Configuring fail2ban With SquirrelMail On CentOS 5.3/ISPConfig 3


Introduction

This tutorial shows how to use fail2ban to limit failed login attempts against the SquirrelMail web login, so that password brute-force attacks against it are cut off after a few tries instead of being allowed to run indefinitely.

 

1. Requirements

This tutorial assumes a CentOS v5.3/ISPConfig 3 machine set up as detailed here, with both fail2ban and SquirrelMail installed.

If they are not yet installed, their installation is straightforward:

yum install fail2ban squirrelmail

iptables must be your active firewall. fail2ban bans an offending source address by inserting a temporary DROP rule for it into iptables and removes that rule again when the ban time expires; without iptables the jail can detect failures but cannot block anything.

 

2. SquirrelMail logging configuration

On CentOS v5.3/ISPConfig 3 the IMAP server (imapd) logs SquirrelMail login failures to /var/log/maillog, but the source address in those entries is always 127.0.0.1 (localhost), because it is the SquirrelMail PHP process on the same machine that connects to imapd, not the user's browser. Since fail2ban must ban the real remote address, this file is useless for our purpose. We therefore install the Squirrel Logger plugin, which logs each login attempt together with the client address seen by the web server.

Download and install Squirrel Logger:

cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger-2.3-1.2.7
cp config_example.php config.php

Version 2.3-1.2.7 was the latest Squirrel Logger release at the time of writing; if a newer revision has been published since, download it directly from the SquirrelMail plugins site here.

fail2ban interprets log timestamps in the server's local time and only counts failures that fall within findtime of "now", so the plugin must write its timestamps using the same clock as the system. If your machine's local time is not GMT, use vi to change $sl_use_GMT = 1 to $sl_use_GMT = 0 in config.php:

Original config.php:

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 1;
...

Modified config.php:

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 0;
...

Delete the downloaded Squirrel Logger gzip file:

cd /usr/share/squirrelmail/plugins
rm squirrel_logger-2.3-1.2.7.tar.gz

Configure SquirrelMail to use the Squirrel Logger plugin:

/usr/share/squirrelmail/config/conf.pl

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>

Select: Plugins

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
  Available Plugins:
    4. listcommands
    5. fortune
    6. filters
    7. translate
    8. abook_take
    9. spamcop
    10. squirrel_logger
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >> 

Select: squirrel_logger

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
    1. delete_move_next
    2. squirrelspell
    3. newmail
    4. squirrel_logger
  Available Plugins:
    5. listcommands
    6. fortune
    7. filters
    8. translate
    9. abook_take
    10. spamcop
    11. mail_fetch
    12. calendar
    13. sent_subfolders
    14. message_details
    15. administrator
    16. info
    17. bug_report

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit

Command >> 

Select: Save data, Quit

3. Fail2ban configuration

Change to the fail2ban configuration directory:

cd /etc/fail2ban

Assuming SquirrelMail is served over plain HTTP (port 80), use vi to add the following jail to the jail.conf file:

[squirrelmail-iptables]
enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath  = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4

Set maxretry and the dest and sender email addresses to your requirements. Two points to check: logpath must match the log file location configured in the plugin's config.php, and port=http only blocks port 80. If SquirrelMail is also (or only) reachable over HTTPS, a banned address could simply keep trying on port 443; in that case use the iptables-multiport action with port="http,https" instead of the single-port iptables action.

Change to fail2ban filter directory:

cd filter.d

In the filter.d directory, use vi to create a squirrelmail.conf file with the following contents:

# Fail2Ban configuration file
#
# Author: Bill Landry
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =

fail2ban only counts a matched line if it can also parse a timestamp from it, and the fail2ban 0.8 release shipped for CentOS 5 has no built-in template for the Month/Day/Year Hour:Minute:Second format that Squirrel Logger writes (for example 09/13/2007 06:43:20). Without the template below every LOGIN_ERROR line would be ignored, so the template has to be added to fail2ban's date detector.

cd /usr/share/fail2ban/server

Use vi to edit the datedetector.py file and add the following lines between the Apache format and Exim format template blocks, with exactly the same indentation as the neighbouring blocks (mixing tabs and spaces here causes an IndentationError and fail2ban will fail to start). Note that this edits a file owned by the fail2ban package, so a later yum update of fail2ban will overwrite it and the change must be re-applied; fail2ban 0.9 and later instead accept a datepattern option in the filter definition, which makes this source edit unnecessary there.

# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)
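As an added illustration, not part of this tutorial or of fail2ban's own code, the following Python script reproduces what fail2ban does with the squirrelmail.conf filter and the date template above: it expands the <HOST> tag to fail2ban's documented alias, parses the Month/Day/Year Hour:Minute:Second timestamp, counts failures per source address the way fail2ban-regex reports them, and applies the maxretry-within-findtime rule (findtime 600 seconds is fail2ban's default; the rolling window is simplified). The log lines, addresses and usernames are constructed sample data in Squirrel Logger's format, not a real capture.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (quoted in the filter header).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex exactly as written in /etc/fail2ban/filter.d/squirrelmail.conf
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"

# The date template added to datedetector.py: regex plus strptime pattern.
DATE_REGEX = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"

# Constructed sample of squirrel_logger output (not a real capture).
# 203.0.113.77 fails four times in 20 seconds; 198.51.100.5 fails twice,
# an hour apart, once with an IPv6-mapped address to exercise the alias.
SAMPLE_LOG = """\
08/03/2009 10:17:33 [LOGIN] me@mydomain.com (localhost) from 203.0.113.10:
08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from 203.0.113.77: Unknown user or password incorrect.
08/03/2009 10:37:41 [LOGIN_ERROR] admin (localhost) from 203.0.113.77: Unknown user or password incorrect.
08/03/2009 10:37:48 [LOGIN_ERROR] root (localhost) from 203.0.113.77: Unknown user or password incorrect.
08/03/2009 10:37:55 [LOGIN_ERROR] test (localhost) from 203.0.113.77: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from 198.51.100.5: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGOUT] me@mydomain.com (localhost) from 203.0.113.10:
08/03/2009 12:21:31 [LOGIN_ERROR] bob (localhost) from ::ffff:198.51.100.5: Unknown user or password incorrect.
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def parse_line(line, failre):
    """Return (timestamp, host) for a line that is a login failure, else None.

    Like fail2ban, a line that matches failregex but carries no timestamp
    the date detector understands is dropped rather than counted.
    """
    m = failre.search(line)
    if not m:
        return None
    d = DATE_REGEX.search(line)
    if not d:
        return None
    return datetime.strptime(d.group(0), DATE_PATTERN), m.group("host")


def count_failures(log_text, failregex=FAILREGEX):
    """Per-host failure totals, i.e. what fail2ban-regex lists under 'Addresses found'."""
    failre = compile_failregex(failregex)
    counts = {}
    for line in log_text.splitlines():
        hit = parse_line(line, failre)
        if hit is not None:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


def find_bans(log_text, failregex=FAILREGEX, maxretry=4, findtime=600):
    """Apply the jail rule: ban a host once it has maxretry failures within
    findtime seconds. Returns {host: time of the failure that triggered the ban}."""
    failre = compile_failregex(failregex)
    recent = {}   # host -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        hit = parse_line(line, failre)
        if hit is None:
            continue
        ts, host = hit
        if host in bans:
            continue  # already banned; fail2ban stops counting until unban
        window = recent.setdefault(host, [])
        window.append(ts)
        window[:] = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    for host, when in find_bans(SAMPLE_LOG).items():
        print("would ban %s at %s" % (host, when))
```

Running the script shows why the date template matters: if DATE_REGEX never matched, parse_line would return None for every line and no address would ever be banned even though the failregex matches, which is exactly the failure mode the fail2ban-regex "Date template hits" section lets you spot.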

4. Restarting fail2ban

A restart of the fail2ban daemon is required to load the changes made:

service fail2ban restart

 

5. Testing correct source address logging

cd /var/lib/squirrelmail/prefs
tail -f squirrelmail_access_log

Login to your SquirrelMail Web interface.


In the terminal window running tail, the successful login is logged with the real source address of your browser rather than 127.0.0.1:

08/03/2009 10:17:33 [LOGIN] me@mydomain.com (localhost) from XXX.XXX.XX.XX:
08/03/2009 10:18:13 [LOGOUT] me@mydomain.com (localhost) from XXX.XXX.XX.XX:

Exit your SquirrelMail session but leave the squirrelmail_access_log file open after seeing the correct source address.

 

6. Testing unauthorised logins

Log in a few times to the SquirrelMail Web interface using incorrect usernames and/or passwords. This will create error events in the squirrelmail_access_log file:

08/03/2009 10:37:35 [LOGIN_ERROR] u37458734 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:19 [LOGIN_ERROR] wetwetr (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.
08/03/2009 11:22:30 [LOGIN_ERROR] 7846587435836 (localhost) from XXX.XXX.XX.XX: Unknown user or password incorrect.

Close the squirrelmail_access_log file:

Ctrl-c

Verify that fail2ban can trap these errors:

fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail_access_log /etc/fail2ban/filter.d/squirrelmail.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/lib/squirrelmail/prefs/squirrelmail_access_log


Results
=======

Failregex
|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
   [1] 14 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    XXX.XXX.XX.XX (Mon Aug 03 10:37:35 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:19 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:30 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:42 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:22:53 2009)
    XXX.XXX.XX.XX (Mon Aug 03 11:23:13 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:31 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:41 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:21:54 2009)
    XXX.XXX.XX.XX (Mon Aug 03 12:22:07 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:36 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:56:51 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:03 2009)
    XXX.XXX.XX.XX (Mon Aug 03 13:57:16 2009)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
38 hit(s): Month/Day/Year Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 14

However, look at the above section 'Running tests' which could contain important
information.

The fail2ban-regex output confirms both halves of the configuration: the failregex matched the 14 LOGIN_ERROR lines, and the Month/Day/Year Hour:Minute:Second template added to datedetector.py is the one that matched the timestamps (38 hits, one per line in the log). If that template showed 0 hits, the datedetector.py edit has not taken effect and fail2ban will never ban anyone, because it cannot tell when the failures happened.

7. Verify iptables extra chain

When the jail starts, fail2ban's iptables action creates its own chain, fail2ban-SquirrelMail, and adds a rule to the INPUT chain that sends traffic for the configured port through it:

service iptables status

Near the top of the output, in the INPUT chain, you will see:

3    fail2ban-SquirrelMail  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

At the bottom of the output you will see the new chain. It holds only a RETURN rule until the first ban; each banned address is then inserted above it as a DROP rule and removed again when bantime expires. fail2ban-client status squirrelmail-iptables lists the addresses currently banned by the jail.

Chain fail2ban-SquirrelMail (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

If all of the above tests have been passed, you can deploy fail2ban for SquirrelMail.
