
Access logfile for Fail2ban #584

Closed
bilyboy785 opened this Issue Sep 4, 2018 · 12 comments

Comments

6 participants
@bilyboy785

bilyboy785 commented Sep 4, 2018

Can we mount a volume for logs to use Fail2Ban?

@oz123

oz123 commented Sep 9, 2018

I have the same problem, examining the logs of front I see tons of failed access attempts:

front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:45 +0000] "GET /webmail/rainloop/v/1.11.3/static/ckeditor/ckeditor.js?community HTTP/1.0" 200 155583 "https://mail.mydomain.tld/webmail/" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:45 +0000] "GET /webmail/rainloop/v/1.11.3/static/css/fonts/rainloop.woff HTTP/1.0" 304 0 "https://mail.mydomain.tld/webmail/rainloop/v/1.11.3/static/css/app.min.css?community" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:49 +0000] "GET /webmail/ HTTP/1.0" 200 704 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:49 +0000] "GET /webmail/?/AppData@no-mobile-0/0/7235785309543921/ HTTP/1.0" 200 1709 "https://mail.mydomain.tld/webmail/" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 2018/09/09 09:19:50 [info] 9#9: *39 client 181.214.206.87:4210 connected to 0.0.0.0:25
front_1      | 2018/09/09 09:19:55 [info] 9#9: *39 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "shanna@mail.mydomain.tld"
front_1      | 127.0.0.1 - - [09/Sep/2018:09:19:55 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:02 [info] 9#9: *43 client 181.214.206.84:60640 connected to 0.0.0.0:25
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:07 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:07 [info] 9#9: *43 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.84, server: 0.0.0.0:25, login: "hack@mydomain.tld"
front_1      | 2018/09/09 09:20:24 [info] 10#10: *47 client 181.214.206.87:41362 connected to 0.0.0.0:25
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:29 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:29 [info] 10#10: *47 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "helena@mail.mydomain.tld"
front_1      | 2018/09/09 09:20:37 [info] 10#10: *51 client 181.214.206.84:34198 connected to 0.0.0.0:25
front_1      | 2018/09/09 09:20:42 [info] 10#10: *51 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.84, server: 0.0.0.0:25, login: "hacker@mydomain.tld"
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:42 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
@v1ru535

v1ru535 commented Sep 9, 2018

Same here, so I extract some lines from the docker-compose follow to be able to do the bans afterwards.
If one or more logs (front,smtp...) can be set up it would be great.
Thx

@bilyboy785
Author

bilyboy785 commented Sep 9, 2018

Nice idea @v1ru535 !!
Waiting for this feature <3

@oz123

oz123 commented Sep 9, 2018

It turns out it's not only about ufw; some modifications to docker networking are needed too:

https://askubuntu.com/questions/652556/uncomplicated-firewall-ufw-is-not-blocking-anything-when-using-docker

I've spent about 1.5 hours trying different solutions of blocking traffic to mailu containers without success. I'd appreciate it if someone has an idea how to.

In the meantime I ended up doing the following to combat those pesky hackers:

sudo iptables -I DOCKER -s <IP of failed attempt> -j DROP

# iptables -L DOCKER
Chain DOCKER (3 references)
target     prot opt source               destination         
DROP       all  --  181.214.206.87       anywhere            
DROP       all  --  178.159.36.53        anywhere            
DROP       all  --  178.159.36.53        anywhere            
DROP       all  --  181.214.206.84       anywhere            
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:imaps
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:submission
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:urd
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:imap2
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:smtp
@v1ru535

v1ru535 commented Sep 9, 2018

Personally I extract some strings from the docker logs and put everything in a log in a screen command.

After that I extract the IPs and null-route them using the ip command, like this: ip route add blackhole <IP>.

It's waiting for something better, naturally, but with that I already have over 2000 banned IPs.

Hope this helps you

@oz123

oz123 commented Sep 9, 2018

I found a useful post about the issue:

http://blog.amigapallo.org/2016/04/14/configuring-fail2ban-and-iptables-to-get-along-with-docker/
another useful post:
https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/

It turns out that even if you configure fail2ban properly, there are still some issues with blocking brute-force attempts through the web UI when running behind the nginx proxy and docker. This is because the logs will look like this:

front_1      | 2018/09/10 02:14:04 [info] 8#8: *5602 client login failed: "Authentication credentials invalid" while in http auth state, client: 172.19.0.6, server: 0.0.0.0:10143, login: "jacker@mydomain.tld"

The original IP is lost because of the forwarding.

@muhlemmer
Member

muhlemmer commented Oct 14, 2018

See above PR. I was annoyed I couldn't write something useful for the FAQ, so wrote an actual solution.

I'm looking into a suitable regex for the documentation, but that is not my field of sport, so help would be appreciated. The standard Nginx regexes supplied by Fail2Ban don't catch the login failures for Mailu.

@muhlemmer
Member

muhlemmer commented Oct 16, 2018

Attempt 2, using Docker logging drivers. Please have a look.

@muhlemmer
Member

muhlemmer commented Oct 22, 2018

Implemented in #661, we can close this.

@muhlemmer muhlemmer closed this Oct 22, 2018

@muhlemmer muhlemmer added faq/done and removed faq/done labels Oct 22, 2018

@v1ru535

v1ru535 commented Oct 28, 2018

Thanks for this!

I went from version 1.5 to master to get these options, then added the necessary modifications on env and docker-compose.yml.
I added a jail and a rule to ban IPs on this pattern for fail2ban:
client login failed: "Authentication credentials invalid" while in http auth state, client: [IP], server: 0.0.0.0:25, login: "someshit@domain.io"
I filter on "client login failed" and get the IP; then all you have to do is adjust the number of failed logins before the ban in the fail2ban rule.
Now it works like a charm, thanks for the work.

If you wish I can provide the jail for the faq.

@hoellen
Member

hoellen commented Oct 28, 2018

It would be nice if you could share the complete fail2ban rules here, so we can add it to the FAQ for other users.

@v1ru535

v1ru535 commented Oct 28, 2018

For my environment, I send the log to syslog, so in env:
LOG_DRIVER=journald

For the jail, I've set a blackhole route, but it's possible with iptables with:
banaction = %(banaction_allports)s
in place of
action = route[name=auth-ban]

Jail with maxretry to be adapted according to needs:

# 3 failed logins in 1 hour > Ban for 1 hour
[auth-ban]
enabled = true
filter = bad-auth
logpath = /var/log/syslog
maxretry = 3
findtime = 3600
action = route[name=auth-ban]
bantime = 3600

Action fail2ban: "action.d/route.conf"
blocktype = blackhole

Filter fail2ban: "filter.d/bad-auth.conf"

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Filter "client login failed" in the Syslog

failregex = .* client login failed: .+ client:\ <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

It may also be useful to adjust the bantime of the recidive jail to fine-tune the configuration.
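Added here as a defender's check, not code from this issue or from Mailu: this Python script runs the bad-auth failregex above over constructed lines modelled on the logs quoted earlier in the thread, tallies failures per host the way a jail does within findtime, and flags the proxied case oz123 describes, where the matched address is the docker-internal 172.19.0.6 rather than the attacker. HOST_RE is assumed to be fail2ban's default expansion of <HOST>; the sample log lines and all function names are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# fail2ban expands <HOST> to this pattern (its default host regex);
# reproduced here (assumption) so the filter runs outside fail2ban.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the bad-auth.conf filter posted above.
FAILREGEX = r".* client login failed: .+ client:\ <HOST>"

# Constructed sample lines modelled on the logs quoted in this issue:
# failures from two external addresses on port 25, one "connected" line
# that must not match, and one failure forwarded by the nginx proxy.
SAMPLE_LOG = """\
2018/09/09 09:19:55 [info] 9#9: *39 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "shanna@mail.mydomain.tld"
2018/09/09 09:20:07 [info] 9#9: *43 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.84, server: 0.0.0.0:25, login: "hack@mydomain.tld"
2018/09/09 09:20:29 [info] 10#10: *47 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "helena@mail.mydomain.tld"
2018/09/09 09:20:37 [info] 10#10: *51 client 181.214.206.84:34198 connected to 0.0.0.0:25
2018/09/09 09:21:03 [info] 10#10: *55 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "admin@mydomain.tld"
2018/09/10 02:14:04 [info] 8#8: *5602 client login failed: "Authentication credentials invalid" while in http auth state, client: 172.19.0.6, server: 0.0.0.0:10143, login: "jacker@mydomain.tld"
"""

def compile_failregex(failregex=FAILREGEX):
    """Substitute <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def count_failures(log_text, failregex=FAILREGEX):
    """Tally matching failed logins per host, as a jail does within findtime."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts

def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached maxretry and would be handed to the ban action."""
    return sorted(host for host, n in counts.items() if n >= maxretry)

def proxied_hosts(counts):
    """Matched hosts that are private addresses: the real client IP was lost
    behind the proxy, so banning them would block the proxy, not the attacker."""
    return sorted(h for h in counts if ipaddress.ip_address(h).is_private)

if __name__ == "__main__":
    c = count_failures(SAMPLE_LOG)
    print(dict(c), hosts_to_ban(c), proxied_hosts(c))
```

With maxretry = 3 only 181.214.206.87 reaches the threshold, while the web-UI failure attributed to 172.19.0.6 is reported as a proxied address that the jail cannot usefully ban.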
