You can configure fail2ban for Squirrelmail login attempts if you install the
squirrel_logger plugin into Squirrelmail.
Tune up the configuration files:
in my /etc/fail2ban/jail.conf
[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
sendmail-whois[name=SquirrelMail,dest=root,
sender=fail2...@example.it]
logpath = /var/log/squirrelmail.log
maxretry = 5
Also, the squirrelmail.conf:
# Fail2Ban configuration file
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
*Warning:* the failregex value must match the line written in squirrelmail.log
(it's in italian language for me :-) )
For more info search for "squirrelmail fail2ban" in your preferred search
engine.
I hope it help.
Domenico Fortunato.
Il 08/12/2011 17.20, Dave ha scritto:
Hi Pak Ogah
Added those to the wiki.
FYI: in there you have
" Tune fail2ban to write IPs to /etc/fail2ban/ip.deny "
How did you do that?
Thanks
On 12/7/2011 8:51 PM, Pak Ogah wrote:
On 12/08/11 0:21, Dave wrote:
in my /etc/fail2ban/jail.local
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
sendmailwhois[name=pop3,dest=y...@email.domain, sender=em...@adr]
logpath = /var/log/maillog
maxretry = 3
bantime = -1
Also, the vpomail.conf:
# Fail2Ban configuration file
# Author: Christoph Haas
# Modified by: Ole Johansen - CDS
# $Revision: 510 $
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Hop it help.
Dave,
Could you mind add this fail2ban rule on
http://wiki.qmailtoaster.com/index.php/Fail2Ban
if your rule is not listed there. so it can secure other qmt box as well
I am still confuse regarding fail2ban rule and config.
