> Can you post your apache config and a sample http request from a client going to sogo on 127.0.0.1:20000?
I'm using nginx, not apache, but the config is:

        location /SOGo {
                if ($scheme = 'http') {
                        #Insecure, lets go to https
                        rewrite ^/(.*)$ https://mail.vescent.com/$1 redirect;
                }

                proxy_pass http://127.0.0.1:20000;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header x-webobjects-server-protocol HTTP/1.0;
                proxy_set_header x-webobjects-remote-host 127.0.0.1;
                proxy_set_header x-webobjects-server-name $server_name;
                proxy_set_header x-webobjects-server-url $scheme://$host;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
                client_max_body_size 50m;
                client_body_buffer_size 128k;
        }

        location /SOGo.woa/WebServerResources/ {
                alias /usr/lib/GNUstep/SOGo/WebServerResources/;
        }
        location /SOGo/WebServerResources/ {
                alias /usr/lib/GNUstep/SOGo/WebServerResources/;
        }
        location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
                alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
        }


> You can use tcpflow -c -i lo port 20000 for that.
> (take care to remove the cookie before posting this)

Here's the traffic on port 20000 when I attempt a (bad) login from SOGo webmail from a computer with IP: 192.168.0.100:

server:/tmp# tcpflow -c -i lo port 20000
tcpflow[30936]: listening on lo
127.000.000.001.50791-127.000.000.001.20000: POST /SOGo/connect HTTP/1.0
X-Real-IP: 192.168.0.100
X-Forwarded-For: 192.168.0.100
Host: server.com
x-webobjects-server-protocol: HTTP/1.0
x-webobjects-remote-host: 127.0.0.1
x-webobjects-server-name: server.com
x-webobjects-server-url: https://server.com
Connection: close
Content-Length: 27
Origin: https://server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: https://server.com/SOGo/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: REMOVED
userName=asdf&password=asdf
127.000.000.001.20000-127.000.000.001.50791: HTTP/1.1 403 Forbidden

127.000.000.001.20000-127.000.000.001.50791: content-length: 34
content-type: application/json

127.000.000.001.20000-127.000.000.001.50791: set-cookie:
127.000.000.001.20000-127.000.000.001.50791: SOGoLogin=; expires=Wed, 21-Aug-2013 15:36:00 GMT; path=/SOGo/
127.000.000.001.20000-127.000.000.001.50791:

127.000.000.001.20000-127.000.000.001.50791: {"LDAPPasswordPolicyError": 65535}


It seems SOGo has the IP address via either X-Real-IP or X-Forwarded-For. But again, the SOGo log for that attempt is:

Aug 22 09:36:00 sogod [13156]: SOGoRootPage Login from '127.0.0.1' for user 'asdf' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0


Thanks

Ben
--
https://inverse.ca/sogo/lists
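
A small check for the mismatch shown in this message, added here as an example and not part of the original post: it parses a proxied request's header block and a sogod login line, then lists which headers carry the address that was logged. The sample data is constructed from the capture above and the function names are hypothetical.

```python
import re

# Constructed sample: header block and sogod log line modelled on the capture above.
REQUEST = """\
POST /SOGo/connect HTTP/1.0
X-Real-IP: 192.168.0.100
X-Forwarded-For: 192.168.0.100
Host: server.com
x-webobjects-server-protocol: HTTP/1.0
x-webobjects-remote-host: 127.0.0.1
x-webobjects-server-name: server.com
x-webobjects-server-url: https://server.com
"""
LOG_LINE = ("Aug 22 09:36:00 sogod [13156]: SOGoRootPage Login from '127.0.0.1' "
            "for user 'asdf' might not have worked - password policy: 65535 "
            "grace: -1 expire: -1 bound: 0")

LOGIN_RE = re.compile(r"Login from '([^']+)' for user '([^']*)'")


def parse_headers(raw):
    """Map lower-cased header names to values, skipping the request line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def logged_address(log_line):
    """Address sogod recorded for the login attempt, or None if no match."""
    match = LOGIN_RE.search(log_line)
    return match.group(1) if match else None


def headers_with_address(raw, address):
    """Sorted names of headers carrying `address`; comma-separated chains
    such as X-Forwarded-For are compared hop by hop."""
    return sorted(name for name, value in parse_headers(raw).items()
                  if address in [hop.strip() for hop in value.split(",")])


if __name__ == "__main__":
    addr = logged_address(LOG_LINE)
    print("logged:", addr, "<-", headers_with_address(REQUEST, addr))
    print("client: 192.168.0.100 <-", headers_with_address(REQUEST, "192.168.0.100"))
```

On this capture the logged address matches only x-webobjects-remote-host, which the nginx config sets to the literal 127.0.0.1, while the client address appears only in X-Real-IP and X-Forwarded-For.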