Configuring fail2ban With SquirrelMail On Debian Lenny 5.0/ISPConfig 3
In this article I will show how to use Fail2ban together with the Squirrel Logger plugin to block brute-force attacks against your SquirrelMail web login.
1. Requirements
Ensure that fail2ban and SquirrelMail are installed on a Debian Lenny/ISPConfig 3 machine.
To install ISPConfig 3 + SquirrelMail, please follow this guide.
To install fail2ban, please follow this guide.
2. Squirrel Logger
Download and install Squirrel Logger:
cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger
cp config_example.php config.php
Configure Squirrel Logger:
vi config.php
If your server does not use GMT as its local time, change $sl_use_GMT = 1 to $sl_use_GMT = 0 :
...
// Log dates in GMT? If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
// 1 = yes
// 0 = no
//
$sl_use_GMT = 0;
...
Change the location of your log file from $sl_logfile = $data_dir . 'squirrelmail_access_log'; to $sl_logfile = '/var/log/squirrelmail.log'; :
...
// The location of your log file when logging to file.
// Make sure the user your webserver runs as can write
// to this file. Use the $data_dir variable if you
// want to place the log file in the SquirrelMail data
// directory.
//
// Only applicable when $sl_logs includes "file".
//
// $sl_logfile = $data_dir . 'squirrelmail_access_log';
$sl_logfile = '/var/log/squirrelmail.log';
...
Change the date format to match the fail2ban regex from $sl_dateformat = 'm/d/Y H:i:s'; to $sl_dateformat = 'M j H:i:s'; :
...
// Specify what date format you want
//
// See the PHP manual for the date function for help
// at http://www.php.net/manual/function.date.php
//
// examples:
//
// 'm/d/y H:i:s' == 03/10/2001 05:16:08
// 'F j, Y, g:i a' == March 10, 2001, 5:16 am
// 'D M j Y H:i:s T' == Sat Mar 10 2001 15:16:08 CDT
//
// $sl_dateformat = 'm/d/Y H:i:s';
$sl_dateformat = 'M j H:i:s';
...
Create a new squirrelmail.log file in /var/log/:
touch /var/log/squirrelmail.log
chown www-data:www-data /var/log/squirrelmail.log
chmod 640 /var/log/squirrelmail.log
Clean the installation:
cd ..
rm squirrel_logger-2.3-1.2.7.tar.gz
Configure SquirrelMail to use the Squirrel Logger plugin:
squirrelmail-configure
...
7. Message of the Day (MOTD)
8. Plugins
9. Database
...
Select "Plugins", in my case, number 8.
...
18. spamcop
19. squirrel_logger
20. squirrelspell
21. test
...
Select squirrel_logger, in my case, number 19.
...
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger
...
Now squirrel_logger is part of the Installed Plugins.
Save data "S" and Quit "Q".
3. Fail2ban Configuration
Configure fail2ban to use the SquirrelMail Log:
cd /etc/fail2ban
Open and add the following lines to the jail.local file. If you don't have this file, use the default jail.conf.
vi jail.local
[squirrelmail]
enabled = true
port = http,https
filter = squirrelmail
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 4
Please ensure that bantime (in seconds) and maxretry are set to your requirements.
In the filter.d directory, create a squirrelmail.conf file with the following contents:
cd filter.d
vi squirrelmail.conf
# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
IMPORTANT: if you use a language other than English, change the "failregex" line so that it matches the text that squirrelmail.log shows you in point 5.
Example: with Spanish, I get this in the log file:
Aug 20 15:26:06 [LOGIN_ERROR] [email protected] (server.domain.com) from XXX.XXX.XX.XX: Usuario o contraseña incorrecto.
So, I make this change:
failregex = \[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto
...and restart fail2ban.
/etc/init.d/fail2ban restart
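As an added illustration, not part of the article and not fail2ban's own code, the following Python script emulates what fail2ban does with this filter: it expands the <HOST> tag into the named group quoted in the filter comments, runs the English and the Spanish failregex over a few constructed log lines in the Squirrel Logger format ('M j H:i:s' dates), and applies the jail's maxretry counting and bantime. The sample lines, the 192.0.2.x addresses, the "[LOGIN]" non-error entry, the year and the findtime value are all assumptions; fail2ban-regex in section 5 remains the authoritative check.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands the <HOST> tag in failregex to this pattern (quoted in the
# filter comments above); the named group "host" is what gets banned.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from the article: English default, Spanish variant.
FAILREGEX_EN = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
FAILREGEX_ES = r"\[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto"

# Jail settings from jail.local; findtime is fail2ban's default (an
# assumption, the article does not set it).
MAXRETRY = 4
BANTIME = 300
FINDTIME = 600

# Constructed sample log in the 'M j H:i:s' format set via $sl_dateformat.
# Addresses come from the 192.0.2.0/24 documentation range; the "[LOGIN]"
# line is an invented non-error entry that must not match.
SAMPLE_LOG_EN = [
    "Aug 19 13:57:20 [LOGIN_ERROR] user@example.com (server.example.com) from 192.0.2.10: Unknown user or password incorrect.",
    "Aug 19 13:57:34 [LOGIN_ERROR] user@example.com (server.example.com) from 192.0.2.10: Unknown user or password incorrect.",
    "Aug 19 13:57:46 [LOGIN_ERROR] user@example.com (server.example.com) from 192.0.2.10: Unknown user or password incorrect.",
    "Aug 19 13:58:01 [LOGIN] user@example.com (server.example.com) from 192.0.2.10",
    "Aug 19 13:58:10 [LOGIN_ERROR] user@example.com (server.example.com) from 192.0.2.10: Unknown user or password incorrect.",
    "Aug 19 14:30:00 [LOGIN_ERROR] other@example.com (server.example.com) from ::ffff:192.0.2.20: Unknown user or password incorrect.",
    "Aug 19 14:30:05 [LOGIN_ERROR] other@example.com (server.example.com) from 192.0.2.20: Unknown user or password incorrect.",
]
SAMPLE_LOG_ES = [
    "Aug 20 15:26:06 [LOGIN_ERROR] user@example.com (server.example.com) from 192.0.2.40: Usuario o contraseña incorrecto.",
]


def compile_failregex(pattern):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def parse_timestamp(text, year=2009):
    """Parse the leading 'Mon D HH:MM:SS' stamp (fail2ban's
    'Month Day Hour:Minute:Second' template). The format carries no
    year, so one is assumed."""
    stamp = " ".join(text.split()[:3])
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def find_failures(lines, pattern):
    """Return (timestamp, host) for every line the failregex matches."""
    regex = compile_failregex(pattern)
    hits = []
    for line in lines:
        m = regex.search(line)
        if m:
            hits.append((parse_timestamp(line), m.group("host")))
    return hits


def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window count per host: a host is banned once it has
    maxretry failures within findtime seconds. Returns {host: ban_start}."""
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(failures):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host]
                        if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


def ban_active(banned, host, now, bantime=BANTIME):
    """True while a ban is younger than bantime seconds."""
    start = banned.get(host)
    return start is not None and (now - start).total_seconds() < bantime


if __name__ == "__main__":
    for label, log, pattern in (("English", SAMPLE_LOG_EN, FAILREGEX_EN),
                                ("Spanish", SAMPLE_LOG_ES, FAILREGEX_ES)):
        failures = find_failures(log, pattern)
        print(f"{label}: {len(failures)} match(es), ban: {hosts_to_ban(failures)}")
    # Mismatched language: the English regex finds nothing in the Spanish log.
    print("English regex on Spanish log:", len(find_failures(SAMPLE_LOG_ES, FAILREGEX_EN)))
```

Two points worth noticing in the output: the IPv4-mapped "::ffff:" prefix is stripped by the HOST_TAG group, so both forms of 192.0.2.20 count against the same host, and the English regex produces zero matches on the Spanish log, which is exactly why the failregex line has to be adapted to the language SquirrelMail writes into the log.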
5. Testing the installation
cd /var/log
tail -f squirrelmail.log
Try to log in 3 times to the SquirrelMail web interface with incorrect passwords.
The failed login attempts appear in the terminal window:
Aug 19 13:57:20 [LOGIN_ERROR] [email protected] (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:34 [LOGIN_ERROR] [email protected] (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:46 [LOGIN_ERROR] [email protected] (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Close the squirrelmail.log file:
Ctrl-c
Verify that fail2ban-regex can trap these errors:
fail2ban-regex /var/log/squirrelmail.log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/log/squirrelmail.log
Results
=======
Failregex
|- Regular expressions:
| [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
[1] 3 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
200.113.105.235 (Wed Aug 19 13:57:20 2009)
200.113.105.235 (Wed Aug 19 13:57:34 2009)
200.113.105.235 (Wed Aug 19 13:57:46 2009)
Date template hits:
3 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
Success, the total number of match is 3
However, look at the above section 'Running tests' which could contain important
information.
If you see this line, everything is ok: Success, the total number of match is 3
6. Let's test our Fail2ban
Try to log in 4 times (or more, depending on your maxretry setting) to the SquirrelMail web interface with incorrect passwords.
Once you are blocked, which you notice because the login page no longer loads, run:
iptables -L
Now you can see your blocked IP xxx-xxx-xxx-xxx in the iptables output.
Chain fail2ban-squirrelmail (1 references)
target prot opt source destination
DROP all -- xxx-xxx-xxx-xxx.your.isp.info anywhere
RETURN all -- anywhere anywhere
Good luck ;)