Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3 - Page 2

Want to support HowtoForge? Become a subscriber!
Submitted by gscott187 (Contact Author) (Forums) on Tue, 2009-08-11 11:35. ::

4. Restarting fail2ban

A restart of the fail2ban daemon is required to load the changes made:

service fail2ban restart


5. Testing correct source address logging

cd /var/lib/squirrelmail/prefs
tail -f squirrelmail_access_log

Login to your SquirrelMail Web interface.

SquireelMail interface

In the operating system's terminal window, you will see the source address of the successful login appear in the open squirrelmail_access_log file:

08/03/2009 10:17:33 [LOGIN] (localhost) from XXX.XXX.XX.XX:
08/03/2009 10:18:13 [LOGOUT] (localhost) from XXX.XXX.XX.XX:

Exit your SquirrelMail session but leave the squirrelmail_access_log file open after seeing the correct source address.


6. Testing unauthorised logins

Log in a few times to the SquirrelMail Web interface using incorrect usernames and/or passwords. This will create error events in the squirrelmail_access_log file:

08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.

Close the squirrelmail_access_log file:


Verify that fail2ban can trap these errors:

fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf

Running tests

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/lib/squirrelmail/prefs/squirrelmail_access_log


|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from : Unknown user or password incorrect
`- Number of matches:
   [1] 14 match(es)

|- Regular expressions:
`- Number of matches:


Addresses found:
    XXX.XXX.XX.XX (Mon Aug 03 10:37:35 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:19 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:30 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:42 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:53 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:23:13 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:31 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:41 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:54 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:22:07 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:36 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:51 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:03 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:16 2009)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
38 hit(s): Month/Day/Year Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 14

However, look at the above section 'Running tests' which could contain important

The output of fail2ban-regex above verifies that fail2ban is trapping error conditions.


7. Verify iptables extra chain

Iptables will create an extra input chain for SquirrelMail:

service iptables status

Near the top of the output you will see:

3    fail2ban-SquirrelMail  tcp  --             tcp dpt:80 

At the botton of the output you will see:

Chain fail2ban-SquirrelMail (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  

If all of the above tests have been passed, you can deploy fail2ban for SquirrelMail.

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.