Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3
Introduction
This tutorial shows how you can prevent unlimited login attempts and hence brute force attacks against your SquirrelMail Web login by using fail2ban.
1. Requirements
Ensure that both fail2ban and SquirrelMail are installed on a CentOS v5.3/ISPConfig 3 machine detailed here.
However, their installation is straight forward:
yum install fail2ban squirrelmail
You must be actively using iptables as your firewall. Fail2ban works by creating a temporary drop rule for the unauthorised source IP address.
2. SquirrelMail logging configuration
SquirrelMail (imapd) under CentOS v5.3/ISPConfig 3 by default logs to /var/log/maillog but only as IP address 127.0.0.1 (localhost). Since we are trying to ban a specific source address, fail2ban cannot use this file. Therefore, we install and use Squirrel Logger to capture the real source address of the login attempt.
Download and install Squirrel Logger:
cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger-2.3-1.2.7
cp config_example.php config.php
Whilst this plugin was the latest version of Squirrel Logger, if there has been a revision upgrade then download it directly from the SquirrelMail Plugins site here.
If your machine uses a local time that is not GMT, use vi to change: $sl_use_GMT = 1 to $sl_use_GMT = 0 in config.php:
Original config.php:
... // Log dates in GMT? If you do not do this, dates will // be logged in whatever timezone each user is in (or // has set in their personal preferences) // // 1 = yes // 0 = no // $sl_use_GMT = 1; ...
Modified config.php:
... // Log dates in GMT? If you do not do this, dates will // be logged in whatever timezone each user is in (or // has set in their personal preferences) // // 1 = yes // 0 = no // $sl_use_GMT = 0; ...
Delete the downloaded Squirrel Logger gzip file:
cd /usr/share/squirrelmail/plugins
rm squirrel_logger-2.3-1.2.7.tar.gz
Configure SquirrelMail to use the Squirrel Logger plugin:
/usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Main Menu -- 1. Organization Preferences 2. Server Settings 3. Folder Defaults 4. General Options 5. Themes 6. Address Books 7. Message of the Day (MOTD) 8. Plugins 9. Database 10. Languages D. Set pre-defined settings for specific IMAP servers C Turn color on S Save data Q Quit Command >>
Select: Plugins
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
Available Plugins:
4. listcommands
5. fortune
6. filters
7. translate
8. abook_take
9. spamcop
10. squirrel_logger
11. mail_fetch
12. calendar
13. sent_subfolders
14. message_details
15. administrator
16. info
17. bug_report
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >>
Select: squirrel_logger
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger
Available Plugins:
5. listcommands
6. fortune
7. filters
8. translate
9. abook_take
10. spamcop
11. mail_fetch
12. calendar
13. sent_subfolders
14. message_details
15. administrator
16. info
17. bug_report
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >>
Select: Save data, Quit
3. Fail2ban configuration
Change to the fail2ban configuration directory:
cd /etc/fail2ban
On the assumption that you are using http transport for SquirrelMail, use vi to add the following lines to the jail.conf file:
[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4
Ensure that maxretry and email addresses for dest and sender are set to your requirements.
Change to fail2ban filter directory:
cd filter.d
In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:
# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Fail2ban needs to recognise the date format used in the squirrelmail_access_log file.
cd /usr/share/fail2ban/server
Use vi, to edit the datedetector.py file and add the following lines between the Apache format and Exim format sections:
# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)