Comments (3)
> First of all, I no longer get authorization errors in journal.d from mailu-front, it means that fail2ban will never catch failed attempts.

That is not surprising if you have disabled rate limiting and is your problem.

> Why not listen on failed attempts then? I can clearly see that these are being logged.

Because Mailu does "better", it only accounts distinct attempts (attempts with different passwords, to avoid getting a user who has just changed his password locked out as his MUA is retrying to log in with the now-old password in the background).
Okay, I can see that fail2ban has the following regexp in your documentation:

    failregex = ^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ client login failed: \"AUTH not supported\" while in http auth state, client: <HOST>, server:

Meanwhile, a failed authorization has the following format in Mailu 2.0:

    [info] 12#12: *210 client login failed: "Authentication credentials invalid" while in http auth state, client: 77.73.32.213, server: 0.0.0.0:465, login: "[email protected]"

For sure it won't catch this message, because it expects the string "AUTH not supported".
Or maybe there is a reason to listen for this format?
I can see that in 1.9 it didn't care about the reason and the regexp was the following:

    failregex = .* client login failed: .+ client:\ <HOST>

and it is much better.
> That is not surprising if you have disabled rate limiting and is your problem.

> Because Mailu does "better", it only accounts distinct attempts (attempts with different passwords, to avoid getting a user who has just changed his password locked out as his MUA is retrying to log in with the now-old password in the background).

I see, thank you for the quick response. It makes perfect sense for more tolerant security settings. However, I fixed my configuration to be more vigilant, and for anyone who would like to have it more rigorous for Mailu 2.0, here is my configuration:
Steps:
- Follow the documentation here: https://mailu.io/2.0/faq.html#fail2ban
- Change /etc/fail2ban/filter.d/bad-auth-bots.conf to

      # Fail2Ban configuration file
      [Definition]
      failregex = .* client login failed: .+ client:\ <HOST>
      ignoreregex =
      journalmatch = CONTAINER_TAG=mailu-front

- Change /etc/fail2ban/filter.d/bad-auth.conf to

      # Fail2Ban configuration file
      [Definition]
      failregex = Login failed for ([^\s]+) from <HOST>\.$
      ignoreregex =
      journalmatch = CONTAINER_TAG=mailu-admin

- Change /etc/fail2ban/jail.d/bad-auth-bots.conf to

      [bad-auth-bots]
      enabled = true
      backend = systemd
      filter = bad-auth-bots
      bantime = 7776000
      findtime = 600
      maxretry = 3
      action = docker-action

The changes are the following:
- Every failed login attempt to the SMTP server is counted.
- Every failed login to the admin panel is counted.
- We always lock the IP from connecting to all ports. (Previously the lock happened only on port 25 for SMTP [even though SSL connections were on 465 and it wasn't banned and you could do unlimited calls].)

Caveat emptor:
Make sure you pass x-real-ip if serving Mailu behind a proxy. Otherwise you'll lock your internal docker IP from connecting and services will start to time out each other.
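
The difference between the two mailu-front filters discussed in this thread can be checked offline. The following is an added example, not code from the thread, Mailu or fail2ban: it runs both failregex lines over constructed journal lines and applies a simplified model of the jail's `maxretry`/`findtime` counting. The `<HOST>` pattern, the log-line prefix (`mailhost`, pid, date) and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IP literals only).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{3,39})"

# The two mailu-front filters quoted in the thread.
DOC_2_0 = (r'^\s?\S+ mailu\-front\[\d+\]: \S+ \S+ \[info\] \d+#\d+: \*\d+ '
           r'client login failed: \"AUTH not supported\" while in http auth state, '
           r'client: <HOST>, server:')
FROM_1_9 = r'.* client login failed: .+ client:\ <HOST>'

def match_host(failregex, line):
    """Return the address captured by <HOST>, or None if the line does not match."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def banned_hosts(events, failregex, maxretry=3, findtime=600):
    """events: (unix_seconds, line) pairs. Ban on maxretry matches within findtime."""
    hits, banned = defaultdict(deque), set()
    for ts, line in sorted(events):
        host = match_host(failregex, line)
        if host is None:
            continue
        window = hits[host]
        window.append(ts)
        while window[0] <= ts - findtime:   # forget matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def front_line(reason, client):
    # Constructed journal line in the mailu-front format shown in the thread.
    return (f'mailhost mailu-front[1234]: 2023/05/01 10:00:00 [info] 12#12: *210 '
            f'client login failed: "{reason}" while in http auth state, '
            f'client: {client}, server: 0.0.0.0:465, login: "user@example.com"')

# Constructed sample: three bad-password attempts from one address, one bot probe.
SAMPLE = [(t, front_line("Authentication credentials invalid", "203.0.113.7"))
          for t in (0, 120, 300)]
SAMPLE.append((60, front_line("AUTH not supported", "198.51.100.9")))

if __name__ == "__main__":
    for name, rx in (("2.0 docs", DOC_2_0), ("1.9", FROM_1_9)):
        print(name, sorted(banned_hosts(SAMPLE, rx)))
```

On a host with fail2ban installed, `fail2ban-regex` performs the same kind of check against real journal output and the real `<HOST>` expansion.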