Thursday, November 26, 2009

Configuring Fail2ban to protect SquirrelMail against brute-force attacks

This guide shows how to prevent brute-force attacks against SquirrelMail with Fail2ban.
Fail2ban works through iptables rules, so iptables must be enabled; alternatively, TCP Wrappers can be used.

Install the required packages (sendmail was configured beforehand):

# yum install fail2ban squirrelmail


On CentOS 5.x, SquirrelMail (imapd) writes its logs to /var/log/maillog by default, but only with the IP address 127.0.0.1 (localhost). Since we want to ban a specific source address, fail2ban cannot use this file. We will therefore install and use Squirrel Logger to capture the real source address of each login attempt.

Download the plug-in that logs the external addresses:

# cd /usr/share/squirrelmail/plugins
# wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz
# tar zxvf squirrel_logger-2.3-1.2.7.tar.gz
# cd squirrel_logger-2.3-1.2.7
# cp config_example.php config.php

To check for newer versions, visit the official SquirrelMail site under the "Administrator's Relief" category.

If your servers use a local time that is not GMT, you must change the parameter "$sl_use_GMT = 0":

# vi /usr/share/squirrelmail/plugins/squirrel_logger-2.3-1.2.7/config.php

Next, enable the plugin in SquirrelMail using the configuration script:

# /usr/share/squirrelmail/config/conf.pl


============================================================
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages

D. Set pre-defined settings for specific IMAP servers

C Turn color on
S Save data
Q Quit

Command >>

============================================================

Select option #8, Plugins.


============================================================
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail

Available Plugins:
4. listcommands
5. fortune
6. filters
7. translate
8. abook_take
9. spamcop
10. squirrel_logger
11. mail_fetch
12. calendar
13. sent_subfolders
14. message_details
15. administrator
16. info
17. bug_report
18. filters
19. administrator
20. templates
21. translate
22. autocomplete
23. mail_fetch
24. msg_flags




R Return to Main Menu
C Turn color on
S Save data
Q Quit

Command >>

============================================================

Select the squirrel_logger option (the number of plug-ins listed may vary depending on the administrator's setup).


============================================================

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. squirrel_logger


============================================================

Press "S" to save the data and "Q" to quit; the plug-in is now enabled.


Add the following lines to the jail.conf file:

# vi /etc/fail2ban/jail.conf

=============================IPTABLES EXAMPLE===============================

[squirrelmail-iptables]
enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
         sendmail-whois[name=SquirrelMail, dest=you@your_domain.com, sender=fail2ban@your_domain.com]
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4

=============================TCPWRAPPERS EXAMPLE===============================

[squirrelmail-tcpwrapper]
enabled = true
filter = squirrelmail
action = hostsdeny
         mail-whois[name=squirrelmail, dest=root@localhost]
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
maxretry = 4

============================================================

The parameter "maxretry = 4" sets the number of failed attempts allowed before a ban.

Now go into the filter.d folder:

# cd /etc/fail2ban/filter.d
# touch squirrelmail.conf
# vi squirrelmail.conf

and add the following lines:

============================================================

# Fail2Ban configuration file
#
# Author: Bill Landry
#
# $Revision: 510 $

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =

============================================================

fail2ban needs to recognize the date format that squirrelmail_access_log emits, so we have to edit datedetector.py and add the following template between the "Apache format" and "Exim format" entries:

# vi /usr/share/fail2ban/server/datedetector.py

============================================================


# SquirrelMail 09/13/2007 06:43:20
# (insert at the same indentation as the neighbouring template blocks)
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)

============================================================
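As an added illustration (not part of the original post or of fail2ban itself), the following Python script applies the failregex from the squirrelmail filter and the date template from the datedetector.py snippet to a constructed squirrelmail_access_log excerpt, and reports which hosts a jail with maxretry = 4 would ban. It assumes fail2ban's default findtime of 600 seconds and expands the <HOST> tag into the alias the filter comments document.

```python
import re
from datetime import datetime, timedelta

# failregex from filter.d/squirrelmail.conf with the <HOST> tag expanded to the
# alias fail2ban substitutes for it: (?:::f{4,6}:)?(?P<host>\S+)
FAILREGEX = re.compile(r"\[LOGIN_ERROR\].*from (?:::f{4,6}:)?(?P<host>\S+)"
                       r": Unknown user or password incorrect")
# the "Month/Day/Year Hour:Minute:Second" template added to datedetector.py
DATE_REGEX = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_PATTERN = "%m/%d/%Y %H:%M:%S"

# Constructed squirrelmail_access_log excerpt (not a real capture): the lines are
# shaped to match the failregex above; a live plugin's wording may differ slightly.
SAMPLE_LOG = """\
09/13/2007 06:43:20 [LOGIN_ERROR] alice from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:25 [LOGIN_ERROR] alice from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:31 [LOGIN] alice from 198.51.100.4 logged in
09/13/2007 06:43:40 [LOGIN_ERROR] bob from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:43:52 [LOGIN_ERROR] root from 203.0.113.7: Unknown user or password incorrect
09/13/2007 06:44:01 [LOGIN_ERROR] carol from 198.51.100.4: Unknown user or password incorrect
09/13/2007 07:50:00 [LOGIN_ERROR] admin from 203.0.113.7: Unknown user or password incorrect
"""

def extract_host(line):
    """Host captured by the failregex for one log line, or None if no match."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def parse_failures(log_text):
    """(timestamp, host) pairs for every line that is a login failure."""
    failures = []
    for line in log_text.splitlines():
        host, d = extract_host(line), DATE_REGEX.search(line)
        if host is None or d is None:
            continue  # successful logins and undated lines are never counted
        failures.append((datetime.strptime(d.group(0), DATE_PATTERN), host))
    return failures

def hosts_to_ban(log_text, maxretry=4, findtime=600):
    """Hosts with maxretry or more failures inside one findtime-second window."""
    by_host = {}
    for ts, host in parse_failures(log_text):
        by_host.setdefault(host, []).append(ts)
    window, banned = timedelta(seconds=findtime), []
    for host, times in sorted(by_host.items()):
        times.sort()
        # slide a window of maxretry consecutive failures along the timeline
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return banned
```

With the sample above, 203.0.113.7 accumulates four failures within 32 seconds and is the only host banned; its fifth failure an hour later falls outside the findtime window, which is why a maxretry of 5 would ban nobody.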


Add fail2ban to chkconfig and start the service:

# chkconfig fail2ban on
# service fail2ban start
