Full Domino Fail2Ban Integration
Daniel Nashed – 20 March 2022 10:25:40
This week we tried to get Domino 12.0.1 IP based blocking working for our DNUG server.
It turns out to work great for the HTTP protocol. But our Sametime server got blocked on port LDAPS when verifying log-in information via LDAPS.
There are a couple of details to learn from this:
- IP based blocking in Domino 12.0.1 works on all protocols --> which is great
- Only HTTP supports trusted proxy settings using X-FORWARD headers to block the real IP
- Protocols like LDAP have no option to pass the originating IP
- Sametime as an application might want to implement a mechanism to prevent brute-force attempts
This sounds like one new AHA idea for Domino and Sametime each.
There isn't a workaround for Domino 12.0.1. But for Linux there is fail2ban.
Improvements for Domino fail2ban integration
I had an earlier implementation, which turned out to need updates, because the regular expression for finding the string and the date did not work any more.
The fail2ban integration reads the log-in failures from the Start Script log.
And it comes with flexible configuration including white listing IPs like our Sametime server.
When looking into it I also found a couple of details to improve:
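How per-IP failure counting ends up banning a relay such as the Sametime server, and what whitelisting its address changes, as an added Python sketch (not code from the start script or from fail2ban). It models fail2ban's maxretry/findtime/ignoreip logic over constructed log lines; the line format, the addresses and the function name find_bans are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an ASSUMED line format; real Domino log lines may differ.
# 192.0.2.10 stands in for the Sametime server relaying users' LDAPS logins.
SAMPLE_LOG = """\
2022-03-20 10:00:01 LDAP: authentication failure for alice from [192.0.2.10]
2022-03-20 10:00:30 HTTP: authentication failure for admin from [203.0.113.7]
2022-03-20 10:01:12 LDAP: authentication failure for bob from [192.0.2.10]
2022-03-20 10:01:40 HTTP: authentication failure for admin from [203.0.113.7]
2022-03-20 10:02:05 LDAP: authentication failure for carol from [192.0.2.10]
2022-03-20 10:02:10 HTTP: authentication failure for root from [203.0.113.7]
2022-03-20 10:03:00 HTTP: authentication failure for dave from [198.51.100.4]
2022-03-20 10:30:00 HTTP: authentication failure for dave from [198.51.100.4]
2022-03-20 10:31:00 HTTP: authentication failure for dave from [198.51.100.4]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+: "
    r"authentication failure .*\[(?P<ip>[0-9A-Fa-f.:]+)\]$"
)

def find_bans(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Return IPs reaching maxretry failures within findtime seconds, in ban order."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # source IP -> timestamps of its recent failures
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text was not an IP address
        if any(ip in net for net in ignored):
            continue  # whitelisted source: never counted, never banned
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()  # drop failures that fell out of the findtime window
        if len(hits) >= maxretry and str(ip) not in banned:
            banned.append(str(ip))
    return banned
```

Calling find_bans(SAMPLE_LOG) bans the relay address first, because three different users mistyping a password all appear to come from one IP; passing ignoreip=["192.0.2.10"] leaves only the HTTP source banned.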
- It needs manual configuration --> a setup script would be good
- Using the fail2ban commands might not be easy, when you are not using them every day --> having a small script would be cool
- You had to disable SELinux. It wasn't supported with Domino so I did not look into it in detail and just described how to disable it.
Today SELinux is high on the wish list for the next Domino release. I run it already on my hosted production machines.
That's why I took a look at what is missing.
The SELinux story would be something for a separate blog post or page in the start script documentation.
But I am working on a "domban" script which automates all your fail2ban operations from installation and config to operations and SELinux configuration.
Here is what I got working so far. It's not yet in the downloadable start script version.
It is already part of the start script and I wrote basic documentation --> https://nashcom.github.io/domino-startscript/fail2ban/
Your feedback
So if anyone wants to look into it, just grab it from GitHub.
I would really like your feedback on this and other Linux additions.
When it comes to security, it is often getting complicated.
I love Linux and Domino in combination as a platform.
So I want to help making it even easier to use in a secure way.
What else is missing? I thought about adding a standard sshd configuration.
This would also include documentation on how to secure your Linux server.
And I would add the configuration to the "extra" directory in the Domino Start Script GitHub repository along with a new documentation page.
Fail2ban will also get its own page on https://nashcom.github.io/domino-startscript/
And I will also go back in time and update my existing blog post.
See the current state of functionality as of this morning.
All the manual steps are gone. But I will describe again all the steps usually required to be configured manually later.
-- Daniel
domban help
Domino Fail2Ban
---------------
Syntax: domban
ssh Show status of SSH jail (no parameter = show Domino jail)
unblock
cfg Configure fail2ban jail.local. Default editor: vi. Use e.g. export EDIT_COMMAND=nano
log
status Show systemd fail2ban status
restart Restart fail2ban service
systemd
install [upd] Install fail2ban and 'domban' script - 'upd' overwrites existing 'jail.local'
test
- No parameter shows Domino jail status
selinux Show SELinux status
selinux logset Lable start script log file with fail2ban access
selinux logdel Remove label for start script log
selinux relable Relable log files
domban selinux
--------------------------------------------------------------------------------
Domino Fail2Ban SELinux Status
--------------------------------------------------------------------------------
SELinux Status : Enforcing
Domino log file : /local/log/notes.log
Log Status : OK