SquirrelMail/imap/pop3 fail2ban IP address

[gscott187]

I'm running ISPConfig3 on Centos 5.3 as per the installation instructions at this site. When configuring fail2ban for trapping SquirrelMail failed logins, I notice the following in /var/log/maillog:

Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

Each failed login generates an entry but with IP address 127.0.0.1 (localhost) and hence fail2ban cannot really action the iptables ban because there's no public IP address in the maillog file.

Does anyone have any ideas how a real IP address might be captured to enable fail2ban to do it's stuff? fail2ban works well on the system for ssh and ftp but they use a different logfile.

[falko]

Quote:

Originally Posted by gscott187

Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about.

[gscott187]

Quote:

Originally Posted by falko

This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about.

Thanks for your reply.

I can confirm that imapd is still running. What I really wanted was to be able to ban (using fail2ban) repeated unsuccessful login attempts through SquirrelMail's Web interface. To be able to do this would involve knowing the real IP address. However, /var/log/maillog only contains IP address 127.0.0.1.

[falko]

Quote:

Originally Posted by gscott187

However, /var/log/maillog only contains IP address 127.0.0.1.

Yes, because ISPConfig connects from localhost (127.0.0.1).

[gscott187]

I've now sucessfully set-up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration

Let me know if there's any interest?

[falko]

A tutorial would be great!

[gscott187]

Quote:

Originally Posted by falko

A tutorial would be great!

There should be a tutorial in your email inbox awaiting your consideration.

[rlischer]

Quote:

Originally Posted by gscott187

I've now sucessfully set-up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration

Let me know if there's any interest?

I am interested in your how-to on fail2ban and centos. Thanks

[gscott187]

Here's the location of the published SquirrelMail/Fail2ban tutorial:

http://www.howtoforge.com/configurin....3-ispconfig-3