Prevent Squirrelmail Brute Force Attacks

You installed Courier or Dovecot and you put SquirrelMail on your box for webmail.

Then you were good enough to set up fail2ban or (my favorite) CSF/LFD. But you tested a brute force attack on Squirrelmail’s login page, and you noticed that LFD doesn’t detect brute force login attempts. Why not? A quick look at /var/log/mail.log explains it:

Apr  2 21:12:32 — imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]

Note the “missing” IP address of 127.0.0.1 (localhost). LFD doesn’t know where the login requests are coming from because once you hit the squirrelmail login page you’re on localhost.  So there are two options here (since leaving this gaping security hole is not an option):

1. Require basic-auth on the webmail login page (ugh, more user/passes to track and another login step for users, or you have to go the cPanel route which uses basic auth only and retains their login information for access to SquirrelMail)

2. Install squirrel_logger and configure it to write the *actual* IP to /var/log/mail.log.

Making option 2 work is simple and quick, fortunately.

Making it work (with LFD)

As root:

cd /usr/share/squirrelmail/plugins

wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz

tar zxvf squirrel_logger-2.3-1.2.7.tar.gz

cd squirrel_logger

cp config_example.php config.php

Then go into config.php and find the block:

$sl_logs = array(
'SYSTEM:LOG_INFO:LOG_MAIL' => array(
//         'LOGIN'            => "Successful webmail login: by %2 (%3) at %4 on %6: %7",
//         'LOGOUT'           => "Webmail logout: by %2 (%3) at %4 on %6: %7",
//         'TIMEOUT'          => "Webmail session timed out: by %2 (%3) at %4 on %6: %7",
//         'OUTGOING_MAIL'    => "Message sent via webmail: by %2 (%3) at %4 on %6: %7",
//         'MASS_MAILING'     => "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
//         'LOGIN_ERROR'      => "Failed webmail login: by %2 (%3) at %4 on %6: %7",
//         'ERROR'            => "Webmail error: by %2 (%3) at %4 on %6: %7",
//         'CAPTCHA'          => "Webmail CAPTCHA litmus: by %2 (%3) at %4 on %6: %7",
//         'RESTRICT_SENDERS' => "Failed recipient limit: by %2 (%3) at %4 on %6: %7",
),

Change it to this:

$sl_logs = array(
'SYSTEM:LOG_INFO:LOG_MAIL:imapd' => array(
//         'LOGIN'            => "Successful webmail login: by %2 (%3) at %4 on %6: %7",
//         'LOGOUT'           => "Webmail logout: by %2 (%3) at %4 on %6: %7",
//         'TIMEOUT'          => "Webmail session timed out: by %2 (%3) at %4 on %6: %7",
//         'OUTGOING_MAIL'    => "Message sent via webmail: by %2 (%3) at %4 on %6: %7",
//         'MASS_MAILING'     => "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
'LOGIN_ERROR'      => "LOGIN FAILED, user=%2, ip=[%4]",
//         'ERROR'            => "Webmail error: by %2 (%3) at %4 on %6: %7",
//         'CAPTCHA'          => "Webmail CAPTCHA litmus: by %2 (%3) at %4 on %6: %7",
//         'RESTRICT_SENDERS' => "Failed recipient limit: by %2 (%3) at %4 on %6: %7",
),

You’ve added the IDENT as “imapd” so that it shows something meaningful (and LFD thinks it is imapd reporting this, which is fine by me). The change to the login_error line is simply to make the line more closely resemble the login failure line that imapd itself reports to the log, since I’d rather edit this than LFD’s custom regex rules. Just a personal choice.

Then run the squirrelmail config script:

/usr/share/squirrelmail/config/conf.pl

and select PLUGINS, select squirrel_logger to activate, save and quit.

Then test your webmail login a few times from a non-whitelisted IP address and watch LFD lock you out per your CSF/LFD settings.