Iredmail web presentation + mod security

Has anyone tried to implement iredmail with mod security? My English is also not so good; I hope you understand my reasons. Thanks for your help in advance.

I have installed iredmail + web presentation on nginx, but I have a problem with modsec rules. I used apache2 + mod sec before. I implemented custom rules like RBL or dropping .php or .env requests, for example. You can find my examples below, which I used with apache2. RBL rule:

SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:171,t:none,pass,log,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.an>
 setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"

.php rule:

SecRule REQUEST_LINE "@contains .php" "phase:1,id:150,drop,status:444,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,msg:'Request contains .php file'"

.env rule:

SecRule REQUEST_LINE "@contains .env" "phase:1,id:155,drop,status:444,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,msg:'Request contains .env file'"

It worked very well on apache, spammers kiss ..... :) but it drops incorrectly on iredmail with nginx.

RBL does not drop at all. I tried the RBL from projecthoneypot but it is the same. For example, if I try www.example.com/index.php it drops fine, but some requests from spammers kill me. I don't know where they come from, but the request was killed on apache.

Below is access.log:

184.168.103.230 - - [08/Feb/2022:17:33:28 +0100] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
184.168.103.230 - - [08/Feb/2022:17:33:31 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "http://example.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Below is error.log:

2022/02/08 17:33:31 [error] 1036473#1036473: *232 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 184.168.103.230, server: domain.com, request: "GET /wp-login.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "example.com", referrer: "http://example.com/wp-login.php"

ModSecurity does not drop it with the .php rule, but when it is dropped the error log looks like below:

2022/02/08 18:28:29 [error] 1036473#1036473: *238 [client 173.212.214.140] ModSecurity: Access denied with code 444 (phase 1). Matched "Operator `Contains' with parameter `.php' against variable `REQUEST_LINE' (Value: `GET /wp-login.php HTTP/1.1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "279"] [id "150"] [rev ""] [msg "Request contains .php file"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "xxxx"] [uri "/wp-login.php"] [unique_id "1644341309"] [ref "o13,4v0,26t:urlDecode,t:lowercase,t:normalizePath"], client: 173.212.214.140, server: example.com, request: "GET /wp-login.php HTTP/1.1", host: "example.com", referrer: "http://example.com/wp-login.php"

In this situation it was sometimes dropped, but sometimes not. On apache, for example, it was dropped every time. Below is my nginx config. 00-default.conf:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen server ip:80 default_server;
    listen [server ip6::1]:80 default_server;
    server_name _;

    return 444;

}

server {
    # Listen on ipv4
    listen server ip:80;
    listen [server ip::6]:80;
    server_name mail.example.com;

    root /var/www/html;
    index index.html robots.txt;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    #Remove Unwanted HTTP Methods
    if ($request_method !~ ^(GET|POST)$) {
        return 444;
    }
}

00-default-ssl.conf:

server {
    listen 443 default_server;
    listen [::]:443 default_server;
    listen server ip:443 default_server;
    listen [server ip::6]:443 default_server;
    server_name _;

    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot

    return 444;

}

server {
    listen server ip:443 ssl http2;
    listen [server ip::6]:443 ssl http2;
    server_name mail.example.com;

    root /var/www/html;
    index index.php index.html;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;

    #Remove Unwanted HTTP Methods
    if ($request_method !~ ^(GET|POST)$) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

mydomaine.conf:

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        return 444;
    }

}


server {
    listen server ip:443 ssl http2;
    listen [server ip::6]:443 ssl http2;
    root /var/www/html/example.com;
    index index.html robots.txt;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404/index.html;

}

Maybe I do not understand the iredmail concept; I'm not an iredmail admin. iRedMail is a good solution, but sometimes it is used by non-professionals :) and as a result it does not drop requests from spammers.

Thanks for your help.

mangohost
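One way to find out whether the .php / .env drop rules are actually being applied in a given server block is to audit the nginx access log against what the rules should have done. The script below is an added example, not part of the post or of iRedMail; it reproduces the rule logic from the post (ids 150 and 155, `@contains` after `t:urlDecode,t:lowercase,t:normalizePath`, drop with status 444) in Python and flags every request that the rules should have dropped but that received any other status, such as the 404 in the post where the request reached php-fpm. The log lines are constructed sample data, and `normalize_path` is an approximation of ModSecurity's transformation, not its code.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample nginx access-log lines (combined format). The first two
# mirror the shape of the lines in the post; the rest are constructed to
# exercise the transformation chain (percent-encoding, upper case, "..").
SAMPLE_ACCESS_LOG = """\
184.168.103.230 - - [08/Feb/2022:17:33:28 +0100] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"
184.168.103.230 - - [08/Feb/2022:17:33:31 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "http://example.com/wp-login.php" "Mozilla/5.0"
173.212.214.140 - - [08/Feb/2022:18:28:29 +0100] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Feb/2022:18:30:00 +0100] "GET /admin/%2Eenv HTTP/1.1" 200 812 "-" "curl/7.81.0"
203.0.113.10 - - [08/Feb/2022:18:30:05 +0100] "GET /a/../index.PHP HTTP/1.1" 444 0 "-" "curl/7.81.0"
198.51.100.7 - - [08/Feb/2022:18:31:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# The two drop rules from the post: rule id -> needle of the @contains operator.
RULES = {150: ".php", 155: ".env"}
DROP_STATUS = 444  # both rules use drop,status:444


def normalize_path(s: str) -> str:
    """Approximation of ModSecurity's t:normalizePath: collapse repeated
    slashes and resolve "." and ".." segments. Applied to the whole request
    line because the rules inspect REQUEST_LINE, exactly as ModSecurity does."""
    s = re.sub(r"/+", "/", s)
    out = []
    for seg in s.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if out and out[-1] != "":
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def transform(request_line: str) -> str:
    """Apply the rules' chain in order: t:urlDecode, t:lowercase, t:normalizePath."""
    return normalize_path(unquote_plus(request_line).lower())


def expected_rule(request_line: str):
    """Id of the first rule whose needle appears in the transformed line, else None."""
    transformed = transform(request_line)
    for rule_id, needle in RULES.items():
        if needle in transformed:
            return rule_id
    return None


def parse_line(line: str):
    """Extract ip, request line and status from one access-log line (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "req": m["req"], "status": int(m["status"])}


def audit(log_text: str):
    """Return findings for requests the rules should have dropped but that were
    answered with a status other than 444 (i.e. ModSecurity did not act)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule_id = expected_rule(rec["req"])
        if rule_id is not None and rec["status"] != DROP_STATUS:
            findings.append({**rec, "rule": rule_id})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESS_LOG):
        print(f"rule {f['rule']} should have dropped {f['req']!r} from {f['ip']}, "
              f"but nginx answered {f['status']}")
```

Run it against a real access.log by replacing `SAMPLE_ACCESS_LOG` with the file contents. A finding with a 301 or 404 means the request passed through a server block where the rule never fired; that is the block whose `modsecurity` directives (and any `modsecurity off` inside the included templates) to check first.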
