Good morning,
I tested fail2ban today to check whether it works. It was a bit weird. I opened the website from outside my network to log on to SOGo. I tried to log in with a wrong password to do the check. After 3 times I got an email that the IP address xxx.xxx.xxx.xx is banned. The weird thing is that the IP address was my own external address. Can someone confirm this?
Hi @hucky ,
This means that F2B works correctly.
If you don't want your IP (or others) to be banned, put it in the white list.
Nope, it is not. Normally the IP that tries to log on should be banned, not the external address of my server, right?
But you said that you have tried to login from outside your network (LAN).
This means that you reach the server from WAN (external IP).
Can you find your IP in the SOGo log?
Use grep:
grep -srni "xxxxxxxx" /var/log/sogo*
Post the relevant part.
Sure, otherwise it makes no sense. If someone tries to log on at, for example, the SOGo web GUI, it has to ban the IP address of the system that tries to log on, not my external IP address, right? Because if fail2ban only bans my external IP address the attack goes on, since the IP address of the system that tries to log in is not banned.
Sorry!
You are right!
My mistake!
The IP from where you try to login should be banned, not your server IP!
I don't find the IP in the sogo.log. The SOGo log shows:
Feb 23 08:40:46 sogod [2973]: SOGoRootPage Login from "xxx.xxx.xxx." for user "Hgjg" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Feb 23 08:40:46 sogod [2973]: xxx.xxx.xxx.xxx "POST /SOGo/connect HTTP/1.1" 403 34/57 0.070 - - 0
Feb 23 08:40:47 sogod [2973]: <0x0x7f927e99baf0[LDAPSource]> <NSException: 0x7f927fea4a00> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "samaccountname=Hgjg,dc=xxx.xxx.,dc=lan"; }
2017-02-23 08:40:47.753 sogod[2973:2973] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet …
Feb 23 08:40:47 sogod [2973]: SOGoRootPage Login from "xxx.xxx.xxx.xxx" for user "Hgjg" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Login from "xxx.xxx.xxx.xxx" for user "Hgjg" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Sorry, in that part it shows my external web address, like:
Login from "test.sogo.de" for user "Hgjg" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
I think your password has expired by one day.
Nope, that user does not exist and the password was only a silly test password. I think that SOGo uses the external domain address in the log; if that is the case, fail2ban cannot ban correctly.
Would you mind sending me the full SOGo log by email? I would like to look at something.
Probably the gateway of NS gives back wrong information to SOGo.
Can you try on the LAN (uncheck the LAN exception in the fail2ban pane)?
@hucky @GG_jr @all I need your help here.
Well… simply, we do a reverse proxy to have a nice URL/SOGo instead of URL:20000, and SOGo keeps the incoming IP/domain name. I should/could do some fights with mod_remoteip or find a workaround like I did sometime.
Do in a terminal:
tailf /var/log/httpd/ssl_access_log
and take a look whether the external IP is well caught.
For a bad login I have:
192.168.12.25 - - [23/Feb/2017:18:51:11 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
For a good login I have:
192.168.12.25 - - [23/Feb/2017:18:55:58 +0100] "POST /SOGo/connect HTTP/1.1" 200 41
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo//toto HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo//toto/view HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo/so/toto/Mail HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo/so/toto/Mail/view HTTP/1.1" 200 19077
For me it is enough to write a custom rule if I need it, because I have the IP.
Are the bad login lines also the same as mine on your server, and is the external IP well caught?
@hucky you are great
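Added example, not code from the thread or from NethServer: a fail2ban-style failregex for the httpd ssl_access_log lines posted above, where the client IP is still intact, exercised offline over constructed sample lines. The filter name, the 203.0.113.7 address and the maxretry value are assumptions; fail2ban's own <HOST> expansion and findtime window are only approximated here.

```python
import re
from collections import Counter

# What /etc/fail2ban/filter.d/sogo-httpd.local (assumed name) would carry.
# fail2ban expands <HOST> itself; compile_failregex() does it for this offline run.
FAILREGEX = r'^<HOST> - - \[[^\]]+\] "POST /SOGo/connect HTTP/1\.[01]" 403 '

# Constructed sample log, modelled on the ssl_access_log lines quoted in the thread.
# 192.168.12.25 fails once then succeeds; 203.0.113.7 (constructed) fails three times.
SAMPLE_LOG = """\
192.168.12.25 - - [23/Feb/2017:18:51:11 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
192.168.12.25 - - [23/Feb/2017:18:55:58 +0100] "POST /SOGo/connect HTTP/1.1" 200 41
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo//toto HTTP/1.1" 302 -
203.0.113.7 - - [23/Feb/2017:19:02:10 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
203.0.113.7 - - [23/Feb/2017:19:02:12 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
203.0.113.7 - - [23/Feb/2017:19:02:15 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern (only <HOST> is expanded)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def count_failures(log_text, failregex=FAILREGEX):
    """Count failed SOGo logins per client address (a 403 on POST /SOGo/connect)."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.match(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=3, failregex=FAILREGEX):
    """Addresses reaching maxretry failures; the whole sample is treated as one findtime window."""
    failures = count_failures(log_text, failregex)
    return sorted(host for host, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

The successful login (200) and the follow-up GETs never count, so a legitimate user who mistypes once is not pushed toward the ban threshold.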
I'm sorry @stephdl,
I don't have SOGo on NS7.
Gabriel
PS:
@stephdl: but I have SOGo on NS 6.8.
The error for the invalid credentials is because the user is "user@mydomain.tld", not "user". Please see the attached picture.
The IP, 10.0.0.1, is good.
Gabriel
Can you try to use SOGo on NS 6.8 from outside and see if the IP is good in the SOGo log?
Is 10.0.0.1 the IP of the server or of the client you used?
First time I was logged through VPN to LAN (10.0.0.1 is from DMZ).
Now, from "outside". 188.26.134.112 is my "residential IP".
Therefore the problem is against NS7, fun.
I can try to install SOGo (but which version?) on NS7 and test both situation.
I hope I will not fight with WebTop 5!
nethserver-sogo from nethforge