docker-mailserver + roundcube + fail2ban = one user locks out everybody

[peracchi]

I have docker-mailserver on one container and roudcube on another container.

Both are "connected" by an internal docker network "caddy_net". I use Caddy as reverse proxy.

Roundcube reaches docker-mailserver by name using an internal IP like 172.18.0.1.

When one user types the wrong password fail2ban prevents everybody using Roundcube webmail from login.

Any ideas on how to prevent this behavior and/or log/ban the remote IP of the user instead of container's internal IP?

[pvergezac]

Fail2ban use user ip to block retry attempt from user, but your revers-proxy mask real user ip.
Configure Caddy to send X-Forwarded-for http header.

[peracchi]

Thanks for the idea, trying to implement right now!

I put on my Caddyfile

        reverse_proxy http://roundcube:80 {
                header_up X-Real-IP {remote_host}
        }

Roundcube's container received the real IP

errors: <6fc8ae37> IMAP Error: Login failed for user@domain against mail.domain from 172.18.0.6 (X-Real-IP: x.y.z.w,X-Forwarded-For: x.y.z.w). AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)

But in docker-mailserver only the internal IP address of the Docker's gateway, that is 172.18.0.1, is registered.

May 29 15:58:04 mail dovecot: auth: ldap(user@domain,172.18.0.1,<BHKLHivgzNisEgAB>): Password mismatch (for LDAP bind) (SHA1 of given password: 2e6f9b)
May 29 15:58:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@domain>, method=PLAIN, rip=172.18.0.1, lip=172.18.0.14, TLS, session=<BHKLHivgzNisEgAB>

Do you know wher else I can look/change?

[wernerfred]

Read this Page: https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/mailserver-behind-proxy/

It might help according to your setup

[casperklein]

You could whitelist the Roundcube container in docker-mailserver's fail2ban and use a separate fail2ban in the roundcube container directly.

[peracchi]

I noticed that Roundcube's container gets the Caddy container IP - 172.18.0.6 - and the real IP - x.y.z.w - that is using Firefox to get to Roundcube.

Docker-mailserver appears "to see" only the Docker's network gateway IP - 172.18.0.1 - and his own IP - 172.18.0.14.

@casperklein I am trying to figure out how to use your suggestion.

[casperklein]

Both are "connected" by an internal docker network "caddy_net". I use Caddy as reverse proxy.

You should be able to reach your roudcube container as well from within the DMS container.

apt update
apt install iputils-ping
ping roundcube # should be the container name

You can adjust the fail2ban settings. The option you might add is:

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = roundcube

Not testet, but I think this should work.

[peracchi]

I created the file fail2ban-fail2ban.cf with the content ignoreip = roundcube inside my directory ~/docker/mailserver/config and after issue a docker-compose restart the file /etc/fail2ban/fail2ban.local with ignoreip = roundcube was created inside docker-mailserver container.

Tried to login four times with wrong password, apparently do not banned my IP.

But an error is showing now when I issue ~/docker/mailserver/setup.sh fail2ban

2022-05-29 16:53:00,316 fail2ban                [3958]: ERROR   Init of command line failed
[   INF   ]  No IPs have been banned

[peracchi]

On which file inside my ./config directory I must put ignoreip = roundcube?

fail2ban-jail.cf or fail2ban-fail2ban.cf

[peracchi]

When I tried to put ignoreip = roundcube in fail2ban-jail.cf I got another error when I issue ~/docker/mailserver/setup.sh fail2ban

2022-05-29 17:15:37,174 fail2ban                [3296]: ERROR   Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
[   INF   ]  No IPs have been banned

[casperklein]

On which file inside my ./config directory I must put ignoreip = roundcube?

fail2ban-jail.cf or fail2ban-fail2ban.cf

fail2ban-jail.cf

The file should look like:

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = roundcube

[peracchi]

I just observed that only two attempts with wrong password put the address in the ban list. I thought that were three attempts...

Roundcube log

errors: <5f1e8733> IMAP Error: Login failed for user@domain against mail.domain from 172.18.0.6 (X-Real-IP: x.y.z.w,X-Forwarded-For: x.y.z.w). AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
172.18.0.6 - - [29/May/2022:20:26:34 +0000] "POST /?_task=login HTTP/1.1" 401 3105 "https://mail.domain/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"

errors: <5f1e8733> IMAP Error: Login failed for user@domain against mail.domain from 172.18.0.6 (X-Real-IP: x.y.z.w,X-Forwarded-For: x.y.z.w). AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
172.18.0.6 - - [29/May/2022:20:26:58 +0000] "POST /?_task=login HTTP/1.1" 401 3104 "https://mail.domain/?_task=login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"

Docker-Mailserver log

May 29 17:26:39 mail dovecot: auth: ldap(user@domain,172.18.0.1,<cpZWWyzgwoGsEgAB>): Password mismatch (for LDAP bind) (SHA1 of given password: 17f9b6)

May 29 17:26:58 mail dovecot: auth: ldap(user@domain,172.18.0.1,</eWBXCzgzt6sEgAB>): Password mismatch (for LDAP bind) (SHA1 of given password: 96a62c)

setup.sh

echo ; ~/docker/mailserver/setup.sh fail2ban ; echo

Banned in dovecot: 172.18.0.1