HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


gscott187 31st July 2009 17:32

SquirrelMail/imap/pop3 fail2ban IP address
 
I'm running ISPConfig3 on Centos 5.3 as per the installation instructions at this site. When configuring fail2ban for trapping SquirrelMail failed logins, I notice the following in /var/log/maillog:

Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

Each failed login generates an entry but with IP address 127.0.0.1 (localhost) and hence fail2ban cannot really action the iptables ban because there's no public IP address in the maillog file.

Does anyone have any ideas how a real IP address might be captured to enable fail2ban to do its stuff? fail2ban works well on the system for ssh and ftp but they use a different logfile.
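Why the maillog entries quoted above cannot drive a ban, as an added example that is not part of the original post: it parses lines in that format, unwraps the IPv4-mapped address, and separates failures logged from the server itself from remote ones. The 203.0.113.x lines and the names `normalize`, `classify` and the `maxretry` threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the /var/log/maillog lines quoted above;
# the 203.0.113.x entries are invented (documentation range) for contrast.
SAMPLE_LOG = """\
Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:25:01 server_name imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]
Jul 31 15:25:09 server_name imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]
Jul 31 15:25:17 server_name imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]
Jul 31 15:26:00 server_name imapd: LOGIN, user=alice, ip=[::ffff:203.0.113.9]
"""

# Anchored at end of line so only the trailing ip=[...] field is read.
FAILED = re.compile(
    r"imapd: LOGIN FAILED, user=(?P<user>.*), ip=\[(?P<ip>[0-9A-Fa-f:.]+)\]\s*$")

def normalize(raw):
    """Parse an address and unwrap the IPv4-mapped form ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(raw)
    # Only IPv6 addresses carry ipv4_mapped; it is None when not mapped.
    return getattr(addr, "ipv4_mapped", None) or addr

def classify(log_text, maxretry=3):
    """Return (bannable, local): remote IPs with >= maxretry failures, and
    the number of failures logged from loopback, which give nothing to ban."""
    remote, local = Counter(), 0
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines
        try:
            addr = normalize(m.group("ip"))
        except ValueError:
            continue  # malformed address field
        if addr.is_loopback:
            local += 1  # connection came from the server itself
        else:
            remote[str(addr)] += 1
    return sorted(ip for ip, n in remote.items() if n >= maxretry), local

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```
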

falko 1st August 2009 10:26

Quote:

Originally Posted by gscott187 (Post 199802)
Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about. :)

gscott187 2nd August 2009 21:00

Quote:

Originally Posted by falko (Post 199864)
This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about. :)

Thanks for your reply.

I can confirm that imapd is still running. What I really wanted was to be able to ban (using fail2ban) repeated unsuccessful login attempts through SquirrelMail's Web interface. To be able to do this would involve knowing the real IP address. However, /var/log/maillog only contains IP address 127.0.0.1.

falko 3rd August 2009 09:51

Quote:

Originally Posted by gscott187 (Post 199973)
However, /var/log/maillog only contains IP address 127.0.0.1.

Yes, because ISPConfig connects from localhost (127.0.0.1).

gscott187 3rd August 2009 15:16

fail2ban and SquirrelMail step by step instructions
 
I've now successfully set up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration :)

Let me know if there's any interest?

falko 4th August 2009 13:31

A tutorial would be great! :)

gscott187 5th August 2009 14:39

SquirrelMail/fail2ban
 
Quote:

Originally Posted by falko (Post 200183)
A tutorial would be great! :)

There should be a tutorial in your email inbox awaiting your consideration.

rlischer 14th August 2009 01:49

Quote:

Originally Posted by gscott187 (Post 200094)
I've now successfully set up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration :)

Let me know if there's any interest?

I am interested in your how-to on fail2ban and CentOS. Thanks.

gscott187 14th August 2009 10:51

Location of SquirrelMail/Fail2ban tutorial
 
Here's the location of the published SquirrelMail/Fail2ban tutorial:

http://www.howtoforge.com/configurin....3-ispconfig-3


All times are GMT +2.