Sogo doesn't display the right incoming IP in its logs

OK!
Give me half an hour, please.

1 Like

the night if you need :slight_smile:

I’m at my linux user group, it is my social day

1 Like

Not needed!

So:

  1. → The IP (10.0.0.33) of the email server, from DMZ. Connected to SOGo Web GUI through VPN.

2.a. → FQDN of the email server. Connected to SOGo Web GUI from WAN.

2.b. → The IP of the email server. Connected to SOGo Web GUI from WAN.

The conclusion:

On NS 6.8 final with SOGo 2.3.10, the IPs in log were the IPs of the client.

On NS 7.3 final with SOGo 3.2.7, the IPs in log were the IPs of the server.

3 Likes

With tailf /var/log/httpd/ssl_access_log I can confirm that the right IPs are displayed. So how can we make SOGo do it the same way?

Hi @hucky, I was looking for your answer. We have something strange with the combination of SOGo and NS7. I don't know yet whether the culprit is SOGo or something tricky in the firewall/gateway.

Can you try to get yourself banned from outside your LAN with the ssh jail and take a look at /var/log/messages to see if the right IP is written in the log?

As a workaround we can use the ssl_access_log to create a custom sogo jail if needed.

I played a bit with mod_remoteip today but it still doesn't work. Also, I am not sure in general which IPs are displayed in the logs of NS7, because other logs also don't display the remote IP address, from my point of view now.

From outside it is not possible for me, because I only have SSH access from the internal network.

open it just for a test purpose :slight_smile:

We have the same behaviour with the SOGo nightly build, therefore our community build is not the cause.

The IP 84.46.37.244 has just been banned by Fail2Ban after
3 attempts against sshd.
yep, worked

1 Like

with fail2ban, you can open your port to external for ssh. If you are paranoid, then forbid the root access, change the port, and the attacker will try the next server.

therefore the problem is sogo related 


^^ have a different port etc.

@giacomo @davidep I tested different things with sogo

ns6 and sogo2 (nethforge) -> good incoming IP in /var/log/sogo/sogo.log
ns6 and sogo3 (nightly) -> good incoming IP in /var/log/sogo/sogo.log

ns7 and sogo2 -> bad incoming IP in /var/log/sogo/sogo.log
ns7 and sogo3 -> bad incoming IP in /var/log/sogo/sogo.log

ns7 and sogo2 (nightly) -> bad incoming IP in /var/log/sogo/sogo.log
ns7 and sogo3 (nightly) -> bad incoming IP in /var/log/sogo/sogo.log

I guess something NS7 specific in apache with the reverse proxy, or maybe in the shorewall/gateway side (but the fail2ban ssh jail is good so it should not come).

If you have some clues, I will be interested

3 Likes

I think you’re on the right track!

got it @hucky can you test

in /etc/httpd/conf.d/SOGo.conf

line 41
- RequestHeader set “x-webobjects-remote-host” %{REQUEST_HOST}e
+ # RequestHeader set “x-webobjects-remote-host” %{REQUEST_HOST}e
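Review bot: commenting out line 41 means Apache no longer overwrites x-webobjects-remote-host, so a value sent by the client under that name is forwarded to the backend unchanged. Since this log feeds the sogo-auth jail, consider replacing the line with RequestHeader unset "x-webobjects-remote-host" rather than only commenting it out, and confirm which header SOGo then takes the address from. Also note that the quotes around the header name are typographic here; in the real file they must be plain double quotes.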

then

systemctl restart httpd

4 Likes
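One way to check whether the change above took effect, as an added example that is not part of the original thread: it classifies the source of each failed login in sogo.log as a client address, the server's own address, or a hostname (cases 1, 2.a and 2.b earlier in the thread). The log line shape is an assumption modelled on the line fail2ban's sogo-auth filter matches; the function names, 203.0.113.7 and mail.example.org are constructed for illustration, and 10.0.0.33 is the server address quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed line shape, modelled on the failed-login line that fail2ban's
# sogo-auth filter matches; adjust if your SOGo version logs differently.
LOGIN_FAIL = re.compile(
    r"sogod \[\d+\]: SOGoRootPage Login from '(?P<src>[^']*)' "
    r"for user '[^']*' might not have worked"
)

def classify(src, server_ips):
    """Return 'client', 'server' or 'hostname' for a logged login source."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "hostname"          # e.g. the FQDN case (2.a) in the thread
    if ip.is_loopback or ip in server_ips:
        return "server"            # proxy/server address, useless for banning
    return "client"

def audit(lines, server_ips):
    """Count failed-login sources per class across SOGo log lines."""
    server = {ipaddress.ip_address(a) for a in server_ips}
    seen = {"client": Counter(), "server": Counter(), "hostname": Counter()}
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            seen[classify(m.group("src"), server)][m.group("src")] += 1
    return seen

def jail_usable(seen):
    """True only if every failed login carries a real client address."""
    return bool(seen["client"]) and not seen["server"] and not seen["hostname"]

# Constructed sample lines (not taken from a real log).
TAIL = " might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0"
BEFORE_FIX = [
    "Mar 07 21:14:02 sogod [2211]: SOGoRootPage Login from '10.0.0.33' for user 'alice'" + TAIL,
    "Mar 07 21:15:40 sogod [2211]: SOGoRootPage Login from 'mail.example.org' for user 'alice'" + TAIL,
]
AFTER_FIX = [
    "Mar 07 21:40:11 sogod [2305]: SOGoRootPage Login from '203.0.113.7' for user 'alice'" + TAIL,
]

if __name__ == "__main__":
    for name, lines in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        seen = audit(lines, ["10.0.0.33"])
        print(name, {k: dict(v) for k, v in seen.items()}, "usable:", jail_usable(seen))
```

To run it against a live system, pass the lines of /var/log/sogo/sogo.log and the server's own addresses to audit() instead of the sample lists.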

yep, it worked :slight_smile:
The IP 84.46.37.244 has just been banned by Fail2Ban after
3 attempts against sogo-auth.

3 Likes

I have a better fix, it is coming as an rpm

@huky @GG_jr

yum install nethserver-sogo --enablerepo=nethforge-testing

if it is good we will release it

1 Like

I guess there is something wrong, I got a lot of # but not a status that it has updated

Okay, now I got updated

Okay, everything seems to work right now, great job Stephdl!!!

2 Likes