Sogo doesn't display the right incoming IP in its logs

Good morning,
I tested fail2ban today to see whether it works. It was a bit weird. I opened the website from outside my network to log on to SOGo. I tried to log in with a wrong password to do the check. After 3 times I got an email that the IP address xxx.xxx.xxx.xx is banned. The weird thing is that the IP address was my own external address. Can someone confirm this?

1 Like

Hi @hucky ,

This means that F2B works correctly.
If you don't want your IP (or others) to be banned, put it in the whitelist.

Nope, it is not. Normally the IP that is trying to log on should be banned, but not the external address of my server, right?

But you said that you have tried to login from outside your network (LAN).
This means that you reach the server from WAN (external IP).

Can you find your IP in the SOGo log?

Use grep:

grep -srni 'xxxxxxxx' /var/log/sogo*

Post the relevant part.

Sure, otherwise it makes no sense. If someone tries to log on at, for example, the SOGo web GUI, it has to ban the IP address of the system that is trying to log on, not my external IP address, right? Because if fail2ban only bans my external IP address, the attack goes on, since the IP address of the system that is trying to log in is not banned.

Sorry!
You are right!
My mistake!
The IP from where you try to log in should be banned, not your server IP!

I don't find the IP in sogo.log. The SOGo log shows:

Feb 23 08:40:46 sogod [2973]: SOGoRootPage Login from 'xxx.xxx.xxx.' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Feb 23 08:40:46 sogod [2973]: xxx.xxx.xxx.xxx "POST /SOGo/connect HTTP/1.1" 403 34/57 0.070 - - 0
Feb 23 08:40:47 sogod [2973]: <0x0x7f927e99baf0[LDAPSource]> <NSException: 0x7f927fea4a00> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "samaccountname=Hgjg,dc=xxx.xxx.,dc=lan"; }
2017-02-23 08:40:47.753 sogod[2973:2973] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet 

Feb 23 08:40:47 sogod [2973]: SOGoRootPage Login from 'xxx.xxx.xxx.xxx' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Feb

Login from 'xxx.xxx.xxx.xxx' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

Sorry, in that part it shows my external web address, like:

Login from 'test.sogo.de' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0

I think your password has expired by one day.

Nope, that user does not exist and the password was only a silly test password. I think that SOGo uses the external domain address in the log; if it is that way, fail2ban cannot ban correctly.

Would you mind sending me the full SOGo log by email? I would like to look at something.

Probably the gateway of NS gives back wrong information to SOGo.

Can you try on the LAN (uncheck the LAN exception in the fail2ban pane)?

@hucky @GG_jr @all I need your help here.

Well, simply we do a reverse proxy to have a nice URL/SOGo instead of URL:20000, and SOGo keeps the incoming IP/domain name. I should/could do some fights with mod_remoteip or find a workaround as I did some time ago.

Do in a terminal:

tailf /var/log/httpd/ssl_access_log

and take a look whether the external IP is caught correctly.

For a bad login I have:

192.168.12.25 - - [23/Feb/2017:18:51:11 +0100] "POST /SOGo/connect HTTP/1.1" 403 34

For a good login I have:

192.168.12.25 - - [23/Feb/2017:18:55:58 +0100] "POST /SOGo/connect HTTP/1.1" 200 41
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo//toto HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo//toto/view HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo/so/toto/Mail HTTP/1.1" 302 -
192.168.12.25 - - [23/Feb/2017:18:56:00 +0100] "GET /SOGo/so/toto/Mail/view HTTP/1.1" 200 19077

For me it is enough to write a custom rule if I need it, because I have the IP.

Are the bad-login lines on your server the same as mine, and is the external IP caught correctly?

@hucky you are great :slight_smile:

1 Like
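The two log sources discussed in this thread behave differently behind the reverse proxy: the SOGo "Login from ..." line carries whatever sogod saw as the peer (here the proxy's address or the public hostname), while the Apache access log for POST /SOGo/connect with status 403 carries the real client address. The following is an added example, not code from the thread or from NethServer, that applies fail2ban-style failregex patterns to both formats and shows why only the access-log match produces a bannable IP. The sample log lines are constructed (the hostname, the 203.0.113.45 client and the 192.168.12.25 LAN address are placeholders); the regexes are my own and not fail2ban's shipped filters.

```python
import re
from ipaddress import ip_address

# Constructed sample lines (not the thread's real logs). The first SOGo line
# mirrors what the thread reports: behind the reverse proxy, sogod logs the
# public hostname instead of the client IP. The second SOGo request line shows
# the proxy's loopback address as the peer.
SOGO_LOG = """\
Feb 23 08:40:46 sogod [2973]: SOGoRootPage Login from 'test.sogo.example' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Feb 23 08:40:46 sogod [2973]: 127.0.0.1 "POST /SOGo/connect HTTP/1.1" 403 34/57 0.070 - - 0
Feb 23 08:41:02 sogod [2973]: SOGoRootPage Login from '192.168.12.25' for user 'Hgjg' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
"""

# The Apache ssl_access_log sees the actual TCP peer, so the WAN client shows up.
HTTPD_LOG = """\
203.0.113.45 - - [23/Feb/2017:08:40:46 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
192.168.12.25 - - [23/Feb/2017:08:41:02 +0100] "POST /SOGo/connect HTTP/1.1" 403 34
192.168.12.25 - - [23/Feb/2017:08:42:10 +0100] "POST /SOGo/connect HTTP/1.1" 200 41
"""

# fail2ban-style failregex patterns (hypothetical, written for this example).
# fail2ban's <HOST> accepts an IP or a hostname; we capture the field and then
# decide separately whether it is something a firewall rule can act on.
SOGO_FAILREGEX = re.compile(
    r"SOGoRootPage Login from '(?P<host>[^']+)' for user '[^']*' might not have worked"
)
HTTPD_FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "POST /SOGo/connect HTTP/1\.[01]" 403 '
)


def extract_hosts(log_text, pattern):
    """Return the <host> field of every line matching the failregex, in order."""
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def is_ip(host):
    """True if the captured field is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def bannable(hosts, whitelist=()):
    """Keep only literal, non-loopback, non-whitelisted IPs: a hostname or the
    proxy's own 127.0.0.1 is useless (or harmful) as a ban target."""
    return [
        h for h in hosts
        if is_ip(h) and not ip_address(h).is_loopback and h not in whitelist
    ]


if __name__ == "__main__":
    sogo_hosts = extract_hosts(SOGO_LOG, SOGO_FAILREGEX)
    httpd_hosts = extract_hosts(HTTPD_LOG, HTTPD_FAILREGEX)
    print("SOGo log matches:  ", sogo_hosts, "-> bannable:", bannable(sogo_hosts))
    print("httpd log matches: ", httpd_hosts, "-> bannable:",
          bannable(httpd_hosts, whitelist={"192.168.12.25"}))
```

Running it shows the SOGo filter yielding the hostname for the WAN attempt (nothing to ban) while the access-log filter yields 203.0.113.45; with the LAN address whitelisted, that is the only address left to ban. This is the same reasoning behind stephdl's suggestion to build the fail2ban rule on ssl_access_log, or to make Apache pass the client address through with mod_remoteip so that sogod logs it itself.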

I’m sorry @stephdl ,

I don’t have SOGo on NS7.

Gabriel

PS:

@stephdl: but I have SOGo on NS 6.8.

The error for the invalid credentials is because the user is “user@mydomain.tld”, not “user”. Please see the attached picture.

The IP, 10.0.0.1, is good.

Gabriel

1 Like

Can you try to use SOGo on NS 6.8 from outside and see if the IP is good in the SOGo log?

Is 10.0.0.1 the IP of the server or of the client you used?

The first time I was logged in through VPN to the LAN (10.0.0.1 is from the DMZ).
Now, from "outside". 188.26.134.112 is my "residential IP".

Therefore the problem is against NS7, fun :stuck_out_tongue:

I can try to install SOGo (but which version?) on NS7 and test both situations.
I hope I will not fight with WebTop 5!

nethserver-sogo from nethforge

1 Like