Access logfile for Fail2ban

[bilyboy785]

Can we mount a volume for logs to use Fail2Ban ?

[oz123]

I have the same problem, examining the logs of front I see tons of failed access attempts:

front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:45 +0000] "GET /webmail/rainloop/v/1.11.3/static/ckeditor/ckeditor.js?community HTTP/1.0" 200 155583 "https://mail.mydomain.tld/webmail/" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:45 +0000] "GET /webmail/rainloop/v/1.11.3/static/css/fonts/rainloop.woff HTTP/1.0" 304 0 "https://mail.mydomain.tld/webmail/rainloop/v/1.11.3/static/css/app.min.css?community" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:49 +0000] "GET /webmail/ HTTP/1.0" 200 704 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 172.19.0.1 - - [09/Sep/2018:09:19:49 +0000] "GET /webmail/?/AppData@no-mobile-0/0/7235785309543921/ HTTP/1.0" 200 1709 "https://mail.mydomain.tld/webmail/" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
front_1      | 2018/09/09 09:19:50 [info] 9#9: *39 client 181.214.206.87:4210 connected to 0.0.0.0:25
front_1      | 2018/09/09 09:19:55 [info] 9#9: *39 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "shanna@mail.mydomain.tld"
front_1      | 127.0.0.1 - - [09/Sep/2018:09:19:55 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:02 [info] 9#9: *43 client 181.214.206.84:60640 connected to 0.0.0.0:25
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:07 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:07 [info] 9#9: *43 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.84, server: 0.0.0.0:25, login: "hack@mydomain.tld"
front_1      | 2018/09/09 09:20:24 [info] 10#10: *47 client 181.214.206.87:41362 connected to 0.0.0.0:25
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:29 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
front_1      | 2018/09/09 09:20:29 [info] 10#10: *47 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.87, server: 0.0.0.0:25, login: "helena@mail.mydomain.tld"
front_1      | 2018/09/09 09:20:37 [info] 10#10: *51 client 181.214.206.84:34198 connected to 0.0.0.0:25
front_1      | 2018/09/09 09:20:42 [info] 10#10: *51 client login failed: "Authentication credentials invalid" while in http auth state, client: 181.214.206.84, server: 0.0.0.0:25, login: "hacker@mydomain.tld"
front_1      | 127.0.0.1 - - [09/Sep/2018:09:20:42 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"

[v1ru535]

Same here, so I extract some lines from the docker-compose follow to be able to do the bans afterwards.
If one or more logs (front,smtp...) can be set up it would be great.
Thx

[bilyboy785]

Nice idea @v1ru535 !!
Waiting for this feature <3

[oz123]

It turns out it's not only about ufw but some modifications on docker networking are needed:

https://askubuntu.com/questions/652556/uncomplicated-firewall-ufw-is-not-blocking-anything-when-using-docker

I've spent about 1.5 hours trying different solutions of blocking traffic to mailu containers without success. I'd appreciate it if someone has an idea how to.

In the meanwhile I ended up doing the following to combat those pesky hackers:

sudo iptables -I DOCKER -s <IP of failed attempt> -j DROP

# iptables -L DOCKER
Chain DOCKER (3 references)
target     prot opt source               destination         
DROP       all  --  181.214.206.87       anywhere            
DROP       all  --  178.159.36.53        anywhere            
DROP       all  --  178.159.36.53        anywhere            
DROP       all  --  181.214.206.84       anywhere            
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:imaps
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:submission
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:urd
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:imap2
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:smtp

[v1ru535]

Personally I extract some strings from the docker logs and put everything in a log in a screen command.

After that I extract IPs and null routing using ip command like that ip route add blackhole <IP>.

It's waiting to do better naturally, but with that I already have over 2000 banned IPs.

Hope this helps you

[oz123]

I found a useful post about the issue:

http://blog.amigapallo.org/2016/04/14/configuring-fail2ban-and-iptables-to-get-along-with-docker/
another useful post:
https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/

It turns out, that even if you configure fail2ban properly, there is still some issues with blocking attempts to brute force through the web UI, when running behind nginx proxy and docker. This is because the logs will look like this:

front_1      | 2018/09/10 02:14:04 [info] 8#8: *5602 client login failed: "Authentication credentials invalid" while in http auth state, client: 172.19.0.6, server: 0.0.0.0:10143, login: "jacker@mydomain.tld"

There original IP is lost because of the forwarding.

[muhlemmer]

See above PR. I was annoyed I couldn't write something useful for the FAQ, so wrote an actual solution.

I'm looking into suitable regex for documentation, but that is not my field of sport. So help would be appreciated. The standard Nginx regex supplied by Fail2Ban don't catch the login fails for Mailu.

[muhlemmer]

Attempt 2, using Docker logging drivers. Please have a look.

[muhlemmer]

Implemented in #661, we can close this.

[v1ru535]

Thanks for this!

I went from version 1.5 to master to get these options, then added the necessary modifications on env and docker-compose.yml.
I added a jail and a rule to ban IPs on this pattern for fail2ban:
client login failed: "Authentication credentials invalid" while in http auth state, client: [IP], server: 0.0.0.0:25, login: "someshit@domain.io"
I filter on "client login failed" and get the IP, then all you have to do is adjust the number of failed login before the ban in fail2ban rule.
Now it works like a charm, thanks for the work.

If you wish I can provide the jail for the faq.

[hoellen]

It would be nice if you could share the complete fail2ban rules here, so we can add it to the FAQ for other users.

[v1ru535]

For my environment, I put the log to syslog, so in env:
LOG_DRIVER=journald

For the jail, I've set blackhole route, but it's possible with iptable with:
banaction = %(banaction_allports)s
in replace on
action = route[name=auth-ban]

Jail with maxretry to be adapted according to needs:

# 3 ban in 1 hour > Ban for 1 hour
[auth-ban]
enabled = true
filter = bad-auth
logpath = /var/log/syslog
maxretry = 3
findtime = 3600
action = route[name=auth-ban]
bantime = 3600

Action fail2ban: "action.d/route.conf"
blocktype = blackhole

Filter fail2ban: "filter.d/bad-auth.conf"

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Filter "client login failed" in the Syslog

failregex = .* client login failed: .+ client:\ <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

It may also be useful to adjust the bantime of the recidive jail to fine-tune the configuration.

[flayks]

For my environment, I put the log to syslog, so in env:
LOG_DRIVER=journald

For the jail, I've set blackhole route, but it's possible with iptable with:
banaction = %(banaction_allports)s
in replace on
action = route[name=auth-ban]

Jail with maxretry to be adapted according to needs:

# 3 ban in 1 hour > Ban for 1 hour
[auth-ban]
enabled = true
filter = bad-auth
logpath = /var/log/syslog
maxretry = 3
findtime = 3600
action = route[name=auth-ban]
bantime = 3600

Action fail2ban: "action.d/route.conf"
blocktype = blackhole

Filter fail2ban: "filter.d/bad-auth.conf"

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Filter "client login failed" in the Syslog

failregex = .* client login failed: .+ client:\ <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

It may also be useful to adjust the bantime of the recidive jail to fine-tune the configuration.

I figured out that I have a lot of connections attempts from weird IPs and wanted to add a jail to fail2ban to block it, but I don't have much knowledge with it. Would you mind share your process to achieve that? That would be super useful! Thanks