Fail2ban botsearch
Today fail2ban banned me. Twice. This is because I’m using a “botsearch” filter, which aims to detect adversarial bots that call non-existing endpoints of known web services (like the WordPress admin page). Part of it looks like this:
webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
At the same time, out of curiosity, I decided to try Thunderbird and Betterbird. When adding a new e-mail address, they make several web requests to auto-detect the mail server configuration. They all ended up as HTTP 404, because I don’t host any e-mail infrastructure, and were detected by fail2ban as “botsearch” queries. The matching nginx log lines follow:
<IP> - - [<DATE>] "GET /mail/config-v1.1.xml?emailaddress=<EMAIL> HTTP/1.1" 404 124 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"
<IP> - - [<DATE>] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=<EMAIL> HTTP/2.0" 404 985 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"
<IP> - - [<DATE>] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=<EMAIL> HTTP/2.0" 404 985 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"
Curiously, fail2ban banned me only on ports 80 and 443, which is neat, because I could SSH to the server and unban myself.
To be honest, I’m not sure what the best action is now. Disabling the part of the regular expression responsible for “mail” queries is an obvious temporary workaround, but other than the infrequent e-mail autoconfig requests, the fail2ban rule is actually useful. Maybe I should just serve this file, which sounds easier than messing around with fragile regular expressions?
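To see how the two options compare, here is an added example (not the post’s own code or fail2ban’s shipped filter) that replays the situation offline: a simplified stand-in for the nginx-botsearch failregex built from the webmail alternation quoted above, run over constructed log lines modelled on the ones in the post (the IPs, dates and e-mail address are placeholders). It assumes the filter matches a webmail name at the start of any path segment, which is what would be needed for the /.well-known/autoconfig/mail/... requests to be caught, and it compares dropping the “(ext)?mail” branch against a narrow ignore pattern covering only the two Thunderbird autoconfig URLs.

```python
import re

# Constructed nginx access-log lines modelled on the ones in the post.
# IPs come from RFC 5737 documentation ranges; the e-mail address is a placeholder.
LOG_LINES = [
    # Thunderbird autoconfig lookups, as in the post
    '203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /mail/config-v1.1.xml?emailaddress=user@example.org HTTP/1.1" 404 124 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user@example.org HTTP/2.0" 404 985 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user@example.org HTTP/2.0" 404 985 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1"',
    # A scanner probing for webmail installs that are not there
    '198.51.100.9 - - [10/May/2024:12:05:00 +0000] "GET /roundcube/ HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/May/2024:12:05:01 +0000] "GET /mail/ HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    # An ordinary 404 that must never count
    '192.0.2.5 - - [10/May/2024:12:06:00 +0000] "GET /about HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

# The webmail alternation quoted in the post, and a variant with the
# "(ext)?mail" branch removed (the crude workaround the post considers).
WEBMAIL = r"roundcube|(ext)?mail|horde|(v-?)?webmail"
WEBMAIL_WITHOUT_MAIL = r"roundcube|horde|(v-?)?webmail"


def build_failregex(webmail: str) -> re.Pattern:
    """Simplified stand-in for the nginx-botsearch failregex (not fail2ban's own).

    fail2ban strips the timestamp before matching and captures <HOST>; here the
    timestamp is matched literally and the host is a named group. Assumption:
    a request counts when any path segment starts with a webmail name and the
    response status is 404.
    """
    block = rf'\S*/(?:{webmail})\S*'
    return re.compile(
        rf'^(?P<host>\S+) - \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>{block}) \S+" 404 '
    )


# Narrow exemption: exactly the two autoconfig URLs Thunderbird requests
# (the same role an ignoreregex line plays in a fail2ban filter).
IGNOREREGEX = re.compile(
    r'"(?:GET|HEAD) /(?:\.well-known/autoconfig/)?mail/config-v1\.1\.xml(?:\?|\s)'
)


def count_hits(lines, failregex, ignoreregex=None):
    """Return {host: number of matching lines}, skipping lines the ignore pattern covers."""
    hits = {}
    for line in lines:
        m = failregex.search(line)
        if m is None:
            continue
        if ignoreregex is not None and ignoreregex.search(line):
            continue
        host = m.group("host")
        hits[host] = hits.get(host, 0) + 1
    return hits


def banned_hosts(lines, failregex, ignoreregex=None, maxretry=2):
    """Hosts reaching maxretry hits (the findtime window is ignored here; use your jail's values)."""
    return {h for h, n in count_hits(lines, failregex, ignoreregex).items() if n >= maxretry}


if __name__ == "__main__":
    stock = build_failregex(WEBMAIL)
    print("full alternation:    ", banned_hosts(LOG_LINES, stock))
    print("mail branch removed: ", banned_hosts(LOG_LINES, build_failregex(WEBMAIL_WITHOUT_MAIL)))
    print("with ignore pattern: ", banned_hosts(LOG_LINES, stock, IGNOREREGEX))
```

With the full alternation both the Thunderbird client and the scanner get banned. Dropping the “mail” branch spares Thunderbird but also lets the scanner’s /mail/ probe through, so it stays under the threshold. The narrow ignore pattern spares only the autoconfig URLs and still bans the scanner, which is the behaviour to aim for if the file is not going to be served.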
For reference, I’m leaving two links documenting Thunderbird’s behavior: