Issues with fail2Ban

RandyMartin

I have mailcow running behind a traefik reverse proxy, but the fail2ban mechanisme does not seem to work.
It sees the real wan IP when an incorrect loging occured, it puts in on the denylist but then i am still able to access the webpage.

esackbauer

That is by design. Mailcow is designed to work without reverse proxy.
The fail2ban iptable rules apply to the IP stack, but web requests are always coming from your Traefik IP address.
You would need to apply the fail2ban list to your reverse proxy, too

RandyMartin

It is weird, because it is able to see the wan ip from where the connection is coming from.

esackbauer

Thats not weird, if you understand the OSI layer model.
mailcow enforces the blocking on layer 3, and Traefik works on layer 5.

RandyMartin

Aah i get it now, thank you 🙂

ETNyx

Weird i always thought it can work in two modes, on L4 routing based on IP (TCP/UDP routing) and on L7 routing based on application (HTTPS, SMTP, IMAP,…). Either way, just technical detail,… you most likely setup MC to always trust your proxy IP so on L3 no block as @esackbauer wrote,..

esackbauer

ETNyx
The prolem is that the connection is always terminated at the reverse proxy, and all requests are then always coming from the reverse proxy (with its static IP) to mailcow. Even if you do not trust the reverse proxy address, on L3 (which mailcow uses to enforce the block) you can only block your reverse proxy, which would not make sense, and blocking any other public IP addresses on mailcow would only make sense for IMAP/SMTP protocols which are not using reverse proxy. Typically those ports are using NAT which is a layer 3 function, so blocking would work.

ETNyx

Sure no discussion/problem there 👍️

RandyMartin

I can indeed confirm that fail2ban does work with imap/smtp since these dont use the reverse proxy but are being send directly to the mailcow server. I will check if i can get fail2ban up and running on my traefik proxy, for the added security of the webgui.

ETNyx

Are you running some kind of WAF there? Or what is the added security?

RandyMartin

Yeah traefik had WAF crowdsec functionality added to it. I can disable this, but the issues stays the same.

ETNyx

No need, just people usually add proxy before MC http(s) without reason, having WAF in front is at least some reason,…

If you make your MC totally isolated and push all traffic thought proxy, than you can in MC admin on Netfilter (Fail2ban) configuration page click “Manage fail2ban externally” This will disable MC fail2ban and expose API endpoint that you can read from your gateway (proxy) and start blocking IP there. So this way you can block all what MC mark as to be banned even before routing through proxy,…

ETNyx

ETNyx This will disable MC fail2ban

clarification, it will disable enforcing iptables rules in MC, but evaluation if someone should be block will continue and ban list will be updated.

RandyMartin

that would be nice indeed, i will look into that thanks 😉
I also have geoIP blocking combined with the WAF. So only I am able to connect to it from my country.

Another step to lock down access.