Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3 - Page 2

4. Restarting fail2ban

A restart of the fail2ban daemon is required to load the changes made:

service fail2ban restart


5. Testing correct source address logging

cd /var/lib/squirrelmail/prefs
tail -f squirrelmail_access_log

Login to your SquirrelMail Web interface.

SquireelMail interface

In the operating system's terminal window, you will see the source address of the successful login appear in the open squirrelmail_access_log file:

08/03/2009 10:17:33 [LOGIN] [email protected] (localhost) from XXX.XXX.XX.XX:
08/03/2009 10:18:13 [LOGOUT] [email protected] (localhost) from XXX.XXX.XX.XX:

Exit your SquirrelMail session but leave the squirrelmail_access_log file open after seeing the correct source address.


6. Testing unauthorised logins

Log in a few times to the SquirrelMail Web interface using incorrect usernames and/or passwords. This will create error events in the squirrelmail_access_log file:

08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.

Close the squirrelmail_access_log file:


Verify that fail2ban can trap these errors:

fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/lib/squirrelmail/prefs/squirrelmail_access_log


|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from : Unknown user or password incorrect
`- Number of matches:
   [1] 14 match(es)

|- Regular expressions:
`- Number of matches:


Addresses found:
    XXX.XXX.XX.XX (Mon Aug 03 10:37:35 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:19 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:30 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:42 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:53 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:23:13 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:31 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:41 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:54 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:22:07 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:36 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:51 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:03 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:16 2009)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
38 hit(s): Month/Day/Year Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 14

However, look at the above section 'Running tests' which could contain important

The output of fail2ban-regex above verifies that fail2ban is trapping error conditions.


7. Verify iptables extra chain

Iptables will create an extra input chain for SquirrelMail:

service iptables status

Near the top of the output you will see:

3    fail2ban-SquirrelMail  tcp  --             tcp dpt:80 

At the botton of the output you will see:

Chain fail2ban-SquirrelMail (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  

If all of the above tests have been passed, you can deploy fail2ban for SquirrelMail.

Share this page:

0 Comment(s)