2ban.filter[291178]: INFO [roundcube] Found 77.91.85.107 - 2023-10-23 22:50:25
...
mail fail2ban.filter[291178]: INFO [dovecot] Ignore 127.0.0.1 by ignoreself rule
mail fail2ban.filter[291178]: INFO [roundcube] Found 77.91.85.107 - 2023-10-23 22:52:09
mail fail2ban.actions[291178]: WARNING [roundcube] 77.91.85.107 already banned
mail fail2ban.filter[291178]: INFO [dovecot] Ignore 127.0.0.1 by ignoreself rule
mail fail2ban.filter[291178]: INFO [roundcube] Found 77.91.85.107 - 2023-10-23 22:52:24
...

Rule is in place:

# nft list ruleset
...
    set addr-set-roundcube {
        type ipv4_addr
        elements = { 77.91.85.107 }

...

But Roundcube is still accessible...

Any hints for me here?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Bronko (edited by Bronko 2023-10-26 06:04:54)

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

Additional information:
Regarding roundcube access on iRedMail server it is handled by HaProxy on Firewall (direct portforwarding behind NAT only for smtp)

In my opinion today ;-) Fail2Ban does the job, but the requesting client IP is still the internal Firewall interface (10.200.0.2), not the extended information by X-Forwarded-For IP (77.91.85.107) which is in nft ruleset and blocked.

To block 10.200.0.2 doesn't make sense, with or without X-Forwarded-For (HaProxy configurable option) information.

So nftables would have to inspect the packet's content and parse the client $remote_addr headers like X-Forwarded-For usually. How to do so, when ip- and nftables work on tcp layer but we need packet layer here?

3 Reply by Cthulhu (edited by Cthulhu 2023-10-26 06:42:03)

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

you need to use masquerade or modify the filter to capture forwarded ip

edit: nvm, latest filterset captures this already

all you could do is ban it manually n the firewall of the proxy server via a script

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

Please adjust the order of filters like this one:
https://github.com/iredmail/iRedMail/co … cde96cca35

Let me know how it works.

5 Reply by Bronko (edited by Bronko 2023-10-27 05:27:16)

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

ZhangHuangbin wrote:

Please adjust the order of filters like this one:
https://github.com/iredmail/iRedMail/co … cde96cca35

Let me know how it works.

Oh...Thanks, HAProxy is already regarded, but as described, the filter set (your tuning too) catched the X-Forwarded-For IP perfect, but the nftables action at /etc/fail2ban/jail.d/roundcube.local doesn't inspect the packets content as iptables it could:

RedHat Community:x-forward-for and Firewalld

iptables -I INPUT 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For:' -j DROP

Some other discussions:
https://serverfault.com/questions/82567 … oxy#825679
https://www.christophe-casalegno.com/ov … lbip-iplb/
https://www.reddit.com/r/selfhosted/com … banned_if/

We moved in IRedMail from iptables to nftables without this possibility, right?

Cthulhu wrote:

all you could do is ban it manually n the firewall of the proxy server via a script

Firewall and HAProxy is on pfsense... Would be nicer to have it on iRedMail server directly by good old iptables...

6 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

i dun like nftables myself and thus running iptables, just needs reconfiguration on some files

7 Reply by Bronko

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

ZhangHuangbin wrote:

Let me know how it works.

Do you have different experiences for X-Forwarded-For ?

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

Did you read my last reply (#4) in this thread? https://forum.iredmail.org/post87577.html#p87577

Fail2ban was configured by iRedMail to use multiple rules to filter Roundcube log:

[Definition]
failregex = roundcube.* Failed login for (.*) from <HOST>\. AUTHENTICATE LOGIN
            roundcube.* Failed login for (.*) from <HOST> in session
            roundcube.* Failed login .*\(X-Forwarded-For: <HOST>\) in session
            roundcube.* Error: Login failed for (.*) from <HOST>\. (LOGIN: Authentication failed|AUTHENTICATE LOGIN)

The "Failed login" error matches rule 1 first, but what we expected is rule 3 to ban real client IP address instead of HAProxy server. So we adjusted the order of rules, to match log generated by HAProxy first, this should fix your issue.

9 Reply by Bronko

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

ZhangHuangbin wrote:

Did you read my last reply (#4) in this thread?

For sure, right by next post (#5). Read again please...

Client IP is in ban from the beginning, but it seems nftables doesn't have the functionality to block these Client IP encapsulated in HAProxy IP packet, as iptables it has (post #5).

10 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 907

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

https://manpages.debian.org/bookworm/nf … XPRESSIONS

I guess you can capture it with this, but i dont have any experience with this

11 Reply by Bronko

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

Cthulhu wrote:

https://manpages.debian.org/bookworm/nf … XPRESSIONS

I guess you can capture it with this, but i dont have any experience with this

Thanks a lot, but I don't think so, because as I understand this is a routing feature and the client IP to block doesn't matter here for routing due to NAT (post #2)... or I miss something?

12 Reply by Bronko

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

@ZhangHuangbin

Did you test these X-Forwarded-For fail2ban filter rule set works for nftables before switching from iptables in the past?

13 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

I'm a little lost, which shell command failed?

14 Reply by Bronko

  • Bronko
  • Member
  • Offline
  • Registered: 2009-10-20
  • Posts: 113

Re: Fail2Ban 'X-Forwarded-For' doesn't block?

ZhangHuangbin wrote:

I'm a little lost, which shell command failed?

Nothing failed, (post #9): Client IP is in ban from the beginning, but it seems nftables doesn't have the functionality to block these Client IP encapsulated in HAProxy IP packet, as iptables it has (post #5).

Is this the disadvantage of switching from iptables to nftables... ?

To be honest I have never had any fail2ban against roundcube since all the 14 years of using iRedMail.

But this should doesn't matter ;-)