View Issue Details

ID: 0002229
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2013-02-07 18:02
Reporter: Arnd
Assigned To: jraby
Status: resolved
Resolution: fixed
Product Version: 2.0.4b
Fixed in Version: 2.0.5
Summary: 0002229: X-Forwarded-For in sogo.log of fail2ban

In a proxy setup the sogo.log does not show the IP of the actual client.
This has been discussed in the maillist in 2010, however it has not been implemented so far.

Printing the X-Forwarded-For into the logfile would help to secure sogo via fail2ban.

To secure the account via LDAP password retries is no good solution, because DOS is possible.

I would be able and willing to implement and post fail2ban configuration, after the implementation of this feature request.

Tags: No tags attached.




2013-02-05 19:13

viewer   ~0005340

Fixed with this commit:

This will be part of the next nightly build, can you test it and confirm that it works as expected?

If you prepare a fail2ban config, consider posting it (mailing list or here), we could include it in the distribution.


2013-02-06 07:55


sogo_mod.log (1,151 bytes)


2013-02-06 07:56

reporter   ~0005352

Last edited: 2013-02-06 08:01

Hi jraby,
thanks for the quick response!
I'm not quite sure when nightlies are done, however from the GitHub code, the logfile will now show the IP instead of "localhost" (attached file).

This would do for my purpose, however I would need to write a script to put together the multiline-output to a single-lined-file, as fail2ban does single-line regexp, only. This could be achieved putting the IP into the error line of the password policy:
"Login for user 'scriptKiddy' might not have worked"
=> "Feb 06 08:22:39 sogod [...] Login for user 'scriptKiddy' from '' might not have worked [...]"

Then, the regexp for fail2ban is quite obvious:
fail2ban-regex /var/log/sogo/sogo.log "Login for user '.*' from '<HOST>' might not have worked"

fail2ban does:
Addresses found:
[1] (Wed Feb 06 08:22:39 2013)

so: can you please add a "from '<HOST>'" to the logfile - should be sogod?

ps.: when it works, I'll be happy to provide full fail2ban config for the distro.
pps: the update for libsbjson2.3_4.9.r1664.20130206 works as expected, brilliant!



2013-02-06 14:35

viewer   ~0005354

Better now?

Feb 06 09:21:47 sogod [1906]: <0x0x555555dfc760[LDAPSource]> <NSException: 0x5555560b4b90> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=sogo2,ou=people,dc=example,dc=com"; }
Feb 06 09:21:47 sogod [1906]: SOGoRootPage Login from '' for user 'sogo2' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0 - - [06/Feb/2013:09:21:47 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/37 0.006 - - 0

Feb 06 09:22:14 sogod [1906]: SOGoRootPage successful login from '' for user 'sogo2' - expire = -1 grace = -1 - - [06/Feb/2013:09:22:14 GMT] "POST /SOGo/connect HTTP/1.1" 200 27/37 0.059 - - 4K

As per the commit message, keep in mind that the X-Forwarded-For header may contain more than one IP separated by a comma if the request went through more than one proxy.
eg: X-Forwarded-For: client, proxy1, proxy2



2013-02-06 15:15

reporter   ~0005358

Now that's awesome, thank you!
I'll prepare fail2ban configuration/filters till tomorrow for the nightly and test them. If all's fine, I'll attach configurations to this bug and ticket can be closed - and I'll mail to

I will then hopefully be able to support comma separated IPs for multi-hops, or at least to use the first one (original client), only.



2013-02-07 11:07

reporter   ~0005369

Hi jraby,
worked like a charm, so the fail2ban configuration is:

  1. Add jail to /etc/fail2ban/jail.local

    [sogo]
    enabled = true
    port = http,https
    # in proxy-free setup this would be:
    # port = 20000
    filter = sogo
    logpath = /var/log/sogo/sogo.log
    maxretry = 5

  2. Add filter: /etc/fail2ban/filter.d/sogo.conf

    # Fail2Ban configuration file
    #
    # By Arnd Brandes
    #

    [Definition]

    # Option: failregex
    # Filter Ban in /var/log/sogo/sogo.log
    # Note: the error log may contain multiple hosts, whereas the first one
    # is the client and all others are proxies. We match the first one, only
    failregex = Login from '<HOST>.*' for user '.*' might not have worked

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =


Thank you very much, I think this feature request is completed now!
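
The filter above can be checked offline against lines in the sogod format; this is an added example, not code from the thread, SOGo or fail2ban. It swaps `<HOST>` for a simplified IPv4-only group (fail2ban's own expansion is broader), ignores findtime, uses constructed log lines, and shows why the `.*` after `<HOST>` is needed for multi-hop X-Forwarded-For lists. It assumes the fronting proxy overwrites any client-supplied X-Forwarded-For, so the first entry is the address the proxy actually saw.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r"Login from '<HOST>.*' for user '.*' might not have worked"
STRICT = r"Login from '<HOST>' for user '.*' might not have worked"
MAXRETRY = 5  # same threshold as the jail in the thread

# Constructed log lines in the sogod format quoted in the thread;
# client addresses are from the documentation ranges.
FAIL = ("Feb 06 09:21:47 sogod [1906]: SOGoRootPage Login from '{src}' for "
        "user '{user}' might not have worked - password policy: 65535 "
        "grace: -1 expire: -1 bound: 0")
OK = ("Feb 06 09:22:14 sogod [1906]: SOGoRootPage successful login from "
      "'{src}' for user '{user}' - expire = -1 grace = -1")
SAMPLE_LOG = (
    [FAIL.format(src="203.0.113.7", user="sogo2")] * 2
    # Two hops: client first, then the proxy that forwarded the request.
    + [FAIL.format(src="203.0.113.7, 10.0.0.2", user="sogo2")] * 3
    + [FAIL.format(src="198.51.100.9, 10.0.0.2, 10.0.0.3", user="alice")]
    + [OK.format(src="203.0.113.7", user="sogo2")]
)


def failures_per_host(lines, failregex=FAILREGEX):
    """Count failregex matches per captured host, as the filter would see them."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    counts = failures_per_host(lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))          # trailing .* handles proxy lists
    print(failures_per_host(SAMPLE_LOG, STRICT))  # misses multi-hop lines
    print(hosts_to_ban(SAMPLE_LOG))
```

Against a live log, `fail2ban-regex /var/log/sogo/sogo.log /etc/fail2ban/filter.d/sogo.conf` performs the same check with fail2ban's real `<HOST>` handling.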


Issue History

Date Modified Username Field Change
2013-02-05 15:07 Arnd New Issue
2013-02-05 19:07 jraby Status new => assigned
2013-02-05 19:07 jraby Assigned To => jraby
2013-02-05 19:13 jraby Note Added: 0005340
2013-02-05 19:13 jraby Status assigned => feedback
2013-02-06 07:55 Arnd File Added: sogo_mod.log
2013-02-06 07:56 Arnd Note Added: 0005352
2013-02-06 07:57 Arnd Note Edited: 0005352
2013-02-06 08:01 Arnd Note Edited: 0005352
2013-02-06 14:35 jraby Note Added: 0005354
2013-02-06 15:15 Arnd Note Added: 0005358
2013-02-07 11:07 Arnd Note Added: 0005369
2013-02-07 18:02 jraby Status feedback => resolved
2013-02-07 18:02 jraby Resolution open => fixed
2013-02-07 18:02 jraby Fixed in Version => 2.0.5