Using fail2ban for SquirrelMail attacks


Using web based mail for your clients is good, but it is also a vector for crackers to attempt to invade your system. They can attempt logins (brute force or otherwise) through the web interface, and your mail server simply thinks the attack is coming from localhost (127.0.0.1).

Squirrelmail has a nice plugin called SquirrelMail Logger which allows you to log events. It is a very, very cool plugin and lets you customize things as you like. However, the default will send failed login attempts to mail.log, so we'll just go with that.

For Debian Wheezy, you can use apt-get (or aptitude) to install the plugin:

apt-get install squirrelmail_logger

Now, edit its configuration file, /usr/share/squirrelmail/plugins/squirrel_logger/config.php, just to make sure the error logging is done.

It is pretty well self-documenting. Here are the things I'd make sure were uncommented.

$sl_log_events (line 41)
LOGIN_ERROR

$sl_logs (line 126)
LOGIN_ERROR

Make sure mail.log is a destination (I think that is a default)

Enable the plugin in Squirrelmail. Go to /etc/squirrelmail/ and execute the configuration program, conf.pl.

cd /etc/squirrelmail
./conf.pl

Choose option 8, Plugins

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit
Command >> 8

Find squirrel_logger in the list of Available Plugins and enter its number to move it to the Installed Plugins section.

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
  Installed Plugins
   1. view_as_html
   2. squirrel_logger

  Available Plugins:
    3. administrator
    4. bug_report
    5. calendar

R   Return to Main Menu
C   Turn color on
S   Save data
Q   Quit
Command >> 

Be sure you save your changes with the 'S' command (it is not done by default), then quit with a 'Q'.

At this point, any time someone fails a login attempt, a line similar to the following will show up in mail.log.

Jul 25 22:55:10 myserver squirrelmail: Failed webmail login: by myUser (myserver.dailydata.net) at 24.238.204.15 on 07/26/2014 03:55:10: Unknown user or password incorrect.

So, we need a regular expression to match that, then create a conf file. Create the file /etc/fail2ban/filter.d/apache-squirrelmail.conf with the following contents:

# Fail2Ban configuration file for SquirrelMail
#
# Author: R. W. Rodolico
#

[INCLUDES]
before = common.conf

[Definition]
failregex = Failed webmail login: by.*at <HOST>.*
ignoreregex =

Now, edit the jail file, /etc/fail2ban/jail.local and add the following

[apache-squirrelmail]
enabled = true
banaction = iptables-allports
bantime = 300
port = all
filter = apache-squirrelmail
logpath = /var/log/mail.log
maxretry = 6

This will block all access (web, mail, ssh) from the originating IP for 5 minutes (bantime=300) whenever 6 failed attempts are recorded in the default number of minutes (I think it is 5).

Note: I ended up putting in maxretry of 6 because Squirrelmail apparently does multiple login attempts before it fails. So, using a lesser number can lock you out with only one attempt.
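As an added example (not part of the original FAQ), the following replays the filter and jail settings above offline: it expands <HOST> the way the fail2ban 0.8 series does (an assumption; newer releases use a longer pattern that also covers IPv6), runs the failregex over constructed mail.log lines, and applies maxretry, findtime and bantime to decide which address gets banned. findtime is set to 600 seconds, fail2ban's shipped default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.8's expansion of <HOST> (assumption; newer releases differ)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# the failregex from apache-squirrelmail.conf with <HOST> substituted
FAILREGEX = re.compile(r"Failed webmail login: by.*at " + HOST + r".*")
# the syslog timestamp that starts every mail.log line
STAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_line(line, year=2014):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m, f = STAMP.match(line), FAILREGEX.search(line)
    if not (m and f):
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, f["host"]

def bans(lines, maxretry=6, findtime=600, bantime=300):
    """Replay the jail over chronologically ordered lines: ban a host at its
    maxretry-th failure within findtime seconds; ignore it while banned."""
    window, banned_until, result = defaultdict(deque), {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned_until and ts < banned_until[host]:
            continue
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop stale failures
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            result.append((host, ts))
            q.clear()
    return result

def make_line(stamp, host):
    # constructed mail.log line in the shape shown above
    return (f"{stamp} myserver squirrelmail: Failed webmail login: by myUser "
            f"(myserver.dailydata.net) at {host} on 07/26/2014 03:55:10: "
            "Unknown user or password incorrect.")

# constructed sample: six failures from one address within six seconds,
# one unrelated dovecot line, and a single failure from a second address
SAMPLE_LOG = [make_line(f"Jul 25 22:55:{10 + i}", "24.238.204.15") for i in range(6)]
SAMPLE_LOG.insert(3, "Jul 25 22:55:12 myserver dovecot: imap-login: Login: user=<bob>")
SAMPLE_LOG.append(make_line("Jul 25 22:56:00", "198.51.100.7"))
```

To check the real filter against the real log, fail2ban ships `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/apache-squirrelmail.conf`, which reports how many lines the failregex matched and which hosts it extracted.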

Last update:
2014-07-28 07:44
Author:
Rod
Revision:
1.1