paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Auth rate limiting: Mailcow UI and correct treatment of v4-mapped addresses

master
Michael Kuron 2017-05-25 13:57:50 +02:00
parent 88f94a2e15
commit 1906c26e5d
3 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
data/Dockerfiles/fail2ban/logwatch.py
View File

@ -13,6 +13,7 @@ RULES = {
'mailcowdockerized_postfix-mailcow_1': 'warning: .*\[([0-9a-f\.:]+)\]: SASL .* authentication failed', 'mailcowdockerized_postfix-mailcow_1': 'warning: .*\[([0-9a-f\.:]+)\]: SASL .* authentication failed',
'mailcowdockerized_dovecot-mailcow_1': '-login: Disconnected \(auth failed, .*\): user=.*, method=.*, rip=([0-9a-f\.:]+),', 'mailcowdockerized_dovecot-mailcow_1': '-login: Disconnected \(auth failed, .*\): user=.*, method=.*, rip=([0-9a-f\.:]+),',
'mailcowdockerized_sogo-mailcow_1': 'SOGo.* Login from \'([0-9a-f\.:]+)\' for user .* might not have worked', 'mailcowdockerized_sogo-mailcow_1': 'SOGo.* Login from \'([0-9a-f\.:]+)\' for user .* might not have worked',
'mailcowdockerized_php-fpm-mailcow_1': 'Mailcow UI: Invalid password for .* by ([0-9a-f\.:]+)',
} }
BAN_TIME = 1800 BAN_TIME = 1800
MAX_ATTEMPTS = 10 MAX_ATTEMPTS = 10
@ -22,6 +23,9 @@ quit_now = False
def ban(address): def ban(address):
ip = ipaddress.ip_address(address.decode('ascii')) ip = ipaddress.ip_address(address.decode('ascii'))
if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:
ip = ip.ipv4_mapped
address = str(ip)
if ip.is_private or ip.is_loopback: if ip.is_private or ip.is_loopback:
return return

1
data/Dockerfiles/php-fpm/Dockerfile
View File

@ -8,6 +8,7 @@ RUN docker-php-ext-install intl pdo pdo_mysql xmlrpc
RUN docker-php-ext-enable redis RUN docker-php-ext-enable redis
RUN pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL Net_IMAP NET_SMTP Net_IDNA2 Mail_mime RUN pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL Net_IMAP NET_SMTP Net_IDNA2 Mail_mime
RUN apk del autoconf g++ make libxml2-dev icu-dev RUN apk del autoconf g++ make libxml2-dev icu-dev
RUN echo 'php_admin_flag[log_errors] = on' >> /usr/local/etc/php-fpm.d/www.conf
COPY ./docker-entrypoint.sh / COPY ./docker-entrypoint.sh /

5
data/web/inc/functions.inc.php
View File

@ -169,6 +169,11 @@ function check_login($user, $pass) {
} }
elseif (!isset($_SESSION['mailcow_cc_username'])) { elseif (!isset($_SESSION['mailcow_cc_username'])) {
$_SESSION['ldelay'] = $_SESSION['ldelay']+0.5; $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
$err = error_reporting(E_ALL);
ini_set('display_errors', 'off');
trigger_error("Mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR'], E_USER_WARNING);
ini_set('display_errors', 'on');
error_reporting($err);
} }
sleep($_SESSION['ldelay']); sleep($_SESSION['ldelay']);
} }