Comments on Configuring fail2ban With SquirrelMail On Debian Lenny 5.0/ISPConfig 3

In this article I will show how to prevent brute force attacks with Fail2ban against your SquirrelMail Web login using the Squirrel Logger plugin.

Comments

By: Don Hill

Really appreciate the tutorial. I had just redirected my email server to the new box and watched as someone tried to bruteforce squirrelmail within 5 minutes of getting it running *sigh*

Problem solved now.

By: Linuxnetzer

This is an awesome howto and it worked "out of the box". You are in for my "This-is-how-a-tutorial-should-be-AWARD". Cheers!

By: Exeter

In some cases squirrel_logger fails to log on 12.04 (like my case), leaving you without this protection. So why not just use fail2ban's native filters?

I've searched the web for a solution and didn't find any, so here is mine:

 - Disable squirrel_logger (squirrelmail-configure - plugins - remove squirrel_logger - save - quit)

 - Edit the squirrelmail section in /etc/fail2ban/jail.local and change the log path to:

 logpath = /var/log/syslog

 - Edit /etc/fail2ban/filter.d/squirrelmail.conf and change the default failregex to this:

 failregex =  squirrelmail: Failed .*at <HOST>
(this includes invalid users, blank logins, incorrect passwords etc.)
 
 - Restart the fail2ban service:

# service fail2ban restart


To check after some failed logins:

 # fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/squirrelmail.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/log/syslog

Results
=======

Failregex
|- Regular expressions:
|  [1] squirrelmail: Failed .*at <HOST>
|
`- Number of matches:
   [1] 39 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Success, the total number of match is 39
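
The failregex from the comment above can also be checked offline before restarting fail2ban. The following is an added example, not code from the commenter or from fail2ban: the `<HOST>` expansion is a simplified stand-in, the syslog lines are constructed (their message layout is an assumption), and `maxretry=3` is an assumed jail setting.

```python
import re
from collections import Counter

# failregex copied from the comment above.
FAILREGEX = r"squirrelmail: Failed .*at <HOST>"

# Assumption: simplified stand-in for what fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed syslog lines (documentation IP ranges); message layout is assumed.
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 mail squirrelmail: Failed webmail login: by alice (mail.example.org) at 203.0.113.7: Unknown user or password incorrect.
Mar  3 10:15:04 mail squirrelmail: Failed webmail login: by admin (mail.example.org) at 203.0.113.7: Unknown user or password incorrect.
Mar  3 10:15:09 mail squirrelmail: Failed webmail login: by root (mail.example.org) at 203.0.113.7: Unknown user or password incorrect.
Mar  3 10:16:40 mail squirrelmail: Successful webmail login: by bob (mail.example.org) at 192.0.2.10
Mar  3 10:17:02 mail sshd[2211]: Failed password for root from 198.51.100.9 port 4022 ssh2
Mar  3 10:18:30 mail squirrelmail: Failed webmail login: by carol (mail.example.org) at 198.51.100.23: Unknown user or password incorrect.
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def failures_by_host(log_text, failregex=FAILREGEX):
    """Count matching lines per captured host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_over_threshold(hits, maxretry):
    """Hosts whose match count reaches maxretry (findtime window not modelled)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = failures_by_host(SAMPLE_SYSLOG)
    for host, n in hits.most_common():
        print(f"{host}: {n} match(es)")
    print("would ban:", hosts_over_threshold(hits, maxretry=3))
```

The successful SquirrelMail login and the sshd line are not counted, because neither contains the literal `squirrelmail: Failed` that the pattern requires.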