Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3
Introduction
This tutorial shows how you can prevent unlimited login attempts, and hence brute-force attacks, against your SquirrelMail web login by using fail2ban.
1. Requirements
Ensure that both fail2ban and SquirrelMail are installed on a CentOS v5.3/ISPConfig 3 machine as detailed here.
If they are not, their installation is straightforward:
yum install fail2ban squirrelmail
You must be actively using iptables as your firewall: fail2ban works by inserting a temporary DROP rule for the offending source IP address.
2. SquirrelMail logging configuration
SquirrelMail logins under CentOS v5.3/ISPConfig 3 are logged by imapd to /var/log/maillog by default, but always with the source address 127.0.0.1 (localhost), because it is the webmail application on the same machine that connects to imapd, not the remote browser. Since we want to ban the real client address, fail2ban cannot use this file. Therefore, we install the Squirrel Logger plugin, which records the real source address of each login attempt.
Download and install Squirrel Logger:
cd /usr/share/squirrelmail/plugins
wget -O squirrel_logger-2.3-1.2.7.tar.gz "http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz"
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger-2.3-1.2.7
cp config_example.php config.php
At the time of writing this was the latest version of Squirrel Logger; if a newer release exists, download it directly from the SquirrelMail Plugins site here.
If your machine uses a local time that is not GMT, use vi to change $sl_use_GMT = 1 to $sl_use_GMT = 0 in config.php, so that the timestamps fail2ban reads match the system clock:
Original config.php:
...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
// 1 = yes
// 0 = no
//
$sl_use_GMT = 1;
...
Modified config.php:
...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
// 1 = yes
// 0 = no
//
$sl_use_GMT = 0;
...
Delete the downloaded Squirrel Logger gzip file:
cd /usr/share/squirrelmail/plugins
rm squirrel_logger-2.3-1.2.7.tar.gz
Configure SquirrelMail to use the Squirrel Logger plugin:
/usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
Select 8 (Plugins):
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail

  Available Plugins:
    4. listcommands
    5. fortune
    6. filters
    7. translate
    8. abook_take
    9. spamcop
    10. squirrel_logger
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >>
Select 10 (squirrel_logger):
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. squirrel_logger

  Available Plugins:
    5. listcommands
    6. fortune
    7. filters
    8. translate
    9. abook_take
    10. spamcop
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >>
Select S (Save data), then Q (Quit).
3. Fail2ban configuration
Change to the fail2ban configuration directory:
cd /etc/fail2ban
Assuming that SquirrelMail is served over plain HTTP, use vi to add the following jail to the jail.conf file (if your webmail is only reachable over HTTPS, use port=https instead so the DROP rule hits the right port):
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4
Ensure that maxretry and the email addresses for dest and sender are set to your requirements; the second action line must stay indented so that fail2ban reads it as a continuation of the action value.
Change to the fail2ban filter directory:
cd filter.d
In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:
# Fail2Ban configuration file
#
# Author: Bill Landry
#
# $Revision: 510 $

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Fail2ban also needs to recognise the date format used in the squirrelmail_access_log file (for example 09/13/2007 06:43:20), which its date detector does not know by default.
cd /usr/share/fail2ban/server
Use vi to edit the datedetector.py file and add the following lines between the Apache format and Exim format template sections, keeping the same indentation as the neighbouring template blocks:
        # SquirrelMail 09/13/2007 06:43:20
        template = DateStrptime()
        template.setName("Month/Day/Year Hour:Minute:Second")
        template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
        template.setPattern("%m/%d/%Y %H:%M:%S")
        self.__templates.append(template)
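To check the squirrelmail.conf failregex and the new date template against realistic log lines before relying on them, here is an added script (not part of this tutorial or of fail2ban) that applies the same regex and strptime pattern to a few constructed Squirrel Logger lines and replays fail2ban's maxretry/findtime counting. findtime=600 is fail2ban's default and is assumed here; the sample log lines are made up for the demonstration.

```python
import re
from datetime import datetime, timedelta
# fail2ban expands the <HOST> tag in failregex to this group (see the filter.d comment).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))
# Same regex / strptime pair as the datedetector.py template added for Squirrel Logger.
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_FMT = "%m/%d/%Y %H:%M:%S"

def parse_line(line):
    """Return (timestamp, host) for a failed login line, or None if it does not match."""
    m = FAIL_RE.search(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(0), DATE_FMT), m.group("host")

def hosts_to_ban(lines, maxretry=4, findtime=600):
    """Replay the log like fail2ban: ban a host at its maxretry-th failure within findtime seconds.
    findtime=600 is fail2ban's default (an assumption here); maxretry=4 matches the jail above."""
    window = timedelta(seconds=findtime)
    recent = {}    # host -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample lines in the Squirrel Logger format the filter expects (not from a real server).
SAMPLE_LOG = [
    "09/13/2007 06:43:20 [LOGIN_ERROR] alice from 203.0.113.7: Unknown user or password incorrect",
    "09/13/2007 06:43:25 [LOGIN_ERROR] alice from 203.0.113.7: Unknown user or password incorrect",
    "09/13/2007 06:43:31 [LOGIN] bob from 198.51.100.2",
    "09/13/2007 06:43:40 [LOGIN_ERROR] admin from 203.0.113.7: Unknown user or password incorrect",
    "09/13/2007 06:43:52 [LOGIN_ERROR] root from 203.0.113.7: Unknown user or password incorrect",
    "09/13/2007 06:44:10 [LOGIN_ERROR] bob from 198.51.100.2: Unknown user or password incorrect",
    "09/13/2007 07:10:00 [LOGIN_ERROR] bob from 198.51.100.2: Unknown user or password incorrect",
]
if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))    # ['203.0.113.7']
```

Once the script reports the bans you expect, restart fail2ban (service fail2ban restart on CentOS 5) so that the new jail, filter and date template are loaded.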