Discussion:
[Fwd: Re: CentOS + Kolab + Fail2Ban + IMAP]
ladas
2018-05-07 09:39:50 UTC
Hi Mihai.
Unfortunately not. Since the last update I can see in the Roundcube logs only
HTTPS access to the Roundcube web interface. Nothing more :(
ladas
This should be in Apache's log, or better in Roundcube's, if failed
logins are logged, but probably you will need to adjust the filters.
Good morning to everyone on the user list.
Does anyone have experience with how to detect the IP address of bad logins over
the IMAP protocol? In the maillog I can see only the 127.0.0.1 IP address, and in
the guam logs there is nothing :( On Windows I can use Outlook with
ActiveSync, where the source IP is logged, but on Linux with the Evolution
or Kontact client I can only use the IMAP protocol. Unfortunately I
did not find the "attacker" source IP address + IMAP bad login notice
in any log :(
Thank you for any ideas.
Greetings,
ladas
_______________________________________________
users mailing list
https://lists.kolab.org/mailman/listinfo/users
Lars
2018-05-10 17:39:54 UTC
Hi ladas,

look at

/var/log/roundcubemail/userlogins

I get something like

[15-Mar-2018 13:20:31,062769 +0100]: <vtn5nchc> Failed login for ...
from 91.109.28.144 in session vtn5nchcuuphqc2nlnu3koom66 (error: 0)

HTH
Lars
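As an added example (not code from this thread), the userlogins line Lars quotes, written as a fail2ban-style failregex and run over constructed sample lines; it also shows why the 127.0.0.1 entries ladas sees behind guam are useless for a firewall ban. The <HOST> substitution is a simplified stand-in for fail2ban's own, and the sample usernames and session ids are made up.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Shape of a /var/log/roundcubemail/userlogins line, as quoted by Lars:
# [15-Mar-2018 13:20:31,062769 +0100]: <vtn5nchc> Failed login for ... from 91.109.28.144 in session ... (error: 0)
# Written as a fail2ban-style failregex: <HOST> is the tag fail2ban fills in itself.
FAILREGEX = r"^\[[^\]]+\]: <\w+> Failed login for \S+ from <HOST> in session \w+"

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern.
    Simplified stand-in for fail2ban's own <HOST> substitution (assumption, not its code)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))

def failed_logins_by_ip(lines, failregex=FAILREGEX):
    """Count failed-login lines per source address, as a fail2ban filter would."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def usable_for_ban(ip):
    """False for loopback: behind a proxy such as guam every IMAP client looks like
    127.0.0.1, so a firewall rule on that address would only lock out the proxy."""
    try:
        return not ip_address(ip).is_loopback
    except ValueError:
        return False

def ban_candidates(hits, maxretry=3):
    """Addresses at or over maxretry that a firewall rule could sensibly act on."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry and usable_for_ban(ip))

# Constructed sample log (usernames, session ids and the 127.0.0.1 lines are made up).
SAMPLE_LOG = """\
[15-Mar-2018 13:20:31,062769 +0100]: <vtn5nchc> Failed login for alice from 91.109.28.144 in session vtn5nchcuuphqc2nlnu3koom66 (error: 0)
[15-Mar-2018 13:20:35,100000 +0100]: <vtn5nchc> Failed login for alice from 91.109.28.144 in session vtn5nchcuuphqc2nlnu3koom66 (error: 0)
[15-Mar-2018 13:20:40,200000 +0100]: <vtn5nchc> Failed login for admin from 91.109.28.144 in session vtn5nchcuuphqc2nlnu3koom66 (error: 0)
[15-Mar-2018 13:21:02,300000 +0100]: <ab12cd34> Successful login for bob (ID: 2) from 203.0.113.7 in session ab12cd34ef56gh78ij90kl12mn34
[15-Mar-2018 13:22:10,400000 +0100]: <ef56gh78> Failed login for bob from 127.0.0.1 in session ef56gh78ij90kl12mn34op56qr78 (error: 0)
[15-Mar-2018 13:22:11,500000 +0100]: <ef56gh78> Failed login for bob from 127.0.0.1 in session ef56gh78ij90kl12mn34op56qr78 (error: 0)
[15-Mar-2018 13:22:12,600000 +0100]: <ef56gh78> Failed login for bob from 127.0.0.1 in session ef56gh78ij90kl12mn34op56qr78 (error: 0)
""".splitlines()

print(ban_candidates(failed_logins_by_ip(SAMPLE_LOG)))  # ['91.109.28.144']
```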
Skale, Franz
2018-05-11 09:00:31 UTC
Hi,
Therefore I disabled guam and have written my own fail2ban rules
(Postfix, cyrus, roundcube).
Also, the current guam version isn't stable. I posted a strace some time
ago (orphaned threads).
It's quite easy to disable guam!
Disable the service (systemctl disable guam.service).
Change /etc/cyrus.conf to bind to the relevant ports (disabling guam).
E.g:
# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
    # add or remove based on preferences
    imap        cmd="imapd" listen="hostname.domain.com:imap" prefork=10
    imaps       cmd="imapd -s -T 660" listen="hostname.domain.com:imaps" prefork=10
    pop3        cmd="pop3d" listen="hostname.domain.com:pop3" prefork=5
    pop3s       cmd="pop3d -s -T 660" listen="hostname.domain.com:pop3s" prefork=5
    sieve       cmd="timsieved" listen="hostname.domain.com:sieve" prefork=0

    imaplocal   cmd="imapd" listen="localhost:imap" prefork=10
    imapslocal  cmd="imapd -s -T 660" listen="localhost:imaps" prefork=10
    pop3local   cmd="pop3d" listen="localhost:pop3" prefork=5
    pop3slocal  cmd="pop3d -s -T 660" listen="localhost:pop3s" prefork=5
    sievelocal  cmd="timsieved" listen="localhost:sieve" prefork=0

    ptloader    cmd="ptloader -d9" listen="/var/lib/imap/ptclient/ptsock" prefork=1

    # these are only necessary if receiving/exporting usenet via NNTP
    #nntp       cmd="nntpd" listen="nntp" prefork=3
    #nntps      cmd="nntpd -s" listen="nntps" prefork=1

    # at least one LMTP is required for delivery
    #lmtp       cmd="lmtpd" listen="lmtp" prefork=0
    lmtpunix    cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

    # this is only necessary if using notifications
    notify      cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

Rgds.
Franz
Hi everybody.
Yes, that is the problem. I can see that some user tries to log in
without success, but the IP address is localhost 172.0.0.1, and this is not
possible to use for fail2ban. I need to get the correct source IP address
of the client to be able to use it in a firewall rule.
Greetings,
ladas
If not, you should set $config['log_logins'] = true; in
/etc/roundcubemail/config.inc.php
The question was about IMAP. What webmail does is irrelevant. PS: I
don't know if Guam implements any options to log the IP or pass the
real IP to cyrus.
L.Slanina
2018-05-14 21:09:59 UTC
Hi everybody.
Sorry for the late answer, I was out of my office.
Thank you Franz for the advice. At the beginning it seemed complicated, but
in the end copy/paste and a bit of modification and it works! I found the
correct IPs in the maillog, so it works with fail2ban too, which was my
target. Thank you very much for the help.
Greetings, ladas
Mihai Badici
2018-05-10 18:59:21 UTC
Ah right, it's about guam. I don't use it and I considered the logins
from 127.0.0.1 as coming from roundcube, my fault...