Configuring fail2ban with SquirrelMail on Debian Lenny 5.0 / ISPConfig 3
In this article I will show how to use the Squirrel Logger plugin together with Fail2ban to prevent brute-force attacks against your SquirrelMail web login.
Requirements
Make sure fail2ban and SquirrelMail are installed on your Debian Lenny / ISPConfig 3 machine.
To install ISPConfig 3 + SquirrelMail, refer to this guide.
To install fail2ban, refer to this guide.
Squirrel Logger
Download and install Squirrel Logger:
cd /usr/share/squirrelmail/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
cd squirrel_logger
cp config_example.php config.php
Configure Squirrel Logger:
vi config.php
If your server does not use GMT local time, change $sl_use_GMT = 1 to $sl_use_GMT = 0:
...
// Log dates in GMT? If you do not do this, dates will
// be logged in whatever timezone each user is in (or
// has set in their personal preferences)
//
// 1 = yes
// 0 = no
//
$sl_use_GMT = 0;
...
Change the location of the log file from $sl_logfile = $data_dir . 'squirrelmail_access_log'; to $sl_logfile = '/var/log/squirrelmail.log'; as follows:
...
// The location of your log file when logging to file.
// Make sure the user your webserver runs as can write
// to this file. Use the $data_dir variable if you
// want to place the log file in the SquirrelMail data
// directory.
//
// Only applicable when $sl_logs includes "file".
//
// $sl_logfile = $data_dir . 'squirrelmail_access_log';
$sl_logfile = '/var/log/squirrelmail.log';
...
Change the date format so that it matches the fail2ban regular expression, from $sl_dateformat = 'm/d/Y H:i:s'; to $sl_dateformat = 'M j H:i:s'; as follows:
...
// Specify what date format you want
//
// See the PHP manual for the date function for help
// at http://www.php.net/manual/function.date.php
//
// examples:
//
// 'm/d/y H:i:s' == 03/10/2001 05:16:08
// 'F j, Y, g:i a' == March 10, 2001, 5:16 am
// 'D M j Y H:i:s T' == Sat Mar 10 2001 15:16:08 CDT
//
// $sl_dateformat = 'm/d/Y H:i:s';
$sl_dateformat = 'M j H:i:s';
...
Create a new squirrelmail.log file in /var/log/:
touch /var/log/squirrelmail.log
chown www-data:www-data /var/log/squirrelmail.log
chmod 640 /var/log/squirrelmail.log
Clean up the installation:
cd ..
rm squirrel_logger-2.3-1.2.7.tar.gz
Configure SquirrelMail to use the Squirrel Logger plugin:
squirrelmail-configure
...
7. Message of the Day (MOTD)
8. Plugins
9. Database
...
Select "Plugins", in my case number 8.
...
18. spamcop
19. squirrel_logger
20. squirrelspell
21. test
...
Select squirrel_logger, in my case number 19.
...
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger
...
Now squirrel_logger is one of the installed plugins. Save data with "S" and quit with "Q".
3. Fail2ban configuration
Configure fail2ban to use the SquirrelMail log:
cd /etc/fail2ban
Open the jail.local file and add the following lines. If you do not have this file, use the default jail.conf instead.
vi jail.local
[squirrelmail]
enabled = true
port = http,https
filter = squirrelmail
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 4
Be sure to set bantime (in seconds) and maxretry according to your requirements.
In the filter.d directory, create a squirrelmail.conf file with the following content:
cd filter.d
vi squirrelmail.conf
# Fail2Ban configuration file
#
# Author: Bill Landry ((email_protected))
#
# $Revision: 510 $
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
IMPORTANT: if you use a language other than English, change the "failregex" line to use the text that squirrelmail.log shows in point 5.
Example: using Spanish, this is what I get in the log file:
Aug 20 15:26:06 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Usuario o contraseña incorrecto.
So I make this change:
failregex = \[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto
...and restart fail2ban.
/etc/init.d/fail2ban restart
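As an added illustration of what the jail and filter above do (this is example code written for this page, not part of the article or of fail2ban itself), the following Python script expands the <HOST> tag the way the filter comment describes, applies both the English failregex and the Spanish variant to constructed log lines in Squirrel Logger's 'M j H:i:s' format, counts matches per host the way fail2ban-regex does, and models the maxretry/bantime behaviour of the jail in simplified form. The sample log lines, the LOG_YEAR value, the [LOGIN] non-error line and the 600-second findtime default are assumptions made for the example; findtime is a real jail option but is not set in the jail.local above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag in a failregex to this alias (quoted in the
# filter comments above); the named group "host" is what gets banned.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The English failregex from squirrelmail.conf and the Spanish variant from
# the article, written exactly as they appear in the filter file.
FAILREGEX = [
    r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect",
    r"\[LOGIN_ERROR\].*from <HOST>: Usuario o contraseña incorrecto",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]

# Squirrel Logger's 'M j H:i:s' format ("Aug 19 13:57:20") carries no year,
# so one is assumed when parsing; LOG_YEAR = 2009 is an assumption here.
LOG_YEAR = 2009
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")


def parse_line(line):
    """Return (timestamp, host) for a line matching a failregex, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(m["rest"])
        if hit:
            return ts, hit.group("host")
    return None


def count_failures(lines):
    """What fail2ban-regex reports: number of failregex matches per host."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def simulate_jail(lines, maxretry=4, findtime=600, bantime=300):
    """Simplified jail model: ban a host once it reaches maxretry failures
    within findtime seconds, then ignore its lines until bantime expires.
    Returns a list of (host, ban_timestamp)."""
    recent = defaultdict(deque)   # per-host sliding window of failure times
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host = parsed
        if host in banned_until and ts < banned_until[host]:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


# Constructed sample log in Squirrel Logger's format: the three English
# failures shown in the article plus a fourth one, a constructed non-error
# line, and two Spanish failures from a second host (one in IPv4-mapped
# IPv6 form, which the <HOST> alias normalises).
SAMPLE_LOG = [
    "Aug 19 13:57:20 [LOGIN_ERROR] user@domain.com (server.domain.com) from 200.113.105.235: Unknown user or password incorrect.",
    "Aug 19 13:57:34 [LOGIN_ERROR] user@domain.com (server.domain.com) from 200.113.105.235: Unknown user or password incorrect.",
    "Aug 19 13:57:40 [LOGIN] user@domain.com (server.domain.com) from 198.51.100.7",
    "Aug 19 13:57:46 [LOGIN_ERROR] user@domain.com (server.domain.com) from 200.113.105.235: Unknown user or password incorrect.",
    "Aug 19 13:58:01 [LOGIN_ERROR] user@domain.com (server.domain.com) from 200.113.105.235: Unknown user or password incorrect.",
    "Aug 20 15:26:06 [LOGIN_ERROR] user@domain.com (server.domain.com) from 198.51.100.7: Usuario o contraseña incorrecto.",
    "Aug 20 15:26:19 [LOGIN_ERROR] user@domain.com (server.domain.com) from ::ffff:198.51.100.7: Usuario o contraseña incorrecto.",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    for host, when in simulate_jail(SAMPLE_LOG):
        print(f"ban {host} at {when:%b %d %H:%M:%S}")
```

Running it shows the fourth failure from 200.113.105.235 triggering a ban at 13:58:01, while the two Spanish failures from the second host stay below maxretry; the ::ffff:198.51.100.7 line is counted against 198.51.100.7 because the alias consumes the prefix before the host group. Lowering maxretry to 2 bans both hosts, which is the trade-off the article's advice on bantime and maxretry refers to.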
5. Testing the installation
cd /var/log
tail -f squirrelmail.log
Log in to the SquirrelMail web interface 3 times with an incorrect password.
The terminal window shows the failed login attempts:
Aug 19 13:57:20 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:34 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Aug 19 13:57:46 [LOGIN_ERROR] user@domain.com (server.domain.com) from XXX.XXX.XX.XX: Unknown user or password incorrect.
Stop following the squirrelmail.log file:
Ctrl-c
Verify that fail2ban-regex catches these errors:
fail2ban-regex /var/log/squirrelmail.log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/log/squirrelmail.log
Results
=======
Failregex
|- Regular expressions:
| [1] \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect
|
`- Number of matches:
[1] 3 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
200.113.105.235 (Wed Aug 19 13:57:20 2009)
200.113.105.235 (Wed Aug 19 13:57:34 2009)
200.113.105.235 (Wed Aug 19 13:57:46 2009)
Date template hits:
3 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
Success, the total number of match is 3
However, look at the above section 'Running tests' which could contain important
information.
If you see this line, everything is OK: Success, the total number of match is 3
Let's test our Fail2ban
Log in to the SquirrelMail web interface 4 times (or more, depending on your maxretry setting) with an incorrect password.
Once you are blocked, that is, you can no longer reach the login page, run:
iptables -L
Now you can see your blocked IP xxx-xxx-xxx-xxx in the iptables output.
Chain fail2ban-squirrelmail (1 references)
target prot opt source destination
DROP all -- xxx-xxx-xxx-xxx.your.isp.info anywhere
RETURN all -- anywhere anywhere
Good luck ;)