4-squirrelmail

    # squirrelmail      [squirrelmail-iptables]      enabled  = true      filter   = squirrelmail      action   = iptables[name=SquirrelMail, port=http, protocol=tcp]       sendmail-whois[name=SquirrelMail,dest=root, sender=fail2ban@example.it]      # adjust logpath with Squirrelmail's squirrel_logger plugin log      logpath  = /var/log/squirrelmail.log      maxretry = 5

----------------------------

Using fail2ban for SquirrelMail attacks

For Debian Wheezy, you can use apt-get (or aptitude) to install the plugin:

apt-get install squirrelmail_logger

Now, edit its configuration file, /usr/share/squirrelmail/plugins/squirrel_logger/config.php, just to make sure the error logging is done.

It is pretty well self-documenting. Here are the things I'd make sure were uncommented.

$sl_log_events (line 41) LOGIN_ERROR  $sl_logs (line 126) LOGIN_ERROR  Make sure mail.log is a destination (I think that is a default)

Enable the plugin in Squirrelmail. Go to /etc/squirrelmail/ and execute the configuration program, conf.pl.

cd /etc/squirrelmail ./conf.pl

Choose option 8, Plugins

SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Main Menu -- 1.  Organization Preferences 2.  Server Settings 3.  Folder Defaults 4.  General Options 5.  Themes 6.  Address Books 7.  Message of the Day (MOTD) 8.  Plugins 9.  Database 10. Languages  D.  Set pre-defined settings for specific IMAP servers  C   Turn color on S   Save data Q   Quit Command >> 8

find squirrel_logger in the list of Available Plugins and enter its number to move it to Installed Plugins section.

SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Plugins   Installed Plugins    1. view_as_html    2. squirrel_logger    Available Plugins:     3. administrator     4. bug_report     5. calendar<  R   Return to Main Menu C   Turn color on S   Save data Q   Quit Command >> 

Be sure you save your changes with the 'S' command (it is not done by default), then quit with a 'Q'.

At this point, anytime someone fails a login attempt a line similar to the following will show up in mail.log.

Jul 25 22:55:10 myserver squirrelmail: Failed webmail login: by myUser (myserver.dailydata.net) at 24.238.204.15 on 07/26/2014 03:55:10: Unknown user or password incorrect.

So, we need a regular expression to match that, then create a conf file. Create the file/etc/fail2ban/filter.d/apache-squirrelmail.conf with the following contents:

# Fail2Ban configuration file for SquirrelMail # # Author: R. W. Rodolico #  [INCLUDES] before = common.conf

[Definition] failregex = Failed webmail login: by.*at <HOST>.*  ignoreregex =

Now, edit the jail file, /etc/fail2ban/jail.local and add the following

[apache-squirrelmail] enabled = true banaction = iptables-allports bantime = 300 port = all filter = apache-squirrelmail logpath = /var/log/mail.log maxretry = 6

This will block all access (web, mail, ssh) from the originating IP for 5 minutes (bantime=300) whenever 6 failed attempts are recorded in the default number of minutes (I think it is 5).

Note: I ended up putting in maxretry of 6 because Squirrelmail appearantly does multiple login attempts before it fails. So, using a lesser number can file  you out with only one attempt.

-########################################################

Select: Plugins

SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Plugins   Installed Plugins     1. delete_move_next     2. squirrelspell     3. newmail

  Available Plugins:     4. listcommands     5. fortune     6. filters     7. translate     8. abook_take     9. spamcop     10. squirrel_logger     11. mail_fetch     12. calendar     13. sent_subfolders     14. message_details     15. administrator     16. info     17. bug_report  R   Return to Main Menu C   Turn color on S   Save data Q   Quit  Command >> 

Select: squirrel_logger

SquirrelMail Configuration : Read: config.php (1.4.0) --------------------------------------------------------- Plugins   Installed Plugins     1. delete_move_next     2. squirrelspell     3. newmail     4. squirrel_logger

  Available Plugins:     5. listcommands     6. fortune     7. filters     8. translate     9. abook_take     10. spamcop     11. mail_fetch     12. calendar     13. sent_subfolders     14. message_details     15. administrator     16. info     17. bug_report  R   Return to Main Menu C   Turn color on S   Save data Q   Quit  Command >> 

Select: Save data, Quit

3. Fail2ban configuration

Change to the fail2ban configuration directory:

cd /etc/fail2ban

On the assumption that you are using http transport for SquirrelMail, use vi to add the following lines to the jail.conf file:

[squirrelmail-iptables] enabled  = true filter   = squirrelmail action   = iptables[name=SquirrelMail, port=http, protocol=tcp]            sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com] logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log maxretry = 4

Ensure that maxretry and email addresses for dest and sender are set to your requirements.

Change to fail2ban filter directory:

cd filter.d

In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:

# Fail2Ban configuration file # # Author: Bill Landry ((email_protected)) # # $Revision: 510 $  [Definition]  # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The #         host must be matched by a group named "host". The tag "" can #         be used for standard IP/hostname matching and is only an alias for #         (?:::f{4,6}:)?(?P\S+) # Values: TEXT  failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect  # Option:  ignoreregex # Notes.:  regex to ignore. If this regex matches, the line is ignored. # Values:  TEXT  ignoreregex =

Fail2ban needs to recognise the date format used in the squirrelmail_access_log file.

cd /usr/share/fail2ban/server

Use vi, to edit the datedetector.py file and add the following lines between the Apache format and Exim formatsections:

# SquirrelMail 09/13/2007 06:43:20 template = DateStrptime() template.setName("Month/Day/Year Hour:Minute:Second") template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}") template.setPattern("%m/%d/%Y %H:%M:%S") self.__templates.append(template)