Would it be possible to combine fail2ban and/or nginx basic auth with the already existing login page?
One more line of defence, I assume.
And I'd like to disable the:
X-Powered-By: PHP/7.1.4 header (at least the version number)
Maybe even add a re-captcha?
WTF.
The mailcow UI already can be secured with the use of two factor
authentication. Where and why do you want additional http authentication?
For some guidance on fail2ban, please check the documentation.
On 10 May 2017 11:31:05, Marc Went notifications@github.com wrote:
Would it be possible to combine fail2ban and/or nginx basic auth
with the already existing login page?
One more line of defence, I assume.
And I'd like to disable the:
X-Powered-By: PHP/7.1.4 header (at least the version number)
I think the two factor is enough. Adding re-captcha is only going to slow down a brute force attack, but with two factor turned on, even if someone did know the password, without the 2FA code or device they are not going to get in anyway.
Re-captcha is a pain in the a** anyway.
To give a closing comment:
To secure the mailcow UI against unauthorized access, mailcow already incorporates a few techniques:
If that is not enough for you, you need to deploy your own measures.
A link to the fail2ban part in our documentation: https://mailcow.github.io/mailcow-dockerized-docs/firststeps-syslog/
If you encounter any problems with your fail2ban setup, please feel free to ask for help in the forums: https://forum.mailcow.email
I know this issue is already closed, but another way of securing the mailcow ui is to restrict the access by ip and subnetworks in nginx. For this, open:
<mailcow_root>/data/conf/nginx/site.conf/nginx/site.conf
Then look for "listen 127.0.0.1:65510;" and add the following lines after it:
#Allow subnetwork 1
allow aaa.bbb.ccc.0/24;
#Allow subnetwork 2
allow ddd.eee.fff.0/28;
#Allow ip
allow ggg.hhh.iii.jjj;
#deny for everybody else
deny all;
Replace the ips and masks by your networks and hosts.
Then restart your mailcow nginx server:
docker-compose stop nginx-mailcow
docker-compose start nginx-mailcow
This assumes that you and your users access the mailcow UI from the same networks, which works in my case. If this isn't the case, then you could try to set up a VPN server.
Anyway, I'm also using two factor auth and fail2ban. The IP restriction lowers the number of attackers.
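As an added example (not code from the thread or from the mailcow project), the following Python script generates the allow/deny block described in the comment above from a list of networks, refuses malformed entries instead of writing them into the config, and evaluates test client addresses with the same first-match-wins semantics nginx's access module uses, so the allow-list can be checked before it goes into the custom nginx include file. All addresses are constructed documentation ranges.

```python
import ipaddress
from typing import Iterable, List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", network-or-"all")


def build_access_rules(allowed: Iterable[str]) -> List[Rule]:
    """Validate each allowed network/host and return the ordered rule list.

    Mirrors the snippet from the thread: one `allow` per network, then
    `deny all`. Raises ValueError on a malformed entry so a typo never
    ends up in the nginx config (nginx would refuse to start on it anyway).
    """
    rules: List[Rule] = []
    for entry in allowed:
        # strict=False accepts a bare host ("203.0.113.7") as a /32 as well as a CIDR
        net = ipaddress.ip_network(entry.strip(), strict=False)
        rules.append(("allow", str(net)))
    rules.append(("deny", "all"))  # everything not listed above is rejected
    return rules


def render_nginx(rules: List[Rule]) -> str:
    """Render the rules as nginx directives for a server/location block."""
    lines = ["# IP allow-list for the mailcow UI (constructed example)"]
    for action, target in rules:
        lines.append(f"{action} {target};")
    return "\n".join(lines) + "\n"


def is_allowed(client_ip: str, rules: List[Rule]) -> bool:
    """Evaluate like ngx_http_access_module: the first matching directive wins."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return action == "allow"
    return True  # no directive matched; only reachable when `deny all` is missing


# Constructed sample: two office subnets and one admin host, as in the thread.
# Note: an IPv4-only list denies every IPv6 client once `deny all` is present.
ALLOWED = ["192.0.2.0/24", "198.51.100.16/28", "203.0.113.7"]
RULES = build_access_rules(ALLOWED)

if __name__ == "__main__":
    print(render_nginx(RULES))
    for probe in ("192.0.2.10", "198.51.100.20", "198.51.100.40", "203.0.113.8"):
        print(probe, "allowed" if is_allowed(probe, RULES) else "denied")
```

If the mailcow nginx container sits behind another reverse proxy, the access module sees the proxy's address rather than the client's, so the allow-list has to be enforced where the real client address is known.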
Thanks. :) The file site.blabla.custom should be preferred. Check https://mailcow.github.io/mailcow-dockerized-docs/u_e-nginx/
Thanks for the comment. I will do it that way