How to Harden Kopano against attacks with Fail2ban
This howto describes how to install and configure Fail2ban for Kopano Groupware on Ubuntu 16.04.4 LTS. Fail2ban provides effective protection against brute-force attacks: it picks failed authentication attempts out of syslog and the Apache log and then blocks the offending host for a certain period of time using the kernel firewall.
Install Fail2ban on Kopano Server
Install the Fail2ban package on the Ubuntu host as root as follows. Fail2ban is written in Python, so the required Python libraries are installed along with it as dependencies.
apt-get update
apt-get install fail2ban -y
After installation, Fail2ban runs and is enabled in systemd for autostart.
systemctl start fail2ban
systemctl enable fail2ban
To provide a Fail2ban filter for Kopano, create the file kopano-webapp-auth.conf:
vi /etc/fail2ban/filter.d/kopano-webapp-auth.conf
Insert the content into the filter file with the following lines:
# Fail2Ban kopano-webapp-auth filter
# /etc/fail2ban/filter.d/kopano-webapp-auth.conf
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI
ignoreregex =
Activate the Fail2ban filter for Kopano by creating the configuration file jail.local.
vi /etc/fail2ban/jail.local
And insert the following content:
[sshd]
port = ssh
logpath = %(sshd_log)s
[kopano-webapp]
enabled = true
port = https
filter = kopano-webapp-auth
logpath = %(apache_error_log)s
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
Here the error log, /var/log/apache2/error.log, is read via the variable %(apache_error_log)s.
Restart Fail2ban to enable the changes.
systemctl restart fail2ban
The status of Fail2ban can be checked as follows.
root@kopano:~# fail2ban-client status
Status
|- Number of jail: 3
'- Jail list: apache-auth, kopano-webapp, sshd
root@kopano:~# fail2ban-client status kopano-webapp
Status for the jail: kopano-webapp
| Filters
| |- Currently failed: 0
| |- Total failed: 7
| '- File list: /var/log/apache2/mattermost-error.log /var/log/apache2/error.log
'- Actions
   |- Currently banned: 4
   |- Total banned: 52
   '- Banned IP list: 10.10.10.101 172.17.88.91 172.31.16.3 10.32.57.98
The firewall shows which hosts are currently blocked by Fail2ban. Query iptables as follows:
iptables -vnL | egrep "f2b-kopano-webapp|apache-auth|sshd"
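Before relying on the jail, it is worth checking that the failregex from kopano-webapp-auth.conf matches the lines it should and takes the host from Apache's own [client ...] field. The following is an added example, not part of the original howto or of Fail2ban: the <HOST> expansion and the _apache_error_client prefix are simplified approximations (assumptions), and the log lines are constructed to fit the filter.

```python
import re
from collections import Counter

# Simplified stand-in (assumption) for fail2ban's <HOST> tag: IPv4/hostname only.
HOST = r"(?P<host>[\w\-.]*\w)"
# Approximation (assumption) of _apache_error_client from apache-common.conf.
# fail2ban cuts the timestamp out before matching; here the bracket is skipped.
APACHE_ERROR_CLIENT = (
    r"\[[^]]*\] \[(?::?error|\S+:\S+)\]"
    r"(?: \[pid \d+(?::\S+ \d+)?\])? \[client <HOST>(?::\d{1,5})?\]"
)
# failregex as given in kopano-webapp-auth.conf on this page.
FAILREGEX = (
    r"^%(_apache_error_client)s Kopano WebApp user:.* "
    r"authentication failure at MAPI"
)

# Constructed sample lines in Apache 2.4 error-log layout (not real log data).
SAMPLE_LOG = """\
[Tue Mar 06 10:15:22.101 2018] [:error] [pid 2201] [client 203.0.113.7:51234] Kopano WebApp user: alice: authentication failure at MAPI
[Tue Mar 06 10:15:24.530 2018] [:error] [pid 2201] [client 203.0.113.7:51236] Kopano WebApp user: alice: authentication failure at MAPI, referer: https://mail.example.com/webapp/
[Tue Mar 06 10:15:25.007 2018] [php7:error] [pid 2207:tid 14] [client 198.51.100.23:40022] Kopano WebApp user: bob: authentication failure at MAPI
[Tue Mar 06 10:15:30.412 2018] [:error] [pid 2201] [client 203.0.113.7:51240] Kopano WebApp user: [client 192.0.2.99] x: authentication failure at MAPI
[Tue Mar 06 10:16:02.900 2018] [:error] [pid 2210] [client 192.0.2.50:33100] PHP Notice: constructed message unrelated to login
[Tue Mar 06 10:16:05.118 2018] [mpm_prefork:notice] [pid 2100] constructed server notice without a client field
"""

def compile_failregex():
    """Expand the %(...)s include and the <HOST> tag, then compile."""
    expanded = FAILREGEX % {"_apache_error_client": APACHE_ERROR_CLIENT}
    return re.compile(expanded.replace("<HOST>", HOST))

def failures_per_host(log_text):
    """Count failregex hits per client address, as the jail would tally them."""
    rx = compile_failregex()
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

if __name__ == "__main__":
    for host, count in failures_per_host(SAMPLE_LOG).most_common():
        print(f"{host}: {count} failed logins")
```

Because the expression is anchored with ^ to the Apache prefix, bracketed text inside the user name (fourth sample line) does not change which host is counted. On the server itself, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/kopano-webapp-auth.conf runs the real filter against the real log.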