Comments on Configuring fail2ban With SquirrelMail On Debian Lenny 5.0/ISPConfig 3
Configuring fail2ban With SquirrelMail On Debian Lenny 5.0/ISPConfig 3
In this article I will show how to prevent brute force attacks with Fail2ban against your SquirrelMail Web login using the Squirrel Logger plugin.
3 Comment(s)
Comments
Really appreciate the tutorial. I had just redirected my email server to the new box and watched as someone tried to bruteforce squirrelmail within 5 minutes of getting it running *sigh*
Problem solved now.
This is an awesome howto and it worked "out of the box". You are in for my "This-is-how-a-tutorial-should-be-AWARD". Cheers!
I've searched the web for a solution and didn't find any, so here is mine:
- Disable squirrel_logger (squirrelmail-configure - plugins - remove squirrel_logger - save - quit)
- Edit the squirrelmail section in /etc/fail2ban/jail.local and change the log path to:
logpath = /var/log/syslog
- Edit /etc/fail2ban/filter.d/squirrelmail.conf and change the default failregex to this:
failregex = squirrelmail: Failed .*at <HOST>
(this includes invalid users, blank logins, incorrect passwords etc.)
- Restart the fail2ban service:
# service fail2ban restart
To check after some failed logins:
# fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/log/syslog
Results
=======
Failregex
|- Regular expressions:
| [1] squirrelmail: Failed .*at <HOST>
|
`- Number of matches:
[1] 39 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
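
An offline check of the failregex from the last comment, as an added example that is not part of the original comments or of fail2ban itself. The sample syslog lines are constructed, the message layout after "Failed" is assumed, the <HOST> substitution is a simplified IPv4-only stand-in, and the maxretry value of 3 is an assumed jail setting; findtime is ignored.

```python
import re
from collections import Counter

# Failregex exactly as given in the comment above.
FAILREGEX = r"squirrelmail: Failed .*at <HOST>"

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag,
# which captures the offending address into a group named "host".
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed syslog lines (documentation address ranges only).
SAMPLE_LOG = """\
Mar  3 10:15:01 mail squirrelmail: Failed webmail login: by alice at 203.0.113.7 on Tue Mar  3 10:15:01 2009: Unknown user or password incorrect.
Mar  3 10:15:04 mail squirrelmail: Failed webmail login: by admin at 203.0.113.7 on Tue Mar  3 10:15:04 2009: Unknown user or password incorrect.
Mar  3 10:15:09 mail squirrelmail: Successful webmail login: by bob at 192.0.2.10 on Tue Mar  3 10:15:09 2009
Mar  3 10:15:12 mail sshd[1234]: Failed password for root from 192.0.2.55 port 4022 ssh2
Mar  3 10:15:20 mail squirrelmail: Failed webmail login: by carol at 198.51.100.23 on Tue Mar  3 10:15:20 2009: Unknown user or password incorrect.
Mar  3 10:15:31 mail squirrelmail: Failed webmail login: by root at 203.0.113.7 on Tue Mar  3 10:15:31 2009: Unknown user or password incorrect.
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the filter expression."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failures_by_host(log_text, failregex=FAILREGEX):
    """Count matching lines per captured host, like a filter dry run."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts whose failure count reaches maxretry (time window ignored)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failures_by_host(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(counts))
```

Only the SquirrelMail failure lines count; the successful login and the sshd failure in the same syslog file are ignored because the expression requires the literal "squirrelmail: Failed" prefix.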