4-squirrelmail
# squirrelmail
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=root, sender=fail2ban@example.it]
# adjust logpath with Squirrelmail's squirrel_logger plugin log
logpath  = /var/log/squirrelmail.log
maxretry = 5
----------------------------
Using fail2ban for SquirrelMail attacks
For Debian Wheezy, you can use apt-get (or aptitude) to install the plugin:
apt-get install squirrelmail_logger
Now, edit its configuration file, /usr/share/squirrelmail/plugins/squirrel_logger/config.php, to make sure that login errors are actually logged.
It is pretty well self-documenting. Here are the things I'd make sure were uncommented.
$sl_log_events (line 41): LOGIN_ERROR
$sl_logs (line 126): LOGIN_ERROR
Make sure mail.log is a destination (I think that is a default).
Enable the plugin in Squirrelmail. Go to /etc/squirrelmail/ and execute the configuration program, conf.pl.
cd /etc/squirrelmail
./conf.pl
Choose option 8, Plugins
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> 8
Find squirrel_logger in the list of Available Plugins and enter its number to move it to the Installed Plugins section.
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. view_as_html
    2. squirrel_logger

  Available Plugins:
    3. administrator
    4. bug_report
    5. calendar

  R   Return to Main Menu
  C   Turn color on
  S   Save data
  Q   Quit

Command >>
Be sure you save your changes with the 'S' command (it is not done by default), then quit with a 'Q'.
At this point, any time someone fails a login attempt, a line similar to the following will show up in mail.log.
Jul 25 22:55:10 myserver squirrelmail: Failed webmail login: by myUser (myserver.dailydata.net) at 24.238.204.15 on 07/26/2014 03:55:10: Unknown user or password incorrect.
So, we need a regular expression to match that, then create a conf file. Create the file /etc/fail2ban/filter.d/apache-squirrelmail.conf with the following contents:
# Fail2Ban configuration file for SquirrelMail
#
# Author: R. W. Rodolico
#
[INCLUDES]
before = common.conf

[Definition]
failregex = Failed webmail login: by.*at <HOST>.*
ignoreregex =
Now, edit the jail file, /etc/fail2ban/jail.local, and add the following:
[apache-squirrelmail]
enabled   = true
banaction = iptables-allports
bantime   = 300
port      = all
filter    = apache-squirrelmail
logpath   = /var/log/mail.log
maxretry  = 6
This will block all access (web, mail, ssh) from the originating IP for 5 minutes (bantime = 300) whenever 6 failed attempts are recorded within fail2ban's default findtime window (I think it is 5 minutes).
Note: I ended up putting in a maxretry of 6 because Squirrelmail apparently does multiple login attempts before it fails. So, using a lesser number can lock you out with only one attempt.
########################################################
Select: Plugins
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail

  Available Plugins:
    4. listcommands
    5. fortune
    6. filters
    7. translate
    8. abook_take
    9. spamcop
    10. squirrel_logger
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

  R   Return to Main Menu
  C   Turn color on
  S   Save data
  Q   Quit

Command >>
Select: squirrel_logger
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. squirrel_logger

  Available Plugins:
    5. listcommands
    6. fortune
    7. filters
    8. translate
    9. abook_take
    10. spamcop
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

  R   Return to Main Menu
  C   Turn color on
  S   Save data
  Q   Quit

Command >>
Select: Save data, Quit
3. Fail2ban configuration
Change to the fail2ban configuration directory:
cd /etc/fail2ban
On the assumption that you are using http transport for SquirrelMail, use vi to add the following lines to the jail.conf file:
[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4
Ensure that maxretry and email addresses for dest and sender are set to your requirements.
Change to the fail2ban filter directory:
cd filter.d
In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:
# Fail2Ban configuration file
#
# Author: Bill Landry (email_protected)
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Fail2ban needs to recognise the date format used in the squirrelmail_access_log file.
cd /usr/share/fail2ban/server
Use vi to edit the datedetector.py file and add the following lines between the Apache format and Exim format sections (indented to match the neighbouring template definitions):
# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)
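As an added check that is not part of either tutorial above, the following Python script expands the <HOST> tag the way the filter header describes, runs both failregex values from this page over constructed sample lines, parses the timestamp with the date template given for datedetector.py, and applies a simplified maxretry/findtime window to show which address would be banned. The log lines, user names, host names and IP addresses in it are constructed, and the counting is a simplification of fail2ban's own logic.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this named group (the alias quoted in the filter header).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex values given on this page, with <HOST> expanded as fail2ban does.
FAILREGEX = {
    "apache-squirrelmail": re.compile(r"Failed webmail login: by.*at " + HOST + r".*"),
    "squirrelmail": re.compile(r"\[LOGIN_ERROR\].*from " + HOST
                               + r": Unknown user or password incorrect"),
}

# The date template added to datedetector.py: its regex and its strptime pattern.
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_FMT = "%m/%d/%Y %H:%M:%S"

def parse_failure(filter_name, line):
    """Return (timestamp, host) when the line matches the filter's failregex, else None."""
    m = FAILREGEX[filter_name].search(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(0), DATE_FMT), m.group("host")

def hosts_to_ban(filter_name, lines, maxretry, findtime=600):
    """Simplified fail2ban counting: ban a host once maxretry failures fall within findtime seconds."""
    recent, banned = {}, set()
    for line in lines:
        hit = parse_failure(filter_name, line)
        if hit is None:
            continue
        ts, host = hit
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample mail.log lines (not real log data) in the format shown above: six failures
# from 203.0.113.7 within a few seconds, then a single failure from 198.51.100.9.
MAIL_LOG = [
    "Jul 25 22:55:%02d myserver squirrelmail: Failed webmail login: by myUser (myserver.example) "
    "at 203.0.113.7 on 07/26/2014 03:55:%02d: Unknown user or password incorrect." % (s, s)
    for s in range(10, 16)
] + ["Jul 25 22:56:00 myserver squirrelmail: Failed webmail login: by bob (myserver.example) "
     "at 198.51.100.9 on 07/26/2014 03:56:00: Unknown user or password incorrect."]
```

Calling hosts_to_ban("apache-squirrelmail", MAIL_LOG, maxretry=6) returns only the address with six failures; lowering findtime so that the six lines no longer fit inside one window returns an empty set, which is the behaviour the maxretry note above is working around.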