Mailcow not banning login attempts at all (serious security risk)

zeronemo

Hi,

Could someone help me understand why my new mailcow installation isn’t banning email login attempts? It seems like the system isn’t banning anything at all, even after multiple failed login attempts. I’ve reinstalled it about 5 times now, and the banning part just doesn’t seem to be working. This poses a serious security risk as my server is vulnerable to brute-force attacks.

I’ve already tried several troubleshooting steps, including updating and resetting the regex after each update. I’m unsure if I need to save the changes and restart netfilter or if there’s a different standard procedure. I’ve tried everything I can think of, but nothing seems to resolve the issue.

Does anyone have any ideas on how to troubleshoot this issue? Any guidance on the correct steps to take after updating and resetting the regex would be greatly appreciated.

Thanks.

esackbauer

zeronemo It seems like the system isn’t banning anything at all, even after multiple failed login attempts.

Because those attempts come from different IP addresses. IP addresses get blocked if the same IP address has several unsuccessful login attempts.
You don’t want to lock out your users with blocking their accounts just because someone tries to “brute force”.

zeronemo This poses a serious security risk as my server is vulnerable to brute-force attacks.

No, your server is not in danger, it is your users using weak or hacked passwords and no 2FA.

You could get rid of most of the login attempts by establishing a script which loads 10000 IP addresses from abuseipdb.com
See this thread (unfortunately in german, try to use an online translator):
https://community.mailcow.email/d/4527-massive-bruteforce-attacke-seit-wochen/24

zeronemo

esackbauer There are no other users and there won’t be any.

Unfortunately, these attempts aren’t a recent occurrence. Even when I was using Postfix, Dovecot, SpamAssassin, and spamass-milter locally, I consistently experienced these attempts, primarily from Chinese and Korean IPs, and they persist relentlessly.

[unknown] It might be normal, but why isn’t it showing me the banned IPs in the list? The banned list on the web UI is completely empty. Previously, before the update, it would show and ban hundreds of IPs. Now, after the update, since I can only log in with /admin, it doesn’t show anything.

Specifically, there were times when it displayed the banned IPs on the web interface in blue, but those disappeared after an update.

I don’t understand why mailcow doesn’t have a simple email notification option for banned IPs, like my local fail2ban setup does. Of course, I can go into the Docker containers and check the logs, and maybe it’s still banning them, but that’s not how I want to monitor it. I want to see when someone tries to log in and brute-force, and know that my system is banning them for a week after one attempt, as configured.

It’s set to a week because in my previous system, I had it set to a /16 range and one attempt would result in a year-long ban. Unfortunately, this made the log file very large, and it might have caused some freezing or slowdown due to nftables or something similar. I’m not entirely sure, but it became very slow. Now, I’ve set it to /32 for a week, so at least the blocks expire after a week.

Ganzjahresgriller

@zeronemo This looks like normal background noise

esackbauer

Face the fact that your server will be probed 7×24. Just keep it updated and use safe passwords.
Problem solved.

Ganzjahresgriller

@zeronemo Perhaps this can help you, but be carfully: friendly-bits/geoip-shell

zeronemo

There are still supposed bans happening, but I don’t see anything displayed on the web UI.

I’ve tried removing the sogo regex twice, as it doesn’t seem to work anyway, hoping that was the issue. When I do this, I save the changes in the regex section and also at the top, and then restart netfilter. Sometimes, after refreshing the fb2 link, it shows a banned IP, but if I navigate away and back, it disappears.

I’m still not seeing any banned IPs in the web UI, even though the logs suggest they’re being banned.

[unknown] Haha, I’ve been using GeoIP for ages, but only for Apache2, to be honest. I’m not sure how good this GeoIP for SSHD is, but it’s probably not bad. Thanks

[unknown] Haha, I’ve been using GeoIP for ages, but only for Apache2, to be honest. I’m not sure how good this GeoIP for SSHD is, but it’s probably not bad.

sorry about 2 post.. cache ..cookies..

DocFraggle

The above screenshot indicates that something’s wrong with your iptables config (see the crit MAILCOW target messages). Do you have another firewall running on your host system? ufw or firewalld? That can lead to problems and you should disable it completl according to the mailcow docs. This also could lead to the problem you currently experience

zeronemo

DocFraggle Iptables reseted… now is ok i hope.

DocFraggle

hmm Now it’s finally banning again and displaying the banned IPs. I don’t understand it, but whatever.

DocFraggle

hmm Now it’s finally banning again and displaying the banned IPs. I don’t understand it, but whatever.

DocFraggle DocFraggle

hmm Now it’s finally banning again and displaying the banned IPs. I don’t understand it, but whatever.

sorry.. its cookies, pasted more times..