OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Hardening a IMAP server behind HAPROXY // fail2ban
« previous next »
  • Print
Pages: [1]

Author Topic: Hardening a IMAP server behind HAPROXY // fail2ban  (Read 870 times)

fritz

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Hardening a IMAP server behind HAPROXY // fail2ban
« on: September 04, 2024, 01:43:11 am »
Hello, I'm new to opnsense, maybe someone is able to help with this:

I'm hosting a IMAP Server in a VLAN, reverse proxied by opnsense haproxy plugin. SSL is offloaded by haproxy, the proxying takes place in TCP mode (layer4), public service is configured to listen on port 993 and routing all traffic to a default backend, as this is the only server for connections on 993.
Now I want to prevent bruteforce attacks on the imap server, using e.g. fail2ban to block malicious traffic. How would I best achieve this, when the imap server just sees the internal ip adress of the proxy instead of client IP?

Thanks for any help!
Logged

bartjsmit

  • Hero Member
  • *****
  • Posts: 2014
  • Karma: 194
    • View Profile
Re: Hardening a IMAP server behind HAPROXY // fail2ban
« Reply #1 on: September 04, 2024, 09:41:05 am »
Fail2Ban is okay but 2FA would be better. You could put squirrelmail in front of your IMAP and harden it with client browser certificates as the second factor. It also supports Yubikeys.

https://www.squirrelmail.org/

Bart...
Logged

fritz

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: Hardening a IMAP server behind HAPROXY // fail2ban
« Reply #2 on: September 04, 2024, 10:58:22 am »
thanks bart for replying. Sure, a webmail client can be used with 2FA, but some of the mail users just want to use their iOS mail app or thunderbird or whatever they feel convenient with, so I will need to expose the imap server for them (dovecot in my setup).

Is there a way to forward the client ipv4 to the imap server so fail2ban can be used? Or even better to filter suspicious traffic on opnsense-level?
Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1595
  • Karma: 176
    • View Profile
Re: Hardening a IMAP server behind HAPROXY // fail2ban
« Reply #3 on: September 04, 2024, 11:23:07 am »
Well thats essentially what the HA Proxy Protocol is for:

https://www.haproxy.com/documentation/haproxy-configuration-tutorials/client-ip-preservation/enable-proxy-protocol/

Your Backend Server just needs to understand the "HA Proxy Protocol Header" in order to see the real IP of the clients.

Also, if it is not RAW traffic routing on Layer 4 for IMAP, but a Webmailer on Port 443, you can also use the HTTP Header "X-Forwarded-For".

« Last Edit: September 04, 2024, 11:25:05 am by Monviech »
Logged
Hardware:
DEC740

fritz

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: Hardening a IMAP server behind HAPROXY // fail2ban
« Reply #4 on: September 05, 2024, 01:39:00 am »
Thanks, ha proxy protocol just made it happen! for those who are wondering: dovecot itself (as many other services) is capable of interpreting ha proxy protocol when configured so. proxy protocol can be enabled in the gui, haproxy settings, in the advanced mode settings of the backend pool.

Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Hardening a IMAP server behind HAPROXY // fail2ban
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2