Fixed with this commit: https://github.com/inverse-inc/sope/commit/b45dbb52984cc5dd62c5a5e589f164dbbc26309f

This will be part of the next nightly build, can you test it and confirm that it works as expected?

If you prepare a fail2ban config, consider posting it (mailling list or here), we could include it in the distribution.

Thanks.

Hi jraby,
thanks for the quick response!
I'm not quite shure when nightly's are done, however from the github code, the logile will now show the ip instead of "localhost" (attached file).

This would do for my purpose, however I would need to write a script to put together the multiline-output to a single-lined-file, as fail2ban does single-line regexp, only. This could be achieved putting the IP into the error line of the password policy:
"Login for user 'scriptKiddy' might not have worked"
=> "Feb 06 08:22:39 sogod [...] Login for user 'scriptKiddy' from '1.2.3.4' might not have worked [...]"

Than, the regexp for fail2ban is quite ovious:
fail2ban-regex /var/log/sogo/sogo.log "Login for user '.*' from '<HOST>' might not have worked"

fail2ban does:
...
Addresses found:
[1]
1.2.3.4 (Wed Feb 06 08:22:39 2013)
...

so: can you please add a "from '<HOST>'" to the logfile - should be sogod?

ps.: when it works, i'll be happy to provid full fail2ban config for the distro.
pps: the update for libsbjson2.3_4.9.r1664.20130206 works as expected, brillant!

Better now?

https://github.com/inverse-inc/sogo/commit/f8387b90ffd3f016f4a4de88577b1280a84aefc8

<pre>
Feb 06 09:21:47 sogod [1906]: <0x0x555555dfc760[LDAPSource]> <NSException: 0x5555560b4b90> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=sogo2,ou=people,dc=example,dc=com"; }
Feb 06 09:21:47 sogod [1906]: SOGoRootPage Login from '192.168.1.31' for user 'sogo2' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
192.168.1.31 - - [06/Feb/2013:09:21:47 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/37 0.006 - - 0

Feb 06 09:22:14 sogod [1906]: SOGoRootPage successful login from '192.168.1.31' for user 'sogo2' - expire = -1 grace = -1
192.168.1.31 - - [06/Feb/2013:09:22:14 GMT] "POST /SOGo/connect HTTP/1.1" 200 27/37 0.059 - - 4K
</pre>

As per the commit message, keep in mind that the x-forwarded-for header may contain more than one ip separated by a coma if the request went through more than one proxy.
eg: X-Forwarded-For: client, proxy1, proxy2

Now thats awesome, thank you!
i'll prepare jail2ban configruation/filters till tomorow for the nightly and tets them. If all's fine, i'll attach configurations to this bug and tickend can be closed - and i'll mail to users@sogo.nu

I will then hopefully be able to support comma separated ips for multi-hops, or at least to use the first one (orignial client), only.

Hi jraby,
worked like a charm, so the fail2ban configuration is:

1. Add jail to /etc/fail2ban/jail.local

   [SOGo]
   enabled = true
   port = http,https

   in proxy-free setup this would be:

   port = 20000

   filter = sogo
   logpath = /var/log/sogo/sogo.log
   maxretry = 5
   <<<

2. add filter: /etc/fail2ban/filter.d/sogo.conf

   /etc/fail2ban/filter.d/sogo.conf

   #

   Fail2Ban configuration file

   By Arnd Brandes

   SOGo

   #

   [Definition]

   Option: failregex

   Filter Ban in /var/log/sogo/sogo.log

   Note: the error log may contain multiple hosts, whereas the first one

   is the client and all others are poxys. We match the first one, only

   failregex = Login from '<HOST>.' for user '.' might not have worked

   Option: ignoreregex

   Notes.: regex to ignore. If this regex matches, the line is ignored.

   Values: TEXT

   #
   ignoreregex =

<<<

Thank you very much, I think this feature request is compleated now!

Greez
Arnd