Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3

Introduction

This tutorial shows how you can prevent unlimited login attempts and hence brute force attacks against your SquirrelMail Web login by using fail2ban.

1. Requirements

Ensure that both fail2ban and SquirrelMail are installed on a CentOS v5.3/ISPConfig 3 machine detailed here.

However, their installation is straight forward:

yum install fail2ban squirrelmail

You must be actively using iptables as your firewall. Fail2ban works by creating a temporary drop rule for the unauthorised source IP address.

2. SquirrelMail logging configuration

SquirrelMail (imapd) under CentOS v5.3/ISPConfig 3 by default logs to /var/log/maillog but only as IP address 127.0.0.1 (localhost). Since we are trying to ban a specific source address, fail2ban cannot use this file. Therefore, we install and use Squirrel Logger to capture the real source address of the login attempt.

Download and install Squirrel Logger:

cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger-2.3-1.2.7
cp config_example.php config.php

Whilst this plugin was the latest version of Squirrel Logger, if there has been a revision upgrade then download it directly from the SquirrelMail Plugins site here.

If your machine uses a local time that is not GMT, use vi to change: $sl_use_GMT = 1 to $sl_use_GMT = 0 in config.php:

Original config.php:

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 1;
...

Modified config.php:

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 0;
...

Delete the downloaded Squirrel Logger gzip file:

cd /usr/share/squirrelmail/plugins
rm squirrel_logger-2.3-1.2.7.tar.gz

Configure SquirrelMail to use the Squirrel Logger plugin:

/usr/share/squirrelmail/config/conf.pl

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>

Select: Plugins

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail

  Available Plugins:
    4. listcommands
    5. fortune
    6. filters
    7. translate
    8. abook_take
    9. spamcop
    10. squirrel_logger
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >> 

Select: squirrel_logger

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. squirrel_logger

  Available Plugins:
    5. listcommands
    6. fortune
    7. filters
    8. translate
    9. abook_take
    10. spamcop
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >> 

Select: Save data, Quit

3. Fail2ban configuration

Change to the fail2ban configuration directory:

cd /etc/fail2ban

On the assumption that you are using http transport for SquirrelMail, use vi to add the following lines to the jail.conf file:

[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4

Ensure that maxretry and email addresses for dest and sender are set to your requirements.

Change to fail2ban filter directory:

cd filter.d

In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:

# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =

Fail2ban needs to recognise the date format used in the squirrelmail_access_log file.

cd /usr/share/fail2ban/server

Use vi, to edit the datedetector.py file and add the following lines between the Apache format and Exim format sections:

# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)