Hi,

are you identifying failed attempts by the HTTP error code (403, 401)?

However, where you put the <HOST> placeholder, I had localhost only - until the last changes. This was due to the proxy setup with Apache. Without the proxy, the client IP was listed - so there your script works.

About the port: from my understanding this is the port which will be blocked - and for me SOGo has 443 (https), only with CalDav/CardDav running over them. Fail2Ban can as well just block all ports: iptables-allports

Thanks for the hint,
Arnd

On Friday, 08 February 2013 18:31 CET, Thoralf Schulze <[email protected]> wrote:

> hi there,
>
> On 07.02.2013 14:54 Arnd Raphael Brandes wrote:
> > thanks to jraby, the sogo.log can now be used for fail2ban, even in the
> > proxy setup. This has been implemented in the feature request
> > 2229 (http://www.sogo.nu/bugs/view.php?id=2229). Fail2ban allows to ban IPs
> > of users who persistently (in the example 5 times) fail to log in in a
> > certain time. The ban can be temporary or permanent and an admin can be
> > configured to be informed by mail.
> > The ban is done via IP tables. Setup-time ~ 10 min.
>
> for the current stable version (2.0.4b-1), this sogo.conf might work as
> well:
>
> [Definition]
> failregex = ^<HOST> - - \[.+\] "POST /SOGo/connect HTTP/1.[01]" 403.*$
>             ^<HOST> - - \[.+\] "PROPFIND /SOGo/dav.+ HTTP/1.[01]" 401 *$
> ignoreregex = ^<HOST> - - \[.+\] "PROPFIND /SOGo/dav.+ HTTP/1.[01]" 401 0.*$
>
> … well, it does seem to do its job here, at least :-)
> i also changed port = http,https in the jail definition to port = all to
> make sure to also catch *dav-related log entries.
>
> with kind regards,
> t.
> --
> [email protected]
> https://inverse.ca/sogo/lists
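
An added example, not part of either message and not SOGo or fail2ban code: the filter posted above, run over constructed log lines to show which address reaches the 5-failure threshold and what happens when every request is logged as coming from the proxy's loopback address. `HOST_GROUP` is a simplified stand-in for fail2ban's own `<HOST>` expansion, and the function names and log lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Filter patterns as posted in the thread; <HOST> is fail2ban's placeholder.
FAILREGEX = [
    r'^<HOST> - - \[.+\] "POST /SOGo/connect HTTP/1.[01]" 403.*$',
    r'^<HOST> - - \[.+\] "PROPFIND /SOGo/dav.+ HTTP/1.[01]" 401 *$',
]
IGNOREREGEX = [
    r'^<HOST> - - \[.+\] "PROPFIND /SOGo/dav.+ HTTP/1.[01]" 401 0.*$',
]
# Assumption: simplified stand-in for fail2ban's real <HOST> expansion.
HOST_GROUP = r'(?P<host>\S+)'
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def compile_all(patterns):
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]

def count_failures(lines):
    """Return a Counter of host -> log lines the filter counts as failures."""
    fail, ignore = compile_all(FAILREGEX), compile_all(IGNOREREGEX)
    hits = Counter()
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue  # ignoreregex wins over failregex
        for rx in fail:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def review(lines, maxretry=5):
    """Return (hosts at or over maxretry, loopback hosts that collected failures)."""
    hits = count_failures(lines)
    # Loopback is left out of the flagged list, as an ignoreip entry would do.
    flagged = sorted(h for h, n in hits.items() if n >= maxretry and h not in LOOPBACK)
    masked = sorted(h for h in hits if h in LOOPBACK)
    return flagged, masked

# Constructed sample lines, not real log data; 192.0.2.10 is a documentation address.
TS = "[08/Feb/2013:18:31:00 GMT]"
DIRECT = [f'192.0.2.10 - - {TS} "POST /SOGo/connect HTTP/1.1" 403 34/58 0.015 - - 0'] * 5
DIRECT.append(f'192.0.2.10 - - {TS} "PROPFIND /SOGo/dav/bob/ HTTP/1.1" 401 0/0 0.002 - - 0')
PROXIED = [f'127.0.0.1 - - {TS} "PROPFIND /SOGo/dav/bob/ HTTP/1.1" 401'] * 5

if __name__ == "__main__":
    print(review(DIRECT), review(PROXIED))
```

A non-empty second list means failures are being attributed to the proxy host, so the filter matches but no client address is available to ban.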
