On Wed, December 24, 2014 12:36, Paul Lesniewski wrote:
>> Since yesterday we are getting a lot of requests to the file:
>> src/redirect.php
>>
>> The attack is targeting the HS, so we are getting traffic from Tor,
>> which is impossible to discriminate and filter (all requests look like
>> they are coming from 127.0.0.1).
>>
>> That said, do you have any suggestions?
>> What is the file redirect.php responsible for?
>
> This is most likely a brute force password guessing attack. If you
> simply inspect the login page code, you'd see that the form submit
> goes to that URI. Most providers use either webmail plugins (of
> course vanilla RoundCube is just as susceptible) or MTA features to
> mitigate such attacks. squirrelmail.org offers several such plugins.
>

Or, you can install fail2ban and add the following to the indicated files:

# /etc/fail2ban/jail.local
# added HLL 2014-09-09
[squirrelmail]
enabled = true
port = http,https
filter = squirrelmail
action = iptables-multiport[name=SquirrelMail, port="http,https", protocol=tcp]
         sendmail-whois[name=SquirrelMail, dest=notify-email@xxxxxxxxxx, sendername=Fail2Ban, sender=support@xxxxxxxxxxxxx]
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 5

# /etc/fail2ban/filter.d/squirrelmail.conf
# SquirrelMail Fail2Ban configuration file

[INCLUDES]
before = common.conf

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

The action specified in the jail.local configuration (iptables-multiport) should already be defined in /etc/fail2ban/action.d.
Note this example is from a CentOS-6 (RHEL6) setup using Fail2Ban from the epel repository. Different distributions may place these files in different locations.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
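The following is an added worked example, not code from the thread or from the fail2ban project: it reproduces what the jail above does when run over a SquirrelMail log, so the behaviour of the failregex, maxretry and bantime settings can be checked offline before deploying them. The log lines are constructed to match the shape the failregex expects (the real SquirrelMail message wording may differ), the year and the 600-second findtime are assumptions (the jail above does not set findtime, so fail2ban's default applies), and the `<HOST>` tag is replaced by the group the filter comment says it expands to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this group; the failregex below is the
# one from filter.d/squirrelmail.conf above with that expansion applied.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(
    r"\[LOGIN_ERROR\].*from " + HOST_TAG + r": Unknown user or password incorrect"
)

MAXRETRY = 5     # from the jail.local above
BANTIME = 300    # from the jail.local above (seconds)
FINDTIME = 600   # assumption: fail2ban's default; the jail above does not set it
LOG_YEAR = 2014  # assumption: syslog-style timestamps carry no year


def parse_failure(line):
    """Return (timestamp, host) if the line is a login failure, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    # first 15 characters are the syslog-style "Mon DD HH:MM:SS" prefix
    ts = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Emulate the jail: a host is banned once it accumulates maxretry
    failures inside any findtime-second window. Returns a list of
    (host, ban_start, ban_end) tuples in the order the bans would fire."""
    recent = defaultdict(deque)   # host -> failure timestamps still in window
    banned = set()
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        q = recent[host]
        q.append(ts)
        # drop failures older than the window; q always holds ts itself
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
    return bans


def _failure(stamp, user, host):
    # Constructed log line in the shape the failregex expects.
    return (f"Dec 24 {stamp} webmail squirrelmail: [LOGIN_ERROR] Failed login "
            f"attempt for user {user} from {host}: Unknown user or password incorrect")


# Constructed sample: one host hammering the login, one user with two typos.
SAMPLE_LOG = [
    _failure("12:00:01", "alice", "203.0.113.7"),
    _failure("12:00:03", "alice", "203.0.113.7"),
    _failure("12:00:04", "bob", "198.51.100.2"),
    _failure("12:00:05", "admin", "203.0.113.7"),
    "Dec 24 12:00:06 webmail squirrelmail: [LOGIN] bob logged in from 198.51.100.2",
    _failure("12:00:07", "root", "203.0.113.7"),
    _failure("12:00:09", "postmaster", "203.0.113.7"),
]

# Constructed sample: five failures five minutes apart never fit inside the
# 600-second window, so the jail does not fire.
SLOW_LOG = [_failure(f"12:{m:02d}:00", "alice", "203.0.113.7")
            for m in (0, 5, 10, 15, 20)]

# Constructed sample of the hidden-service case from the question: every
# request arrives from the local Tor daemon, so the only host is 127.0.0.1.
HS_LOG = [_failure(f"12:00:{s:02d}", "alice", "127.0.0.1") for s in range(1, 6)]

if __name__ == "__main__":
    for name, log in (("SAMPLE_LOG", SAMPLE_LOG), ("SLOW_LOG", SLOW_LOG),
                      ("HS_LOG", HS_LOG)):
        print(name, find_bans(log))
```

The HS_LOG case shows the limit of this approach for the situation in the original question: when every request reaches the web server from the local Tor daemon, the only value the `host` group ever captures is 127.0.0.1, so the iptables-multiport action would ban the loopback address and cut off every hidden-service visitor, legitimate or not. Per-host banning needs a real client address in the log to act on; without one, rate limiting has to be keyed on something else (the username, for instance) or done at the application layer.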