In the earlier article Blocking IPs That Attempt to Break In: Fail2Ban, I covered installing and using Fail2Ban. Fail2Ban is actually very extensible: as long as a service writes login failures to a log file and you supply the right regular expression, it can protect that service too. Below is how to use it to block attacks on SquirrelMail.

1. Install Squirrel Logger

## Download squirrel_logger into SquirrelMail's plugin directory and unpack it:
wget -O squirrel_logger-2.3.1-1.2.7.tar.gz 'http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3.1-1.2.7.tar.gz'
tar xzf squirrel_logger-2.3.1-1.2.7.tar.gz
cd squirrel_logger-2.3.1-1.2.7
cp config_example.php config.php
vi config.php

Then, in config.php, find the line:

$sl_use_GMT = 1;

and change it to:

$sl_use_GMT = 0;

Finally, run SquirrelMail's conf.pl to enable the squirrel_logger plugin.

2. Configure Fail2Ban

Edit /etc/fail2ban/jail.conf and add the following jail:

[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 5

In the /etc/fail2ban/filter.d directory, create a file named squirrelmail.conf with the following content:

# Fail2Ban configuration file
#
# Author: Bill Landry
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =

Fail2Ban also has to recognise squirrel_logger's timestamp format. Open /usr/share/fail2ban/server/datedetector.py and, between the Apache and Exim date templates, add the following:

# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)

Finally, restart Fail2Ban and you are done. To test it, simply fail to log in a few times and check whether the ban is applied.
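To see how the filter and date template above fit together before trusting them on a live server, here is an added example (not from the original post or from Fail2Ban itself) that replays Fail2Ban's matching and counting in plain Python: it expands the <HOST> tag to the alias quoted in the filter comments, parses the timestamp with the strptime pattern from the datedetector template, and applies the jail's maxretry to a sliding window. The log lines are constructed to fit the failregex and are not real squirrel_logger output; the findtime default of 600 seconds is Fail2Ban's, but the window logic here is a simplified stand-in.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban replaces <HOST> in a failregex with this alias before compiling it
# (the same alias the filter's comment block quotes).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"\[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))

# The datedetector template: the regex locates the timestamp, strptime parses it.
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"

def parse_line(line):
    """Return (timestamp, host) for a matching login failure, else None."""
    m = FAIL_RE.search(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(0), DATE_PATTERN), m.group("host")

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Ban a host once it reaches maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    seen = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        seen[host] = [t for t in seen[host] if ts - t <= window] + [ts]
        if len(seen[host]) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample lines shaped to fit the failregex; one uses the
# IPv4-mapped "::ffff:" prefix that the alias strips.
SAMPLE_LOG = """\
09/13/2007 06:43:20 [LOGIN_ERROR] user "alice" from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:22 [LOGIN_ERROR] user "alice" from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:25 [LOGIN] user "bob" from 198.51.100.4: Login success
09/13/2007 06:43:31 [LOGIN_ERROR] user "admin" from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:40 [LOGIN_ERROR] user "root" from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:44 [LOGIN_ERROR] user "test" from ::ffff:203.0.113.7: Unknown user or password incorrect
09/13/2007 06:50:00 [LOGIN_ERROR] user "bob" from 198.51.100.4: Unknown user or password incorrect
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

A single failure from 198.51.100.4 stays below maxretry, while the five from 203.0.113.7 (including the IPv4-mapped one) trigger the ban.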