Can I use fail2ban behind router for mail server?

Question

I'm running Docker on NAS in a home network behind a FritzBox router. Mail and web server are dockerized, external ports 22, 80, 443 are forwarded to the respektive ports on the NAS, Traefik serves as reverse proxy.

While traefik works fine thanks for X-Forwarded headers and HTTP 1.1 Host headers, I'm unable to setup fail2ban to block excessive login attempts of rogue clients. Thanks to NAT on the router, the mail container always seems the router's IP as source.

Server logs look like this:

dovecot: auth: passwd-file(luv5@xn--...,172.19.0.1): unknown user (SHA1 of given password: 63f39e)
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1028]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1028]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1066]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1066]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
dovecot: auth: passwd-file(mathew@xn--...,172.19.0.1): unknown user (SHA1 of given password: 011c94)
postfix/smtpd[2295]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2295]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36922 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36922
postfix/smtpd[1118]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36948 to [172.19.0.11]:25
dovecot: auth: passwd-file(psycho@xn--...,172.19.0.1): unknown user (SHA1 of given password: 7c4a8d)
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36950 to [172.19.0.11]:25
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36958 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36948
postfix/smtpd[2295]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36950
postfix/smtpd[1066]: connect from unknown[172.19.0.1]

Is there anything that can be done to get fail2ban to block based on IP address for SMTP behind NAT (except for using an "exposed host")?

score 0 · Accepted Answer · answered Nov 18 '19 at 20:43

Thanks to NAT on the router, the mail container always seems the router's IP as source.

If you're able at all to capture from log/journal an originated IP (or something else identifying the intruder) in the filter, you could:

write own failregex or filter capturing forwarded IP, session or username (something you can use as ID to identify intruder), then ...
either try to implement a solution described in our wiki - How to ban something other as host (IP address), like user or mail, etc.
or write some actions like https://github.com/fail2ban/fail2ban/blob/0.10/config/action.d/nginx-block-map.conf (banning intruder resp. rejecting its connection on web-server or mail-service side)
or write your own action to notify your proxying service, in order to ban the originated IP on the other side (no idea traefik has something like that, but there is still open RFE about that - https://github.com/containous/traefik/issues/4026).

Also note similar question - How to implement fail2ban with Traefik

Great answer, but seems- with the logs available- that I'm out of luck :/ — andig, Nov 20 '19 at 09:31

Can I use fail2ban behind router for mail server?

1 Answers1