SquirrelMail/imap/pop3 fail2ban IP address

Discussion in 'General' started by gscott187, Jul 31, 2009.

  1. gscott187

    gscott187 New Member

    I'm running ISPConfig3 on CentOS 5.3 as per the installation instructions at this site. When configuring fail2ban for trapping SquirrelMail failed logins, I notice the following in /var/log/maillog:

    Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
    Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
    Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
    Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

    Each failed login generates an entry, but with IP address 127.0.0.1 (localhost), and hence fail2ban cannot really action the iptables ban because there's no public IP address in the maillog file.

    Does anyone have any ideas how a real IP address might be captured to enable fail2ban to do its stuff? fail2ban works well on the system for ssh and ftp but they use a different logfile.
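
Added example, not part of the original post or of fail2ban: a Python check showing why the quoted lines give fail2ban nothing to ban. The `ip=` field holds the address of the IMAP client, so a login made by a process on the same host is logged as loopback. The sample log is constructed in the format quoted above; the function names and the threshold of 3 are assumptions.

```python
import ipaddress
import re

# Constructed sample in the maillog format quoted in the post
# (remote addresses are from documentation ranges).
SAMPLE_LOG = """\
Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:25:10 server_name imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]
Jul 31 15:25:12 server_name imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]
Jul 31 15:25:15 server_name imapd: LOGIN FAILED, user=carol, ip=[::ffff:203.0.113.7]
Jul 31 15:26:00 server_name imapd: LOGIN, user=dave, ip=[::ffff:198.51.100.4], protocol=IMAP
"""

FAILED = re.compile(
    r"imapd: LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)


def client_address(raw):
    """Parse the logged address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify_failures(log_text, threshold=3):
    """Count failed logins per client, keeping loopback separate from remote."""
    remote = {}
    loopback = 0
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue  # successful logins and unrelated lines
        try:
            addr = client_address(match.group("ip"))
        except ValueError:
            continue  # malformed address field
        if addr.is_loopback:
            loopback += 1  # local client: no remote address to block
        else:
            remote[str(addr)] = remote.get(str(addr), 0) + 1
    bannable = sorted(ip for ip, n in remote.items() if n >= threshold)
    return {"bannable": bannable, "remote": remote, "loopback_failures": loopback}
```
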
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about. :)
     
  3. gscott187

    gscott187 New Member

    Thanks for your reply.

    I can confirm that imapd is still running. What I really wanted was to be able to ban (using fail2ban) repeated unsuccessful login attempts through SquirrelMail's Web interface. To be able to do this would involve knowing the real IP address. However, /var/log/maillog only contains IP address 127.0.0.1.
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes, because ISPConfig connects from localhost (127.0.0.1).
     
  5. gscott187

    gscott187 New Member

    fail2ban and SquirrelMail step by step instructions

    I've now successfully set up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration :)

    Let me know if there's any interest?
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    A tutorial would be great! :)
     
  7. gscott187

    gscott187 New Member

    SquirrelMail/fail2ban

    There should be a tutorial in your email inbox awaiting your consideration.
     
  8. rlischer

    rlischer Member HowtoForge Supporter

    I am interested in your how-to on fail2ban and CentOS. Thanks
     
  9. gscott187

    gscott187 New Member
