oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-06-26 16:45:52 +00:00
Code Wiki Activity
Page: Fail2Ban Setup
Pages
01 ‐ Reporting Issues 02 ‐ Contributions C*DAV explanations Client InfCloud Client Status Client Thunderbird Client pimsync Collection Storage Collection type VSUBSCRIBED (Webcal) Current Maintainers Contributors Development Testing Release Donations Fail2Ban Setup Home Installing on Debian Linux Installing on Docker Installing on OpenBSD LDAP authentication Performance Tuning Production ready installation Radicale Custom DAV protocol extensions Radicale Internals Reverse Proxy Diagnostics Troubleshooting Reverse Proxy Hints Server Diagnostics Troubleshooting Sharing Collections Simple installation
4 Fail2Ban Setup
Peter Bieringer edited this page 2024-09-24 07:49:04 +02:00
Table of Contents

Radicale >= 3.0.0

(i) Radicale >= 3.0.0 logs to stdout which is usually catched by 'systemd/journald'

Radicale without reverse proxy

filter configuration

Example: /etc/fail2ban/filter.d/radicale.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Failed\slogin\sattempt\sfrom\s<HOST>:\s.*

[Init]

jail configuration

Example: /etc/fail2ban/jail.d/90-radicale.conf

Adjust port according to configuration

[radicale]
enabled = true
port = 5232
filter = radicale
banaction = %(banaction_allports)s[name=radicale]
backend = systemd
journalmatch = _SYSTEMD_UNIT=radicale.service
maxretry = 2
bantime = -1
ignoreip = 127.0.0.1
findtime = 14400

Testing

Create a request with an invalid user

curl -u testerror:testerror http://localhost:5232/testerror

Check regular expression match

fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale.service /etc/fail2ban/filter.d/radicale.conf
...
lines: ... lines, ... ignored, 1 matched, ... missed
...

Radicale behind reverse proxy

filter configuration

Example: /etc/fail2ban/filter.d/radicale.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Failed\slogin\sattempt\sfrom\s.*\(forwarded for \'<HOST>\'.*\):\s.*

[Init]

jail configuration

Example: /etc/fail2ban/jail.d/90-radicale.conf

Adjust port according to your reverse proxy configuration

[radicale]
enabled = true
port = 80, 443
filter = radicale
banaction = %(banaction_allports)s[name=radicale]
backend = systemd
journalmatch = _SYSTEMD_UNIT=radicale.service
maxretry = 2
bantime = -1
ignoreip = 127.0.0.1
findtime = 14400

Legacy example

To use Fail2Ban with radicale change Logging to INFO

Configs for fail2ban

filter http/https:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*\sfor\s\'\/\'\sreceived\sfrom\s\'<HOST>\'.*\n^^.*Failed\slogin\sattempt:\s
ignoreregex =

[Init]
maxlines = 4

filter webdav:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Failed\slogin\sattempt.*\n^.*\n^.*\s\'\/.well\-known.*\sfrom\s\'<HOST>\'
ignoreregex =

[Init]
maxlines = 3

jail:

[radicale]
enabled = true
port = 80,443
filter = radicale
action = iptables-allports[name=radicale]
logpath = /var/log/remotelogs/192.168.50.115/radicale-logins.log
maxretry = 2
bantime = -1
ignoreip = 192.168.50.0/24
findtime = 14400