Configuring fail2ban with SquirrelMail on Debian Lenny 5.0 / ISPConfig 3

In this article I will show how to use the Squirrel Logger plugin together with Fail2ban to protect your SquirrelMail web login against brute-force attacks.

Requirements

Make sure fail2ban and SquirrelMail are installed on your Debian Lenny / ISPConfig 3 machine.
To install ISPConfig 3 + SquirrelMail, refer to this guide.
To install fail2ban, refer to this guide.

Squirrel Logger

Download and install Squirrel Logger:

cd /usr/share/squirrelmail/plugins
wget -O squirrel_logger-2.3-1.2.7.tar.gz 'http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz'
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger
cp config_example.php config.php

Configure Squirrel Logger:

vi config.php

If your server does not use GMT as its local time, change $sl_use_GMT = 1 to $sl_use_GMT = 0:

...
// Log dates in GMT?  If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
//    1 = yes
//    0 = no
//
$sl_use_GMT = 0;
...

Change the location of the log file from $sl_logfile = $data_dir . 'squirrelmail_access_log'; to $sl_logfile = '/var/log/squirrelmail.log';

...
// The location of your log file when logging to file.
// Make sure the user your webserver runs as can write
// to this file.  Use the $data_dir variable if you
// want to place the log file in the SquirrelMail data
// directory.
//
// Only applicable when $sl_logs includes "file".
//
// $sl_logfile = $data_dir . 'squirrelmail_access_log';
$sl_logfile = '/var/log/squirrelmail.log';
...

Change the date format so that fail2ban can parse the timestamps, from $sl_dateformat = 'm/d/Y H:i:s'; to $sl_dateformat = 'M j H:i:s';

...
// Specify what date format you want
//
// See the PHP manual for the date function for help
// at http://www.php.net/manual/function.date.php
//
// examples:
//
//    'm/d/y H:i:s'     ==  03/10/2001 05:16:08
//    'F j, Y, g:i a'   ==  March 10, 2001, 5:16 am
//    'D M j Y H:i:s T' ==  Sat Mar 10 2001 15:16:08 CDT
//
// $sl_dateformat = 'm/d/Y H:i:s';
$sl_dateformat = 'M j H:i:s';
...

Create a new squirrelmail.log file in /var/log/:

touch /var/log/squirrelmail.log
chown www-data:www-data /var/log/squirrelmail.log
chmod 640 /var/log/squirrelmail.log

Clean up the installation:

cd ..
rm squirrel_logger-2.3-1.2.7.tar.gz

Configure SquirrelMail to use the Squirrel Logger plugin:

squirrelmail-configure
...
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
...

Select "Plugins", number 8 in my case.

...
18. spamcop
19. squirrel_logger
20. squirrelspell
21. test
...

Select squirrel_logger, number 19 in my case.

...
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger
...

Now squirrel_logger is part of the installed plugins.
Save the data with "S" and quit with "Q".

3. Fail2ban configuration

Configure fail2ban to use the SquirrelMail log:

cd /etc/fail2ban

Open the jail.local file and add the following lines. If you do not have this file, use the default jail.conf instead.

vi jail.local
[squirrelmail]

enabled = true
port = http,https
filter = squirrelmail
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 4

Make sure to set bantime (in seconds) and maxretry according to your requirements.

In the filter.d directory, create a squirrelmail.conf file with the following content:

cd filter.d
vi squirrelmail.conf
# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =

Important: if you use a language other than English, change the "failregex" to match the text that squirrelmail.log actually shows (see point 5).

Example: using Spanish, I get this in the log file:

Aug 20 15:26:06 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Usuario o contraseña incorrecto. 

So I make this change:

failregex = \[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto

...and restart fail2ban:

/etc/init.d/fail2ban restart
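To see what the filter above actually does before relying on fail2ban-regex, here is an added example (not part of the original article) that replays a constructed squirrelmail.log through both failregex variants, expanding <HOST> the way fail2ban does, and then applies the jail's maxretry threshold. The findtime of 600 seconds is fail2ban's default and an assumption here, since the jail above does not set it.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands <HOST> to this alias (quoted in the filter header above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex variants from the article: English and Spanish log text.
FAILREGEX = [
    r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect",
    r"\[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto",
]

# Constructed sample of /var/log/squirrelmail.log in the 'M j H:i:s' format
# configured above; the [LOGIN] line is a made-up non-failure line.
SAMPLE_LOG = """\
Aug 19 13:57:20 [LOGIN_ERROR] user@domain.com (server.domain.com) from 203.0.113.7: Unknown user or password incorrect.
Aug 19 13:57:34 [LOGIN_ERROR] user@domain.com (server.domain.com) from 203.0.113.7: Unknown user or password incorrect.
Aug 19 13:57:46 [LOGIN_ERROR] user@domain.com (server.domain.com) from 203.0.113.7: Unknown user or password incorrect.
Aug 19 13:58:01 [LOGIN] user@domain.com (server.domain.com) from 198.51.100.9 logged in.
Aug 19 13:58:10 [LOGIN_ERROR] user@domain.com (server.domain.com) from 203.0.113.7: Unknown user or password incorrect.
Aug 20 15:26:06 [LOGIN_ERROR] otro@domain.com (server.domain.com) from 198.51.100.9: Usuario o contraseña incorrecto.
"""

def compile_failregex(patterns):
    # Substitute the <HOST> tag exactly as the filter header describes.
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]

def parse_timestamp(line, year):
    # 'M j H:i:s' carries no year, so the caller supplies one (fail2ban assumes the current year).
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def failures_per_host(log_text, patterns, year=2009):
    # Map each host to the timestamps of its matched login failures.
    regexes = compile_failregex(patterns)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")].append(parse_timestamp(line, year))
                break
    return hits

def hosts_to_ban(hits, maxretry=4, findtime=600):
    # A host is banned once maxretry failures fall inside any findtime-second window.
    banned = set()
    for host, times in hits.items():
        times = sorted(times)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

Lowering findtime or raising maxretry in the call shows how the jail settings change which hosts get banned for the same log.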

5. Testing the installation

cd /var/log
tail -f squirrelmail.log

Log in to the SquirrelMail web interface 3 times with an incorrect password.
The failed login attempts appear in the terminal window:

Aug 19 13:57:20 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:34 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:46 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.

Stop following the squirrelmail.log file:

Ctrl-c

Verify that fail2ban-regex catches these errors:

fail2ban-regex /var/log/squirrelmail.log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file   : /var/log/squirrelmail.log


Results
=======

Failregex
|- Regular expressions:
|  [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
   [1] 3 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    200.113.105.235 (Wed Aug 19 13:57:20 2009)
    200.113.105.235 (Wed Aug 19 13:57:34 2009)
    200.113.105.235 (Wed Aug 19 13:57:46 2009)

Date template hits:
3 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 3

However, look at the above section 'Running tests' which could contain important
information.

If you see this line, everything is OK: Success, the total number of match is 3

Now let's test our Fail2ban jail.

Log in to the SquirrelMail web interface 4 times (or more, depending on your maxretry setting) with an incorrect password.

Once you are blocked, meaning you can no longer reach the login page, run:

iptables -L

Your blocked IP xxx-xxx-xxx-xxx now shows up in the iptables output:

Chain fail2ban-squirrelmail (1 references)
target     prot opt source               destination
DROP       all  --  xxx-xxx-xxx-xxx.your.isp.info  anywhere
RETURN     all  --  anywhere             anywhere

Good luck ;)
