Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
Hardening a IMAP server behind HAPROXY // fail2ban
« previous
next »
Print
Pages: [
1
]
Author
Topic: Hardening a IMAP server behind HAPROXY // fail2ban (Read 889 times)
fritz
Newbie
Posts: 3
Karma: 0
Hardening a IMAP server behind HAPROXY // fail2ban
«
on:
September 04, 2024, 01:43:11 am »
Hello, I'm new to opnsense, maybe someone is able to help with this:
I'm hosting a IMAP Server in a VLAN, reverse proxied by opnsense haproxy plugin. SSL is offloaded by haproxy, the proxying takes place in TCP mode (layer4), public service is configured to listen on port 993 and routing all traffic to a default backend, as this is the only server for connections on 993.
Now I want to prevent bruteforce attacks on the imap server, using e.g. fail2ban to block malicious traffic. How would I best achieve this, when the imap server just sees the internal ip adress of the proxy instead of client IP?
Thanks for any help!
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Hardening a IMAP server behind HAPROXY // fail2ban
«
Reply #1 on:
September 04, 2024, 09:41:05 am »
Fail2Ban is okay but 2FA would be better. You could put squirrelmail in front of your IMAP and harden it with client browser certificates as the second factor. It also supports Yubikeys.
https://www.squirrelmail.org/
Bart...
Logged
fritz
Newbie
Posts: 3
Karma: 0
Re: Hardening a IMAP server behind HAPROXY // fail2ban
«
Reply #2 on:
September 04, 2024, 10:58:22 am »
thanks bart for replying. Sure, a webmail client can be used with 2FA, but some of the mail users just want to use their iOS mail app or thunderbird or whatever they feel convenient with, so I will need to expose the imap server for them (dovecot in my setup).
Is there a way to forward the client ipv4 to the imap server so fail2ban can be used? Or even better to filter suspicious traffic on opnsense-level?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1614
Karma: 176
Re: Hardening a IMAP server behind HAPROXY // fail2ban
«
Reply #3 on:
September 04, 2024, 11:23:07 am »
Well thats essentially what the HA Proxy Protocol is for:
https://www.haproxy.com/documentation/haproxy-configuration-tutorials/client-ip-preservation/enable-proxy-protocol/
Your Backend Server just needs to understand the "HA Proxy Protocol Header" in order to see the real IP of the clients.
Also, if it is not RAW traffic routing on Layer 4 for IMAP, but a Webmailer on Port 443, you can also use the HTTP Header "X-Forwarded-For".
«
Last Edit: September 04, 2024, 11:25:05 am by Monviech
»
Logged
Hardware:
DEC740
fritz
Newbie
Posts: 3
Karma: 0
Re: Hardening a IMAP server behind HAPROXY // fail2ban
«
Reply #4 on:
September 05, 2024, 01:39:00 am »
Thanks, ha proxy protocol just made it happen! for those who are wondering: dovecot itself (as many other services) is capable of interpreting ha proxy protocol when configured so. proxy protocol can be enabled in the gui, haproxy settings, in the advanced mode settings of the backend pool.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
Hardening a IMAP server behind HAPROXY // fail2ban