Mailcow-dockerized: Ban / unban IP's via the API

Hi, not yet, I can try to implement it in the next days.

Great. Please let me know if I can help in any way, like testing.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I have done this with the following command in a shell script running on the same machine
curl -X POST https://EXAMPLE.ORG/api/v1/edit/fail2ban -d attr="{"ban_time":"1800","max_attempts":"10","retry_window":"600","netban_ipv4":"24","netban_ipv6":"64","whitelist":"IP1\r\nIP2","blacklist":""}" -H "X-API-Key: ABCD1234ABCD1234"
Unfortunately it stopped working some days ago and I'm still trying to fix it...

It's in the api logs within system&configuration, though...

What happens when ou set whitelist: 1.2.3.4 and blacklist: 2.3.4.5?

Unfortunately no difference.
My API Key and accepted IPs (in .env) haven't changed, but I updated mailcow dockerized some days ago. Is there any way to check when I last updated? Because I know when the script was called the last time (per cron). This way I could find out if it happened after the update or failed even before.

Something else: first time I got this running was with a dockerized version on 2018-12-01, last time it worked was on 2018-12-13, first time it failed was on 2019-01-27, but I have added one IP in the blacklist via website in between (2019-01-23).

I know the API still sucks a lot, but this works:

curl -4 -X POST https://mx.mailcow.email/api/v1/edit/fail2ban -d attr='{"ban_time":"1800","max_attempts":"10","retry_window":"600","netban_ipv4":"24","netban_ipv6":"64","whitelist":"1.2.3.4,4.3.2.1","blacklist":"5.6.7.8"}' -H "X-API-Key: 001FC1-0145BC-C868B5-9A04E4-XYZXY"

Does you command return anything in the console?

No returns in the console. I have tried the commas instead of line feeds, added ipv4 - it did not help yet. I also just updated my mailcow with the update.sh script, still no success but still trying to figure it out.

(I hope the API-Key in your example is not the real one. Mine looks different but should be correct (slightly changed) according to the documentation: API_KEY=HAS8JK2B4OAEKLC40D28DJQEM)

And now I know why my monit checks do not trigger fail2ban anymore.
Anyway: still trying to figure out, why my update fails.

In the shown commit we removed a fail2ban check, not added. :)

Can you please pull data/web/inc/sessions.inc.php from git and test again? You should see an error message now with your API request.

In the shown commit we removed a fail2ban check, not added. :)

Right, prior to this my own server was banned because monit checked it, did not login and => ban. Now even with the missing update of the whitelist, my monit checks did not lead to the ban.

Can you please pull data/web/inc/sessions.inc.php from git and test again? You should see an error message now with your API request.

Finally! And my own fault, the answer was: {"type":"error","msg":"api access denied for ip 1XX.1XX.113.1XX"}
My IP on the server changed after the last boot from 1XX.1XX.1_1_3.1XX to 1XX.1XX.1_3_3.1XX (all digits the same, just one changed!), I did not see that and did not update .env. Now I am about to configure a static IP in my webhoster's admin panel.

Thank you so much for the fast update!

Ahh, the _missing_ update. :-) Sorry.

Nah, thanks for detecting a very serious bug (logging with failed API auth, when API is enabled).

You can btw. ban/unban by API like this:

curl -4 -X POST https://mx.mailcow.email/api/v1/edit/fail2ban -d attr='{"action":"blacklist","network":"5.1.76.1"}' -H "X-API-Key: 001FC1-0145BC-C868B5-9A04E4-XXXXX" | jq .

action can be whitelist, too. "blacklist" will now restart netfilter-mailcow. This only happens with API calls, not by changes via UI (there is a button to restart netfilter-mailcow though).

Currently your last suggestion (pulled from master some minutes ago) is not working correctly for me (no changes visible in the UI), the "old" style still does it.

This works for sure:

curl -4 -X POST https://mx.mailcow.email/api/v1/edit/fail2ban -d attr='{"action":"blacklist","network":"5.1.76.5"}' -H "X-API-Key: 001FC1-0145BC-C868B5-9A04E4-BLA"

Just tested it again. It works for a single IP/network only.

Ah, thanks again - I've tried it with lists, so maybe the response should be corrected. I got:

[
  {
    "type": "success",
    "log": [
      "fail2ban",
      "edit",
      {
        "network": "3.4.5.6,1.1.1.1",
        "action": "blacklist"
      }
    ],
    "msg": [
      "object_modified",
      "3.4.5.6,1.1.1.1"
    ]
  }
]

Yes, should be changed.

Edit: Fixed with the next update.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.