Re: SquirrelMail and fail2ban

Paul Lesniewski wrote the following on 9/17/2007 9:09 PM -0800:
> On 9/17/07, Edward Francis Klimowicz <edwardk@xxxxxxxxxxxx> wrote:
>   
>> Bill Landry wrote:
>>     
>>> If anyone is using the squirrel_logger plugin and also uses fail2ban and
>>> would like to be able to monitor the failed login attempts listed in the
>>> squirrelmail log, let me know and I will send you the entries needed for
>>> jail.conf, squirrelmail.conf, and the date format addition that needs to
>>> be made to datedetector.py.
>>>       
>> Why don't you just send it to the list anyway, since then it'll be available
>> in the list archive and hopefully indexed in a search engine long after you or
>> your e-mail address is gone?
>>     
>
> Well-stated.  It might also be something that can be included in the
> next plugin release.
>
>   
>> I was just messing around with fail2ban this weekend, and would be interested
>> in this.
>>     
I've attached the fail2ban config settings for tracking failed login
attempts when using the squirrel_logger plugin.  Paul, feel free to add
the info wherever you'd like.  I use fail2ban to monitor failed login
attempts to sshd, vsftpd, and now squirrelmail.  I currently have
fail2ban set to ban the source IP address in iptables for 1 hour after 5
failed attempts (this is configurable), and it works very well.

Let me know if you have any questions.

Bill

These are basic instructions for setting up fail2ban to monitor the
logfile entries created by SquirrelMail's squirrel_logger plugin.


Add the following to ~/fail2ban/jail.conf (set to http if not using
https, or use "iptables-multiport[port="http,https"]" if using both,
also be sure to set the correct log path and filename for your setup):
===============================================
[squirrelmail-iptables]

enabled  = true
filter   = squirrelmail
action   = iptables[name=SquirrelMail, port=https, protocol=tcp]
           sendmail-whois[name=SquirrelMail, dest=someone@xxxxxxxxxxx, sender=root@xxxxxxxxxxx]
logpath  = /var/lib/squirrelmail/prefs/squirrelmail.log
maxretry = 5
bantime  = 3600
===============================================


Create a file called squirrelmail.conf and add the following (this
file needs to be placed in the ~/fail2ban/filter.d subdirectory):
===============================================
# Fail2Ban configuration file
#
# Author: Bill Landry (bill@xxxxxxxxxxx)
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =
===============================================


In order for fail2ban to recognize the date format used in the squirrelmail.log
file, add the following to the ~/fail2ban/server/datedetector.py file:
===============================================
# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
# raw string so the \d escapes reach the regex engine unchanged
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)
===============================================

Do a search for "Apache" or "Exim" in the datedetector.py file to find the
section of the file to add the above content.

You can test the regex against your log file using "fail2ban-regex".  For example:

fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail.log "\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"

* Be sure to restart the fail2ban daemon after you have completed the configuration.
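The following is an added worked example, not part of Bill's post or of fail2ban itself. It replays the filter above in plain Python: it expands <HOST> into the alias quoted in the filter comments, applies the failregex and the date template to a constructed squirrelmail.log, and then applies the jail's maxretry/bantime rule over fail2ban's sliding findtime window (findtime is not set in the jail.conf fragment, so fail2ban's default of 600 seconds is assumed). The exact layout of a squirrel_logger line (timestamp, tag, username, then "from <address>: <reason>") is an assumption made to fit the two regexes; compare it with your own log before trusting the counts. Two checks a practitioner would want are built in: an IPv6-mapped address (::ffff:203.0.113.5) is reduced to its IPv4 form by the alias, and a username containing a decoy "from 10.0.0.1: Unknown user or password incorrect" does not fool the greedy `.*`, which still picks the trailing real address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter settings copied from the post; fail2ban substitutes this alias for
# <HOST> (as quoted in the filter comments) before compiling the failregex.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
DATE_REGEX = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"

# Jail settings from the post; findtime is not set there, so fail2ban's
# default of 600 seconds is assumed here.
MAXRETRY = 5
FINDTIME = 600
BANTIME = 3600

# Constructed sample log (not real squirrel_logger output). The line layout
# is an assumption chosen to satisfy the regexes above.
SAMPLE_LOG = """\
09/13/2007 06:40:01 [LOGIN] alice logged in from 198.51.100.7
09/13/2007 06:43:20 [LOGIN_ERROR] Login failed for user "bob" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:25 [LOGIN_ERROR] Login failed for user "bob" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:31 [LOGIN_ERROR] Login failed for user "root" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:40 [LOGIN_ERROR] Login failed for user "admin" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:52 [LOGIN_ERROR] Login failed for user "x from 10.0.0.1: Unknown user or password incorrect" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:44:00 [LOGIN_ERROR] Login failed for user "bob" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 07:00:00 [LOGIN_ERROR] Login failed for user "carol" from ::ffff:203.0.113.5: Unknown user or password incorrect
09/13/2007 07:00:10 [LOGIN_ERROR] Login failed for user "carol" from ::ffff:203.0.113.5: Unknown user or password incorrect
09/13/2007 07:00:20 [LOGIN_ERROR] Login failed for user "carol" from ::ffff:203.0.113.5: Unknown user or password incorrect
09/13/2007 07:00:30 [LOGIN_ERROR] Login failed for user "carol" from ::ffff:203.0.113.5: Unknown user or password incorrect
09/13/2007 07:00:40 [LOGIN_ERROR] Login failed for user "carol" from ::ffff:203.0.113.5: Unknown user or password incorrect
09/13/2007 08:00:00 [LOGIN_ERROR] Login failed for user "dave" from 198.51.100.7: Unknown user or password incorrect
09/13/2007 08:30:00 [LOGIN_ERROR] Login failed for user "dave" from 198.51.100.7: Unknown user or password incorrect
09/13/2007 09:00:00 [LOGIN_ERROR] Login failed for user "dave" from 198.51.100.7: Unknown user or password incorrect
09/13/2007 09:30:00 [LOGIN_ERROR] Login failed for user "dave" from 198.51.100.7: Unknown user or password incorrect
09/13/2007 10:00:00 [LOGIN_ERROR] Login failed for user "dave" from 198.51.100.7: Unknown user or password incorrect
"""

FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))
DATE_RE = re.compile(DATE_REGEX)


def parse_failure(line):
    """Return (timestamp, host) for a login-failure line, or None otherwise.
    The host comes out of the alias's named group, so a ::ffff: prefix is
    already stripped, as fail2ban would do."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    d = DATE_RE.search(line)
    if d is None:      # failregex matched but no date template did:
        return None    # fail2ban would warn and skip such a line
    return datetime.strptime(d.group(0), DATE_PATTERN), m.group("host")


def match_counts(lines):
    """Failures per host, the number fail2ban-regex reports as matches."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return dict(counts)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log with fail2ban's rule: a host is banned once maxretry
    failures fall inside a sliding findtime window, and further failures
    from a banned host are ignored until the ban expires (not modelled here,
    the sample spans less than an hour per host). Returns a dict of
    host -> (ban start, ban end) formatted like the log's timestamps."""
    recent = defaultdict(list)
    bans = {}
    window = timedelta(seconds=findtime)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            bans[host] = (ts.strftime(DATE_PATTERN), end.strftime(DATE_PATTERN))
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("matches per host:", match_counts(lines))
    for host, (start, end) in find_bans(lines).items():
        print(f"ban {host} from {start} until {end}")
```

Running it bans 192.0.2.10 (five failures inside a minute) and 203.0.113.5 (five failures, logged with the ::ffff: prefix) but not 198.51.100.7, whose five failures are spread half an hour apart and never land in one 600-second window; raising findtime to 7200 seconds bans it too, which is the knob to turn if slow brute-forcing is the concern. The match counts correspond to what fail2ban-regex prints against the real log, so a mismatch between the two is the first sign that the assumed line layout differs from yours.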
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users