
    How to protect webapp -- fail2ban

    Kopano WebApp
    • mcdaniels
      mcdaniels @Sebastian last edited by

      @Sebastian
      Hey, I know the link you mentioned already. ;-)

      This is a nice description, but did not work in my case (different logentry.)

      If I am able to find a solution I will post it!

      • Sebastian
        Sebastian Kopano last edited by

        @mcdaniels ah, ok… ;)

        try something like (untested)

        failregex = client <HOST>:4453] Kopano WebApp user: .*? authentication failure at MAPI
        
        • mcdaniels
          mcdaniels last edited by mcdaniels

          @Sebastian
          As the whole thing is apache-related I included “before = apache-common.conf” in the filter.

          After some fiddling around with regex (never used it before) I got the following “solution”:

          1.) in /etc/fail2ban/filter.d/kopano-webapp-login.conf

          # FILE : /etc/fail2ban/filter.d/kopano-webapp-login.conf
          # Fail2Ban configuration file
          [INCLUDES]
          before = apache-common.conf
          
          [Definition]
          # Option:  failregex
          # Notes.:  regex to match the password failures messages in the logfile. The
          #          host must be matched by a group named "host". The tag "<HOST>" can
          #          be used for standard IP/hostname matching and is only an alias for
          #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
          # Values:  TEXT
          #
          
          failregex =  ^%(_apache_error_client)s Kopano WebApp user: .+?(?=:): authentication failure at MAPI
          
          ignoreregex =
          

          Hint: .+?(?=:) reads all characters until the next ":", which covers any kind of “username given” in the log.

          2.) /etc/fail2ban/jail.local

          [kopano-webapp]
          enabled = true
          port = https
          filter = kopano-webapp-login
          logpath = /var/log/apache2/kopano_ssl_error.log
          
          

          Finally…

          
          2017-03-09 19:20:56,586 fail2ban.actions[26156]: WARNING [kopano-webapp] Ban xx.119.yyy.141
          

          :-)

          This site was a great help: http://regexr.com/

          • umgfoin
            umgfoin @Sebastian last edited by umgfoin

            @Sebastian
            These examples rely on z-push logging IP/host-information to z-push-error.log.

            With config (on Z-Push 2.3.6beta0+3)

            define('LOGLEVEL', LOGLEVEL_WARN);
            define('LOGAUTHFAIL', true);
            

            no IP information reaches the logs - a single unauthorized authentication attempt produces the following lines:

            # cat /var/log/z-push/z-push-error.log
            10/03/2017 10:32:04 [18885] [FATAL] [unknown] Exception: (AuthenticationRequiredException) - Access denied. Please send authorisation information
            10/03/2017 10:32:04 [18885] [FATAL] [unknown] Exception: (AuthenticationRequiredException) - Access denied. Please send authorisation information
            10/03/2017 10:32:17 [17858] [ERROR] [haderlump] KopanoBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111
            10/03/2017 10:32:17 [17858] [ERROR] [haderlump] KopanoBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111
            10/03/2017 10:32:17 [17858] [FATAL] [haderlump] Exception: (AuthenticationRequiredException) - Access denied. Username or password incorrect
            10/03/2017 10:32:17 [17858] [FATAL] [haderlump] Exception: (AuthenticationRequiredException) - Access denied. Username or password incorrect
            

            Is there any other switch to have originating IPs pushed to the logs?

            thanks,
            umgfoin.

            • Sebastian
              Sebastian Kopano @umgfoin last edited by

              @umgfoin Did you look at https://wiki.z-hub.io/display/ZP/Fail2Ban+support?

              You have to enable LOGAUTHFAIL to get this in the log.

              • umgfoin
                umgfoin last edited by umgfoin

                Hi Sebastian,
                it is enabled - the above is my log-output with define('LOGAUTHFAIL', true);.

                • Sebastian
                  Sebastian Kopano @umgfoin last edited by

                  @umgfoin I just tested that because I couldn’t believe it and (of course) you are right.

                  The log message is logged only to the default log file, but not to the error logfile.
                  This is because it’s logged at WARN level and these are not (anymore?) written to the error log.

                   [WARN] [test] IP: 192.168.42.1 failed to authenticate user 'test'
                  

                  I created a ticket for this https://jira.z-hub.io/browse/ZP-1182.
                  There were several changes to the logging for 2.3.x and I thought we did also write warns to the error log before, but I might remember wrong.

                  For now, you could just use the standard z-push.log for fail2ban or change the loglevel of that log statement in index.php, around line 194 to LOGLEVEL_ERROR.

                  • mcdaniels
                    mcdaniels last edited by mcdaniels

                    By the way, I think an even better way is to use this. Just tested. It is not relying on the ":":

                    failregex =  ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI
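                    As an added example (not from this thread, nor from the fail2ban or z-push projects), the following Python script does what fail2ban-regex would: it runs both Kopano WebApp failregex variants from mcdaniels' posts, plus a filter for the z-push.log line Sebastian quoted, over constructed log lines and reports which hosts match. The Apache error-log prefix is a simplified assumption standing in for fail2ban's %(_apache_error_client)s, and all addresses and usernames are made up.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(_apache_error_client)s prefix from
# apache-common.conf (an assumption of this example, not fail2ban's own text).
APACHE_ERROR_CLIENT = r"\[[^]]*\] \[\S+\] \[client <HOST>(?::\d{1,5})?\]"

# Expansion of the <HOST> tag as documented in the filter header in the thread.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex variants from the thread: both Kopano WebApp forms for the
# Apache error log, plus one for the z-push.log line Sebastian quoted.
FILTERS = {
    "webapp-lookahead": "^" + APACHE_ERROR_CLIENT
    + r" Kopano WebApp user: .+?(?=:): authentication failure at MAPI",
    "webapp-dotstar": "^" + APACHE_ERROR_CLIENT
    + r" Kopano WebApp user:.* authentication failure at MAPI",
    "zpush-authfail": r"IP: <HOST> failed to authenticate user '",
}


def failed_hosts(lines, failregex):
    """Return the <HOST> group of every line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST_TAG))
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_over_threshold(lines, failregex, maxretry):
    """Hosts with at least maxretry matching lines, i.e. what fail2ban would ban."""
    counts = Counter(failed_hosts(lines, failregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in the shape of the thread's logs (addresses made up).
APACHE_LINES = [
    "[Thu Mar 09 19:20:55.123456 2017] [php7:notice] [client 203.0.113.7:4453] "
    "Kopano WebApp user: alice: authentication failure at MAPI",
    "[Thu Mar 09 19:20:56.000001 2017] [php7:notice] [client 203.0.113.7:4453] "
    "Kopano WebApp user: bob@example.org: authentication failure at MAPI",
    "[Thu Mar 09 19:21:00.000000 2017] [php7:notice] [client 198.51.100.4:4453] "
    "Kopano WebApp user: carol: authentication failure at MAPI",
    "[Thu Mar 09 19:21:05.000000 2017] [php7:notice] [client 198.51.100.4:4453] "
    "Kopano WebApp: user carol logged in",  # a successful login must not match
]
ZPUSH_LINES = [
    "10/03/2017 10:32:17 [17858] [WARN] [test] IP: 192.168.42.1 "
    "failed to authenticate user 'test'",
    "10/03/2017 10:32:17 [17858] [ERROR] [test] KopanoBackend->Logon(): "
    "login failed with error code: 0xFFFFFFFF80040111",  # no IP, so no match
]

if __name__ == "__main__":
    for name, pattern in FILTERS.items():
        lines = ZPUSH_LINES if name.startswith("zpush") else APACHE_LINES
        print(name, failed_hosts(lines, pattern))
```

Against a real log, fail2ban-regex /var/log/apache2/kopano_ssl_error.log /etc/fail2ban/filter.d/kopano-webapp-login.conf is the authoritative check; this script only shows the matching logic.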
                    • umgfoin
                      umgfoin last edited by umgfoin

                      No worries - dev’s everyday life…

                      and I thought we did also write warns to the error log before, but I might remember wrong.

                      I’m relatively sure, too, it once was logged to z-push-error.
                      And, just verified - IP is logged to standard z-push.log.

                      If working on this - do you see any chance to have HTTP_X_REAL_IP logged, if set?

                      e.g. lib/request/request.php

                      if(isset($_SERVER["REQUEST_METHOD"]))
                          self::$method = self::filterEvilInput($_SERVER["REQUEST_METHOD"], self::LETTERS_ONLY);
                      // TODO check IPv6 addresses
                      if(isset($_SERVER["HTTP_X_REAL_IP"]))
                          self::$remoteAddr = self::filterEvilInput($_SERVER["HTTP_X_REAL_IP"], self::NUMBERSDOT_ONLY);
                      elseif(isset($_SERVER["REMOTE_ADDR"]))
                          self::$remoteAddr = self::filterEvilInput($_SERVER["REMOTE_ADDR"], self::NUMBERSDOT_ONLY);
                      

                      and autodiscover/autodiscover.php

                      if (defined('LOGAUTHFAIL') && LOGAUTHFAIL != false) {
                          if(isset($_SERVER["HTTP_X_REAL_IP"]))
                              $remoteAddrProp = "HTTP_X_REAL_IP";
                          else
                              $remoteAddrProp = "REMOTE_ADDR";

                          // log the address itself, not the name of the $_SERVER key
                          ZLog::Write(LOGLEVEL_WARN, sprintf("Unable to complete autodiscover because login failed for user with email '%s' from IP %s.", $incomingXml->Request->EMailAddress, $_SERVER[$remoteAddrProp]));
                      }
                      

                      This would be great for nginx/php-fpm setups, where you otherwise see only localhost’s ip in the logs or z-push-top.

                      I tried define('USE_X_FORWARDED_FOR_HEADER', true); but this seems not to help in this respect.

                      ++umgfoin.

                      • Sebastian
                        Sebastian Kopano last edited by

                        I created a ticket for the usage of HTTP_X_REAL_IP: https://jira.z-hub.io/browse/ZP-1183

                        • umgfoin
                          umgfoin @Sebastian last edited by

                          @Sebastian
                          Great - thank you!
