Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3 - Page 2
4. Restarting fail2ban
A restart of the fail2ban daemon is required to load the changes made:
service fail2ban restart
5. Testing correct source address logging
cd /var/lib/squirrelmail/prefs
tail -f squirrelmail_access_log
Login to your SquirrelMail Web interface.
In the operating system's terminal window, you will see the source address of the successful login appear in the open squirrelmail_access_log file:
08/03/2009 10:17:33 [LOGIN] [email protected] (localhost) from XXX.XXX.XX.XX:
08/03/2009 10:18:13 [LOGOUT] [email protected] (localhost) from XXX.XXX.XX.XX:
Exit your SquirrelMail session but leave the squirrelmail_access_log file open after seeing the correct source address.
6. Testing unauthorised logins
Log in a few times to the SquirrelMail Web interface using incorrect usernames and/or passwords. This will create error events in the squirrelmail_access_log file:
08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Stop the tail -f command that is following squirrelmail_access_log:
Ctrl-C
Verify that fail2ban can trap these errors:
fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/lib/squirrelmail/prefs/squirrelmail_access_log

Results
=======

Failregex
|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
   [1] 14 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    XXX.XXX.XX.XX (Mon Aug 03 10:37:35 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:19 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:30 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:42 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:53 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:23:13 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:31 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:41 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:54 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:22:07 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:36 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:51 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:03 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:16 2009)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
38 hit(s): Month/Day/Year Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 14

However, look at the above section 'Running tests' which could contain important
information.

The output of fail2ban-regex above verifies that the failregex matches every [LOGIN_ERROR] line (14 matches here), extracts the source address from each, and that the log's timestamp format is recognised (38 date template hits, one per line in the log, including the [LOGIN] and [LOGOUT] lines). The [LOGIN] and [LOGOUT] lines themselves do not match the failregex, so successful logins are not counted against the client.
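The following shell script is an added example, not part of the original tutorial or of fail2ban itself. It applies the same failregex pattern that fail2ban-regex reports above to a constructed squirrelmail_access_log (the usernames and RFC 5737 documentation addresses are made up), then counts failures per source address and lists the hosts that have reached a given maxretry, which is what the jail does before it bans. It ignores findtime, so it only shows the counting step, not the time window.

```shell
#!/bin/bash
# Added example: emulate the squirrelmail filter's failregex and the per-host
# failure counting fail2ban performs. Sample data below is constructed.

# Write a constructed squirrelmail_access_log to the given path.
# Two hosts: 198.51.100.7 fails three times, 203.0.113.10 fails once and
# then logs in successfully.
write_sample_log() {
    cat > "$1" <<'EOF'
08/03/2009 10:17:33 [LOGIN] alice (localhost) from 203.0.113.10:
08/03/2009 10:18:13 [LOGOUT] alice (localhost) from 203.0.113.10:
08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from 198.51.100.7: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from 198.51.100.7: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from 198.51.100.7: Unknown user or password incorrect.
08/03/2009 11:30:02 [LOGIN_ERROR] bob (localhost) from 203.0.113.10: Unknown user or password incorrect.
08/03/2009 11:31:45 [LOGIN] bob (localhost) from 203.0.113.10:
EOF
}

# The filter's failregex with fail2ban's <HOST> placeholder written out as an
# IPv4 pattern (fail2ban substitutes a host regex for <HOST> internally).
FAILREGEX='\[LOGIN_ERROR\].*from ([0-9]{1,3}(\.[0-9]{1,3}){3}): Unknown user or password incorrect'

# Print one source address per failregex match, in log order, the same list
# that fail2ban-regex prints under "Addresses found".
failed_hosts() {
    grep -E "$FAILREGEX" "$1" \
        | sed -E 's/.* from ([0-9.]+): Unknown user or password incorrect.*/\1/'
}

# Print "host count" for every host with at least one failure.
failures_per_host() {
    failed_hosts "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the hosts whose failure count has reached maxretry ($2): these are
# the hosts the jail would ban (findtime window not modelled here).
hosts_to_ban() {
    failures_per_host "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# Demo run: build the sample log, show counts and the ban candidates for maxretry=3.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Failures per host:"
failures_per_host "$demo_log"
echo "Hosts reaching maxretry=3:"
hosts_to_ban "$demo_log" 3
rm -f "$demo_log"
```

Run it with bash; the [LOGIN] and [LOGOUT] lines contribute nothing, 198.51.100.7 is listed as the only host at or above maxretry=3, and raising maxretry to 5 yields no ban candidate. The real jail additionally requires those failures to fall within findtime, and fail2ban-regex with the actual log file, as shown above, remains the authoritative check of the filter.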
7. Verify iptables extra chain
When the jail starts, fail2ban creates an extra iptables chain for SquirrelMail and hooks it into the INPUT chain:
service iptables status
Near the top of the output, in the INPUT chain, you will see the jump into the new chain, restricted to the port configured for the jail (here TCP port 80, so only plain HTTP traffic is filtered; if SquirrelMail is also served over HTTPS, the jail's port setting must include 443 as well):
3    fail2ban-SquirrelMail  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
At the bottom of the output you will see the chain itself. With no hosts banned yet it holds only the RETURN rule; fail2ban inserts a DROP rule for each banned address above it:
Chain fail2ban-SquirrelMail (1 references)
num  target  prot opt source     destination
1    RETURN  all  --  0.0.0.0/0  0.0.0.0/0
If all of the above tests have been passed, you can deploy fail2ban for SquirrelMail.