Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3 - Page 2
4. Restarting fail2ban
A restart of the fail2ban daemon is required to load the changes made:
service fail2ban restart
5. Testing correct source address logging
Log in to your SquirrelMail Web interface.
In the operating system's terminal window, you will see the source address of the successful login appear in the open squirrelmail_access_log file:
08/03/2009 10:17:33 [LOGIN] firstname.lastname@example.org (localhost) from XXX.XXX.XX.XX:
08/03/2009 10:18:13 [LOGOUT] email@example.com (localhost) from XXX.XXX.XX.XX:
Exit your SquirrelMail session but leave the squirrelmail_access_log file open after seeing the correct source address.
6. Testing unauthorised logins
Log in a few times to the SquirrelMail Web interface using incorrect usernames and/or passwords. This will create error events in the squirrelmail_access_log file:
08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Close the squirrelmail_access_log file.
Verify that fail2ban can trap these errors:
fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/lib/squirrelmail/prefs/squirrelmail_access_log
Results
=======
Failregex
|- Regular expressions:
|  \[LOGIN_ERROR\].*from
The output of fail2ban-regex above verifies that fail2ban is trapping error conditions.
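As an added example (not part of the original tutorial or of fail2ban itself), the following Python sketch reproduces offline what this test exercises: it matches LOGIN_ERROR lines and reports which source addresses would reach the ban threshold. Assumptions: the failregex printed above is cut off after "from", so the pattern here completes it with an IPv4 capture; the date is read as month/day/year; the log lines, addresses, and the maxretry and findtime values are constructed for illustration and are not this setup's jail configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the page's failregex is truncated after "from"; an IPv4 capture
# stands in here for whatever host pattern the real filter file uses.
TS_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed month/day/year
FAILREGEX = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\[LOGIN_ERROR\].*from (?P<host>\d{1,3}(?:\.\d{1,3}){3}):"
)

# Constructed sample lines in the log format shown above (documentation addresses).
SAMPLE_LOG = """\
08/03/2009 10:00:00 [LOGIN_ERROR] slow1 (localhost) from 198.51.100.9: Unknown user or password incorrect.
08/03/2009 10:08:00 [LOGIN_ERROR] slow2 (localhost) from 198.51.100.9: Unknown user or password incorrect.
08/03/2009 10:16:00 [LOGIN_ERROR] slow3 (localhost) from 198.51.100.9: Unknown user or password incorrect.
08/03/2009 10:17:33 [LOGIN] user@example.org (localhost) from 192.0.2.10:
08/03/2009 10:18:13 [LOGOUT] user@example.org (localhost) from 192.0.2.10:
08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from 203.0.113.7: Unknown user or password incorrect.
08/03/2009 10:37:50 [LOGIN_ERROR] wetwetr (localhost) from 203.0.113.7: Unknown user or password incorrect.
08/03/2009 10:38:02 [LOGIN_ERROR] 7846587435836 (localhost) from 203.0.113.7: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] typo (localhost) from 192.0.2.10: Unknown user or password incorrect.
"""

def find_failures(log_text):
    """Return (timestamp, host) for every line the filter would count."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:  # [LOGIN] and [LOGOUT] lines never match
            hits.append((datetime.strptime(m["ts"], TS_FORMAT), m["host"]))
    return hits

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # host -> failure times still inside the window
    banned = []
    for ts, host in sorted(find_failures(log_text)):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("failures matched:", len(find_failures(SAMPLE_LOG)))
    print("would be banned :", hosts_to_ban(SAMPLE_LOG))
```

With the constructed values, 203.0.113.7 crosses the threshold, while 198.51.100.9 does not because its three failures are spread over more than findtime seconds.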
7. Verify iptables extra chain
Iptables will create an extra input chain for SquirrelMail:
service iptables status
Near the top of the output you will see:
3 fail2ban-SquirrelMail tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
At the bottom of the output you will see:
Chain fail2ban-SquirrelMail (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
If all of the above tests have been passed, you can deploy fail2ban for SquirrelMail.