Fail2ban details

readyfireaim

Hello,

I am getting the Fail2ban notifications via watchdog just fine, but I can’t tell what service is being attacked. The whois information is great, but how do I get information on which service is being used? I assume they are after postfix and I would like to block larger subnets from Russia and Chine for instance, but I would like to limit them to port 25 or 993 for instance.

Thank you!

D4niel

The service isn’t mentioned in the mail, no. If I wanna know I usually just check the IP address in the logs on the admin interface. It’s usually 95% postfix and 5% mailcow UI.

But most of the time I don’t have a reason to check, because mailcow just does its thing. If I get a lot of reports of the same IP or subnet I blacklist it in the settings.

readyfireaim

Thanks Ares,

That’s still pretty cumbersome unfortunately. I’m somewhat familiar with fail2ban. What I’m looking for should be just the variables passed to the action line like:

sendmail-whois[name=sasl, dest=you@example.com]

I assume that’s just a GitHub request for Fail2ban configuration to be added to the <mailcow_root>/data/conf/ directory? Mucking around inside the docker container doesn’t sound like a good idea given the distribution.

Is there a way to move SOGo to it’s own IP or port? Looking through the logs I’m getting a LOT of mailcow UI attempts. I would love to lock that down some more at least. I see I can get to the Nginx config, but I would rather shut that all down on the firewall and eschew a proxy.