
Rainloop fail2ban

Open janarzz opened this issue 8 years ago • 19 comments

Hey, does anybody know how to get RainLoop to work with fail2ban?

janarzz avatar Nov 26 '17 21:11 janarzz

/PATH-TO-RAINLOOP-DATA-FOLDER/..../application.ini

[logs]
auth_logging = On
auth_logging_filename = "fail2ban/auth-{date:Y-m-d}.txt"
auth_logging_format = "Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

/etc/fail2ban/filter.d/rainloop.conf

[Definition]
failregex = : Auth failed: ip=<HOST> user=.* host=.* port=.*$
ignoreregex =

/etc/fail2ban/jail.local

[rainloop]
enabled = true
banaction = iptables-multiport
filter = rainloop
port = http,https
logpath = /PATH-TO-RAINLOOP-DATA-FOLDER/_default_/logs/fail2ban/auth-*.txt
maxretry = 5
findtime = 1500
bantime = 3600

extremeshok avatar Nov 30 '17 11:11 extremeshok

This solution did not work for me.

janarzz avatar Nov 30 '17 13:11 janarzz

When fail2ban starts, I see it mentioning the existing auth-*.txt files. But does fail2ban pick up new files as they are created by date by RainLoop?

ervee avatar Nov 30 '17 15:11 ervee

When I use Roundcube Webmail, fail2ban works great.

janarzz avatar Dec 01 '17 11:12 janarzz

Hey, has a solution been found for RainLoop fail2ban?

janarzz avatar Dec 21 '17 17:12 janarzz

@RainLoop, would it be possible to patch RainLoop to produce only one logfile instead of one for every date? Let it create an empty logfile when not found (for example check on every successful admin login because RainLoop must be accessed by an admin to setup) so fail2ban can pick it up and "tail" it.

ervee avatar Dec 21 '17 17:12 ervee

@ervee Sorry to "necropost", but there are a couple of still open issues here which I stumbled upon looking for a solution with fail2ban, and they seem to be related to the same problem. The name of the log file can be configured in RainLoop's ../data/..../application.ini file, as shown here. So you could simply set it to a constant file name like so:

[logs]
auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.log"
auth_logging_format = "Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

Also see here and here: In your fail2ban jail config, you need to set a findtime high enough so that the gap between UTC (expected by fail2ban) and local time (logged by RainLoop) is covered, probably plus some margin. 1500 won't do, unless you happen to live in the right place in the right (summer or winter, that is) time.

drpetersen avatar Oct 22 '18 13:10 drpetersen

I'd be interested in getting this working, has anyone else made any progress? It'd be great to see this show up officially in the fail2ban packaging configuration files.

sadsfae avatar Nov 25 '18 16:11 sadsfae

Posting here to keep an eye on this.

txtsd avatar Dec 01 '18 15:12 txtsd

extremeshok's configuration posted above worked for me.

revnil avatar Jan 03 '19 04:01 revnil

I have a slightly different case: my RainLoop webmail is behind HAProxy. HAProxy is sending X-Forwarded-For fine. In the Apache logs I see the real client IP, but with RainLoop auth logging enabled I see the HAProxy IP. I need a workaround to see the real client IP. Help me please...

enriluis avatar Mar 17 '19 01:03 enriluis

Hey there,

It would probably be better to purchase a standard license or e-mail RainLoop directly?

bugz8unny69 avatar Mar 17 '19 02:03 bugz8unny69

I know this is old but I did a few tweaks and made this work right.

/...path to rainloop.../rainloop/data/data/default/configs/application.ini

auth_logging = On
auth_logging_filename = "fail2ban/auth-fail.txt"
auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"

The T in the time formatting inserts the timezone which fail2ban uses to correct for the time difference recorded. The fail2ban log will still record GMT but if you look in /var/log/fail2ban.log, it will now convert it and record the correct time.

/etc/fail2ban/filter.d/rainloop.conf

[Definition]
failregex = Auth failed: ip=<HOST> user=.* host=.* port=.*$
ignoreregex =

/etc/fail2ban/jail.local

[rainloop]
enabled = true
port = http,https
logpath = /var/www/rainloop/data/_data_/_default_/logs/fail2ban/auth-fail.txt

I omitted the other properties above as I wanted it to use my defaults.

mnotgninnep avatar May 17 '19 15:05 mnotgninnep
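An added example, not part of any post in this thread and not fail2ban's or RainLoop's own code: a simplified model of the `findtime`/`maxretry` counting, run over constructed log lines in the `[{date:Y-m-d H:i:s T}]` format above, showing why a timestamp without a zone can push failures outside a 1500-second window. The abbreviation table, the sample addresses and the function names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed abbreviation table for this example only; the "T" in the date
# format prints zone abbreviations of this kind.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "CET": 1}

# Keyed on the literal "ip=" field, so the later host= field can never
# supply the address; \S+ ends each field at the next space.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: (?P<tz>[A-Z]+))?\] "
    r"Auth failed: ip=(?P<ip>\S+) user=\S* host=\S+ port=\d+$"
)

def parse(line):
    """Return (client_ip, UTC datetime), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # No zone in the line (or one not in the table): the reader assumes UTC.
    offset = TZ_OFFSETS.get(m["tz"] or "UTC", 0)
    return m["ip"], (naive - timedelta(hours=offset)).replace(tzinfo=timezone.utc)

def should_ban(lines, now, maxretry=5, findtime=1500):
    """IPs with at least maxretry failures no older than findtime seconds."""
    counts = {}
    for line in lines:
        parsed = parse(line)
        if parsed and (now - parsed[1]).total_seconds() <= findtime:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

def sample_lines(with_zone):
    # Constructed sample data: five failures from one client, logged in EST.
    tz = " EST" if with_zone else ""
    return [f"[2019-01-15 08:05:{s:02d}{tz}] Auth failed: ip=203.0.113.7 "
            f"user=alice host=192.0.2.10 port=993" for s in range(0, 50, 10)]

# 13:10 UTC is 08:10 EST, five minutes after the constructed failures.
NOW = datetime(2019, 1, 15, 13, 10, 0, tzinfo=timezone.utc)
```

With the zone in each line the five failures are about 300 seconds old and the client is returned; without it they look roughly five hours old, so nothing is returned unless `findtime` is raised past that gap.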

I found a solution here: https://terminal.ovh/2020/08/fail2ban-does-not-pick-up-new-logfiles-created-every-day/

redSTORM000 avatar Aug 12 '20 11:08 redSTORM000

Note that this will not work well if RainLoop is behind a reverse proxy due to https://github.com/RainLoop/rainloop-webmail/issues/1849

khimaros avatar Dec 10 '20 18:12 khimaros

I am having the same problem. fail2ban-regex finds a match in the log, but fail2ban does not. Found a solution here https://blogvomjens.wordpress.com/2016/06/03/fail2ban-und-rainloop/comment-page-1 In application.ini you need to set your timezone to time_offset =

ion-lane avatar Sep 18 '21 03:09 ion-lane

This workaround should also work for the reverse proxy case mentioned above: https://github.com/RainLoop/rainloop-webmail/issues/1849#issuecomment-742718083

khimaros avatar Sep 18 '21 03:09 khimaros

I am wondering if someone could straighten me out? I know this thread is old, and I apologize for beating this horse.

I am running into a case where my filtered <HOST> match is grabbing the host={imap:host} instead of the ip={request:ip}. I have tried so many regex variants and even dropping everything after it first hits the ip={request:ip} match. But it still manages to read in the host={imap:host}.

Is this fixable? Just to clarify the issue... for me, the host={imap:host} in the log is my mailserver hosting rainloop. So it will always be the same IP (and my f2b is set to ignoreself = true).

Thank you for any insight!

phatlix avatar Feb 08 '22 16:02 phatlix

Hi! @phatlix Could you please show me your f2b and RainLoop logs from when you try to log in with a wrong password from a different device? I will try to help you.

frogmaker avatar Feb 19 '22 21:02 frogmaker