View Issue Details

IDProjectCategoryView StatusLast Update
0002229SOGoBackend Generalpublic2013-02-07 13:02
ReporterArnd Assigned Tojraby 
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionfixed 
Product Version2.0.4b 
Fixed in Version2.0.5 
Summary0002229: X-Forwarded-For in sogo.log of fail2ban
Description

In a proxy setup the sogo.log does not show the ip of the acutal client.
This has been discussed in the maillist (http://comments.gmane.org/gmane.comp.groupware.sogo.user/891) in 2010, however it has not been implemented so far.

Printing the X-Forwarded-For into the logile would help to secure sogo via fail2ban (http://www.fail2ban.org)

To secure the account via LDAP password retries is no good solution, because DOS is possible.

I would be able and willing to implement and post fail2ban configuration, after the implementation of this feature request.

TagsNo tags attached.

Activities

jraby

jraby

2013-02-05 14:13

viewer   ~0005340

Fixed with this commit: https://github.com/inverse-inc/sope/commit/b45dbb52984cc5dd62c5a5e589f164dbbc26309f

This will be part of the next nightly build, can you test it and confirm that it works as expected?

If you prepare a fail2ban config, consider posting it (mailling list or here), we could include it in the distribution.

Thanks.

2013-02-06 02:55

 

sogo_mod.log (1,151 bytes)
Arnd

Arnd

2013-02-06 02:56

reporter   ~0005352

Last edited: 2013-02-06 03:01

Hi jraby,
thanks for the quick response!
I'm not quite shure when nightly's are done, however from the github code, the logile will now show the ip instead of "localhost" (attached file).

This would do for my purpose, however I would need to write a script to put together the multiline-output to a single-lined-file, as fail2ban does single-line regexp, only. This could be achieved putting the IP into the error line of the password policy:
"Login for user 'scriptKiddy' might not have worked"
=> "Feb 06 08:22:39 sogod [...] Login for user 'scriptKiddy' from '1.2.3.4' might not have worked [...]"

Than, the regexp for fail2ban is quite ovious:
fail2ban-regex /var/log/sogo/sogo.log "Login for user '.*' from '<HOST>' might not have worked"

fail2ban does:
...
Addresses found:
[1]
1.2.3.4 (Wed Feb 06 08:22:39 2013)
...

so: can you please add a "from '<HOST>'" to the logfile - should be sogod?

ps.: when it works, i'll be happy to provid full fail2ban config for the distro.
pps: the update for libsbjson2.3_4.9.r1664.20130206 works as expected, brillant!

jraby

jraby

2013-02-06 09:35

viewer   ~0005354

Better now?

https://github.com/inverse-inc/sogo/commit/f8387b90ffd3f016f4a4de88577b1280a84aefc8

<pre>
Feb 06 09:21:47 sogod [1906]: <0x0x555555dfc760[LDAPSource]> <NSException: 0x5555560b4b90> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=sogo2,ou=people,dc=example,dc=com"; }
Feb 06 09:21:47 sogod [1906]: SOGoRootPage Login from '192.168.1.31' for user 'sogo2' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
192.168.1.31 - - [06/Feb/2013:09:21:47 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/37 0.006 - - 0

Feb 06 09:22:14 sogod [1906]: SOGoRootPage successful login from '192.168.1.31' for user 'sogo2' - expire = -1 grace = -1
192.168.1.31 - - [06/Feb/2013:09:22:14 GMT] "POST /SOGo/connect HTTP/1.1" 200 27/37 0.059 - - 4K
</pre>

As per the commit message, keep in mind that the x-forwarded-for header may contain more than one ip separated by a coma if the request went through more than one proxy.
eg: X-Forwarded-For: client, proxy1, proxy2

Arnd

Arnd

2013-02-06 10:15

reporter   ~0005358

Now thats awesome, thank you!
i'll prepare jail2ban configruation/filters till tomorow for the nightly and tets them. If all's fine, i'll attach configurations to this bug and tickend can be closed - and i'll mail to users@sogo.nu

I will then hopefully be able to support comma separated ips for multi-hops, or at least to use the first one (orignial client), only.

Arnd

Arnd

2013-02-07 06:07

reporter   ~0005369

Hi jraby,
worked like a charm, so the fail2ban configuration is:

  1. Add jail to /etc/fail2ban/jail.local

    [SOGo]
    enabled = true
    port = http,https

    in proxy-free setup this would be:

    port = 20000

    filter = sogo
    logpath = /var/log/sogo/sogo.log
    maxretry = 5
    <<<

  2. add filter: /etc/fail2ban/filter.d/sogo.conf

    /etc/fail2ban/filter.d/sogo.conf

    #

    Fail2Ban configuration file

    By Arnd Brandes

    SOGo

    #

    [Definition]

    Option: failregex

    Filter Ban in /var/log/sogo/sogo.log

    Note: the error log may contain multiple hosts, whereas the first one

    is the client and all others are poxys. We match the first one, only

    failregex = Login from '<HOST>.' for user '.' might not have worked

    Option: ignoreregex

    Notes.: regex to ignore. If this regex matches, the line is ignored.

    Values: TEXT

    #
    ignoreregex =

<<<

Thank you very much, I think this feature request is compleated now!

Greez
Arnd

Issue History

Date Modified Username Field Change
2013-02-05 10:07 Arnd New Issue
2013-02-05 14:07 jraby Status new => assigned
2013-02-05 14:07 jraby Assigned To => jraby
2013-02-05 14:13 jraby Note Added: 0005340
2013-02-05 14:13 jraby Status assigned => feedback
2013-02-06 02:55 Arnd File Added: sogo_mod.log
2013-02-06 02:56 Arnd Note Added: 0005352
2013-02-06 02:57 Arnd Note Edited: 0005352
2013-02-06 03:01 Arnd Note Edited: 0005352
2013-02-06 09:35 jraby Note Added: 0005354
2013-02-06 10:15 Arnd Note Added: 0005358
2013-02-07 06:07 Arnd Note Added: 0005369
2013-02-07 13:02 jraby Status feedback => resolved
2013-02-07 13:02 jraby Resolution open => fixed
2013-02-07 13:02 jraby Fixed in Version => 2.0.5