On 9/17/07, Bill Landry <bill@xxxxxxxxxxx> wrote:
> Paul Lesniewski wrote the following on 9/17/2007 9:09 PM -0800:
> > On 9/17/07, Edward Francis Klimowicz <edwardk@xxxxxxxxxxxx> wrote:
> >
> >> Bill Landry wrote:
> >>
> >>> If anyone is using the squirrel_logger plugin and also uses fail2ban and
> >>> would like to be able to monitor the failed login attempts listed in the
> >>> squirrelmail log, let me know and I will send you the entries needed for
> >>> jail.conf, squirrelmail.conf, and the date format addition that needs to
> >>> be made to datedetector.py.
> >>>
> >> Why don't you just send it to the list anyway, since then it'll be available
> >> in the list archive and hopefully indexed in a search engine long after you or
> >> your e-mail address is gone?
> >>
> >
> > Well-stated. It might also be something that can be included in the
> > next plugin release.
> >
> >
> >> I was just messing around with fail2ban this weekend, and would be interested
> >> in this.
> >>
> I've attached the fail2ban config settings for tracking failed login
> attempts when using the squirrel_logger plugin. Paul, feel free to add
> the info wherever you'd like. I use fail2ban to monitor failed login
> attempts to sshd, vsftpd, and now squirrelmail. I currently have
> fail2ban set to ban the source IP address in iptables for 1 hour after 5
> failed attempts (this is configurable), and it works very well.

Thank you, Bill. Just an FYI, the lockout plugin can ban users or IP
addresses permanently or for a period of time after a given number of
failed login attempts. However, I'd always recommend a server-side
solution like yours rather than doing it as a SquirrelMail plugin.

Cheers, Paul

> Let me know if you have any questions.
>
> Bill
>
> These are basic instructions for setting up fail2ban to monitor the
> logfile entries created by SquirrelMail's squirrel_logger plugin.
>
>
> Add the following to ~/fail2ban/jail.conf (set to http if not using
> https, or use "iptables-multiport[port="http,https"]" if using both,
> also be sure to set the correct log path and filename for your setup):
> ===============================================
> [squirrelmail-iptables]
>
> enabled  = true
> filter   = squirrelmail
> action   = iptables[name=SquirrelMail, port=https, protocol=tcp]
>            sendmail-whois[name=SquirrelMail, dest=someone@xxxxxxxxxxx, sender=root@xxxxxxxxxxx]
> logpath  = /var/lib/squirrelmail/prefs/squirrelmail.log
> maxretry = 5
> bantime  = 3600
> ===============================================
>
>
> Create a file called squirrelmail.conf and add the following (this
> file needs to be placed in the ~/fail2ban/filter.d subdirectory):
> ===============================================
> # Fail2Ban configuration file
> #
> # Author: Bill Landry (bill@xxxxxxxxxxx)
> #
> # $Revision: 510 $
>
> [Definition]
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile. The
> #         host must be matched by a group named "host". The tag "<HOST>" can
> #         be used for standard IP/hostname matching and is only an alias for
> #         (?:::f{4,6}:)?(?P<host>\S+)
> # Values: TEXT
>
> failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
>
> # Option: ignoreregex
> # Notes.: regex to ignore. If this regex matches, the line is ignored.
> # Values: TEXT
>
> ignoreregex =
> ===============================================
>
>
> In order for fail2ban to recognize the date format used in the squirrelmail.log
> file, add the following to the ~/fail2ban/server/datedetector.py file:
> ===============================================
> # SquirrelMail 09/13/2007 06:43:20
> template = DateStrptime()
> template.setName("Month/Day/Year Hour:Minute:Second")
> template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
> template.setPattern("%m/%d/%Y %H:%M:%S")
> self.__templates.append(template)
> ===============================================
>
> Do a search for "Apache" or "Exim" in the datedetector.py file to find the
> section of the file to add the above content.
>
> You can test the regex against your log file using "fail2ban-regex". For example:
>
> fail2ban-regex /var/lib/squirrelmail/prefs/squirrelmail.log "\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
>
> * Be sure to restart the fail2ban daemon after you have completed the configuration.

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
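The following Python script is an added example, not code from Bill's post or from fail2ban itself. It replays a handful of constructed squirrelmail.log lines through the same failregex (with the `<HOST>` tag expanded to the alias quoted in the filter comments) and the same date template from the datedetector.py addition, then counts failures per source host the way fail2ban's `maxretry`/`findtime` logic does. The sample log lines, the `findtime` of 600 seconds (fail2ban's default; the jail above does not set one) and the helper names `parse_failure` and `find_offenders` are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag in a failregex to this alias (it is quoted in
# the filter.d comments above), so expand it the same way here.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(
    r"\[LOGIN_ERROR\].*from " + HOST_ALIAS + r": Unknown user or password incorrect"
)

# The date template added to datedetector.py: a regex to locate the stamp and a
# strptime pattern to parse it.
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"

MAXRETRY = 5                        # maxretry from the jail above
FINDTIME = timedelta(seconds=600)   # assumption: fail2ban's default findtime

# Constructed sample log (not real squirrel_logger output). The lines only need
# the date stamp and the "[LOGIN_ERROR] ... from <ip>: Unknown user or password
# incorrect" wording that the two regexes above key on.
SAMPLE_LOG = """\
09/13/2007 06:43:20 [LOGIN_ERROR] Failed login for "alice" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:25 [LOGIN_ERROR] Failed login for "alice" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:31 [LOGIN_ERROR] Failed login for "admin" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:40 [LOGIN_ERROR] Failed login for "root" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:44:02 [LOGIN] Successful login for "bob" from 198.51.100.7
09/13/2007 06:44:10 [LOGIN_ERROR] Failed login for "test" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:44:15 [LOGIN_ERROR] Failed login for "guest" from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:50:00 [LOGIN_ERROR] Failed login for "bob" from ::ffff:198.51.100.7: Unknown user or password incorrect
09/13/2007 07:10:00 [LOGIN_ERROR] Failed login for "carol" from 203.0.113.5: Unknown user or password incorrect
09/13/2007 07:25:00 [LOGIN_ERROR] Failed login for "carol" from 203.0.113.5: Unknown user or password incorrect
09/13/2007 07:40:00 [LOGIN_ERROR] Failed login for "carol" from 203.0.113.5: Unknown user or password incorrect
09/13/2007 07:55:00 [LOGIN_ERROR] Failed login for "carol" from 203.0.113.5: Unknown user or password incorrect
09/13/2007 08:10:00 [LOGIN_ERROR] Failed login for "carol" from 203.0.113.5: Unknown user or password incorrect
"""


def parse_failure(line):
    """Return (timestamp, host) for a failed-login line, or None for anything else."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    d = DATE_RE.search(line)
    if d is None:
        # A matching line with no recognisable date is useless to fail2ban,
        # which is exactly why the datedetector.py template is needed.
        return None
    return datetime.strptime(d.group(0), DATE_PATTERN), m.group("host")


def find_offenders(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log and return {host: time_of_ban} for every host that reaches
    maxretry failures inside a findtime-long window, the way fail2ban counts."""
    recent = defaultdict(list)   # host -> failure timestamps still inside findtime
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        # Keep only failures no older than findtime relative to this one.
        recent[host] = [t for t in recent[host] if ts - t <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in sorted(find_offenders(SAMPLE_LOG).items()):
        print(f"ban {host} (failure number {MAXRETRY} at {when})")
```

Run against the constructed log, only 192.0.2.10 is banned: 198.51.100.7 fails once (its `::ffff:` IPv4-mapped prefix is swallowed by the alias, so it would be banned under its plain IPv4 form), and 203.0.113.5 fails five times but never twice inside the same 600-second window. The `fail2ban-regex` command in the post remains the check to run against the real log file; this script only makes visible why a given line does or does not count.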