from: https://blog.artwolf.in/a?ID=b5e8e2fb-6 ... 694d4376f2
Introduction
RainLoop is a simple web-based mail client. By installing it on a server, you can access your e-mail account from a web browser.
This article uses Fail2Ban as a countermeasure against unauthorized access to RainLoop, banning the IP address of any client that attempts an unauthorized login.
Audience
Administrators who are deploying a RainLoop server.
Environment
Debian 9.9
Fail2Ban 0.9.6-2
RainLoop v1.13.0
Installation of Fail2Ban
Install it with APT.
$ sudo apt install fail2ban
$ sudo service fail2ban start
Installation of RainLoop
Download the "Community edition" from the official RainLoop site and extract it to /var/www/rainloop/.
The basic configuration is omitted here because it is described in other articles.
Measures against unauthorized access
Change the settings of both RainLoop and Fail2Ban.
Set the log output of RainLoop
The RainLoop configuration file is located at /var/www/rainloop/data/_data_/_default_/configs/application.ini.
Change the following items in the [logs] section. The time zone used for log output defaults to UTC, so align it with Japan Standard Time (the system time zone).
In addition, set the file name of the log that is output to auth-fail.log.
application.ini
time_offset = 9 ;<----------------!!!!!!!! VERY IMPORTANT !!!!!!!! <---------------
auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.log"
auth_logging_format = "[{date:Y-m-d H:i:s}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
Add the settings to Fail2Ban
Create /etc/fail2ban/filter.d/rainloop.conf and define a filter that matches the output written to auth-fail.log.
rainloop.conf
[Definition]
# <HOST> is Fail2Ban's placeholder for the client address that gets banned
failregex = Auth failed: ip=<HOST> user=.* host=.* port=.*$
In addition, create /etc/fail2ban/jail.local and add the settings for RainLoop. Here, set filter to the filter.d/rainloop.conf you created, and specify auth-fail.log as the target log.
jail.local
[rainloop]
enabled = true
filter = rainloop
logpath = /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth-fail.log
Once you have created the configuration files, load the configuration with the fail2ban-client command.
$ sudo fail2ban-client reload
As a result, based on the settings in jail.conf, the IP address of a client that fails to log in five times within 600 seconds is banned for 600 seconds, and iptables is set to block its access to the server. Note that if you want to change these settings, do not edit jail.conf; instead, add the new items to jail.local, which overrides it.
Operation check
You can check failed logins and the targets of a ban in /var/log/fail2ban.log. In addition, the iptables -L command shows that Chain f2b-rainloop has been added.
Note that while checking the operation, you may be banned yourself and become unable to connect to the server via SSH during the ban, so be careful.
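The following is an added example, not part of the original article or of Fail2Ban's code: it replays constructed log lines in the auth_logging_format shown above through the rainloop.conf failregex and applies the five-failures-within-600-seconds rule. The IPv4-only stand-in for <HOST>, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from rainloop.conf; <HOST> is Fail2Ban's placeholder for the client address.
FAILREGEX = r"Auth failed: ip=<HOST> user=.* host=.* port=.*$"
# Assumption: simplified IPv4-only stand-in; Fail2Ban's own <HOST> also covers IPv6 and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Timestamp prefix written by auth_logging_format: [{date:Y-m-d H:i:s}]
LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<rest>.*)$")
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
MAXRETRY = 5    # failures before a ban, as stated in the article
FINDTIME = 600  # seconds in which those failures must occur


def banned_ips(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs, in ban order, that reach maxretry failures within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    banned = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = FAIL_RE.search(m.group("rest")) if m else None
        if not hit:
            continue  # no timestamp or not an auth failure: ignored
        ip = hit.group("host")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def sample(ip, minute_marks):
    # Constructed sample lines in the article's auth_logging_format.
    return [f"[2019-06-01 10:{m:02d}:00] Auth failed: ip={ip} user=alice host=127.0.0.1 port=143"
            for m in minute_marks]


# Constructed log: 203.0.113.7 fails 5 times in 4 minutes; 198.51.100.9 fails 5 times over 48 minutes.
SAMPLE_LOG = sample("203.0.113.7", [0, 1, 2, 3, 4]) + sample("198.51.100.9", [0, 12, 24, 36, 48])

if __name__ == "__main__":
    print(banned_ips(SAMPLE_LOG))
```

On the server itself, running fail2ban-regex against auth-fail.log and filter.d/rainloop.conf tests the real filter rather than this simplified model.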
Banning unauthorized access to RainLoop with Fail2Ban