Configuring fail2ban With SquirrelMail On Debian Lenny 5.0/ISPConfig 3

In this article I will show how to prevent brute force attacks with Fail2ban against your SquirrelMail Web login using the Squirrel Logger plugin.

1. Requirements

Ensure that fail2ban and SquirrelMail are installed on a Debian Lenny/ISPConfig 3 machine.
To install ISPConfig 3 + SquirrelMail, please folow this guide.
To install fail2ban, please folow this guide.

2. Squirrel Logger

Download and install Squirrel Logger:

cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger
cp config_example.php config.php

Configure Squirrel Logger:

vi config.php

If your server doesn't use the GTM local time, please change $sl_use_GMT = 1 to $sl_use_GMT = 0 :

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 0;
...

Change the location of your log file from $sl_logfile = $data_dir . 'squirrelmail_access_log'; to $sl_logfile = '/var/log/squirrelmail.log'; :

...
// The location of your log file when logging to file.
// Make sure the user your webserver runs as can write
// to this file.  Use the $data_dir variable if you
// want to place the log file in the SquirrelMail data
// directory.
//
// Only applicable when $sl_logs includes "file".
//
// $sl_logfile = $data_dir . 'squirrelmail_access_log';
$sl_logfile = '/var/log/squirrelmail.log';
...

Change the date format to match the fail2ban regex from $sl_dateformat = 'm/d/Y H:i:s'; to $sl_dateformat = 'M j H:i:s'; :

...
// Specify what date format you want
//
// See the PHP manual for the date function for help
// at http://www.php.net/manual/function.date.php
//
// examples:
//
//    'm/d/y H:i:s'     ==  03/10/2001 05:16:08
//    'F j, Y, g:i a'   ==  March 10, 2001, 5:16 am
//    'D M j Y H:i:s T' ==  Sat Mar 10 2001 15:16:08 CDT
//
// $sl_dateformat = 'm/d/Y H:i:s';
$sl_dateformat = 'M j H:i:s';
... 

Create a new squirrelmail.log file in /var/log/:

touch /var/log/squirrelmail.log
chown www-data:www-data /var/log/squirrelmail.log
chmod 640 /var/log/squirrelmail.log

Clean the installation:

cd ..
rm squirrel_logger-2.3-1.2.7.tar.gz

Configure SquirrelMail to use the Squirrel Logger plugin:

squirrelmail-configure

...
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
... 

Select "Plugins", in my case, number 8.

...
18. spamcop
19. squirrel_logger
20. squirrelspell
21. test
... 

Select squirrel_logger, in my case, number 19.

...
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger
... 

Now squirrel_logger is part of the Installed Plugins.
Save data "S" and Quit "Q".

3. Fail2ban Configuration

Configure fail2ban to use the SquirrelMail Log:

cd /etc/fail2ban

Open and add the following lines to the jail.local file. If you don't have this file, use the default jail.conf.

vi jail.local

[squirrelmail]

enabled = true
port = http,https
filter = squirrelmail
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 4 

Please ensure that bantime (in seconds) and maxretry are set to your requirements.

In the filter.d directory, create a squirrelmail.conf file with the following contents:

cd filter.d
vi squirrelmail.conf

# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex = 

IMPORTANT: if you are using another language than English, please change the line "failregex" with the text that squirrelmail.log shows you in point 5.

Example: with the Spanish language, I get this in the log file.

Aug 20 15:26:06 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Usuario o contraseña incorrecto. 

So, I make this change:

failregex = \[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto

...and restart fail2ban.

/etc/init.d/fail2ban restart

5. Testing the installation

cd /var/log
tail -f squirrelmail.log

Log in "3" times to the SquirrelMail Web interface using "incorrect passwords".
This procedure shows you the failed login attempts in terminal windows:

Aug 19 13:57:20 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:34 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:46 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.

Close the squirrelmail.log file:

Ctrl-c

Verify that fail2ban-regex can trap these errors:

fail2ban-regex /var/log/squirrelmail.log /etc/fail2ban/filter.d/squirrelmail.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/log/squirrelmail.log


Results
=======

Failregex
|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
   [1] 3 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    200.113.105.235 (Wed Aug 19 13:57:20 2009)
    200.113.105.235 (Wed Aug 19 13:57:34 2009)
    200.113.105.235 (Wed Aug 19 13:57:46 2009)

Date template hits:
3 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 3

However, look at the above section 'Running tests' which could contain important
information.

If you see this line, everything is ok: Success, the total number of match is 3

6. Let's test our Fail2ban

Log in "4" times (or more, depending of your maxretry setup) to the SquirrelMail Web interface using "incorrect passwords".

When you get blocked, that means that you can't see the login page, please execute:

iptables -L

Now you can see your blocked IP xxx-xxx-xxx-xxx in the iptables output.

Chain fail2ban-squirrelmail (1 references)
target     prot opt source               destination
DROP       all  --  xxx-xxx-xxx-xxx.your.isp.info  anywhere
RETURN     all  --  anywhere             anywhere 

Good luck ;)