Prevent Squirrelmail Brute Force Attacks

You installed Courier or Dovecot and you put SquirrelMail on your box for webmail.

(Screenshot: SquirrelMail's login page)

Then you did the right thing and set up fail2ban or (my favorite) CSF/LFD. But when you tested a brute force attack against SquirrelMail's login page, you noticed that LFD never blocks the attacker. Why not? A quick look at /var/log/mail.log explains it:

Apr  2 21:12:32 — imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]

Note the IP address: 127.0.0.1 (localhost, here in its IPv4-mapped IPv6 form ::ffff:127.0.0.1). SquirrelMail runs on the web server and opens its own IMAP connection to the local imapd, so imapd only ever sees a login attempt from localhost. The real client address is known only to the web server, and LFD never sees it (and blocking 127.0.0.1 would be worse than useless). So there are two options here (since leaving this gaping security hole is not an option):

1. Require HTTP basic auth in front of the webmail login page (ugh: another user/password pair to track and another login step for users, unless you go the cPanel route, which uses basic auth only and reuses that login for access to SquirrelMail).

2. Install the squirrel_logger plugin and configure it to write the *actual* client IP to /var/log/mail.log, in a form LFD already recognizes.

Making option 2 work is simple and quick, fortunately.

Making it work (with LFD)

As root:

cd /usr/share/squirrelmail/plugins

wget -O squirrel_logger-2.3-1.2.7.tar.gz 'http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3-1.2.7.tar.gz'

tar zxvf squirrel_logger-2.3-1.2.7.tar.gz

cd squirrel_logger

cp config_example.php config.php

Then go into config.php and find the block:

$sl_logs = array(
'SYSTEM:LOG_INFO:LOG_MAIL' => array(
//         'LOGIN'            => "Successful webmail login: by %2 (%3) at %4 on %6: %7",
//         'LOGOUT'           => "Webmail logout: by %2 (%3) at %4 on %6: %7",
//         'TIMEOUT'          => "Webmail session timed out: by %2 (%3) at %4 on %6: %7",
//         'OUTGOING_MAIL'    => "Message sent via webmail: by %2 (%3) at %4 on %6: %7",
//         'MASS_MAILING'     => "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
//         'LOGIN_ERROR'      => "Failed webmail login: by %2 (%3) at %4 on %6: %7",
//         'ERROR'            => "Webmail error: by %2 (%3) at %4 on %6: %7",
//         'CAPTCHA'          => "Webmail CAPTCHA litmus: by %2 (%3) at %4 on %6: %7",
//         'RESTRICT_SENDERS' => "Failed recipient limit: by %2 (%3) at %4 on %6: %7",
),

Change it to this:

$sl_logs = array(
'SYSTEM:LOG_INFO:LOG_MAIL:imapd' => array(
//         'LOGIN'            => "Successful webmail login: by %2 (%3) at %4 on %6: %7",
//         'LOGOUT'           => "Webmail logout: by %2 (%3) at %4 on %6: %7",
//         'TIMEOUT'          => "Webmail session timed out: by %2 (%3) at %4 on %6: %7",
//         'OUTGOING_MAIL'    => "Message sent via webmail: by %2 (%3) at %4 on %6: %7",
//         'MASS_MAILING'     => "Possible outgoing spam: by %2 (%3) at %4 on %6: %7",
'LOGIN_ERROR'      => "LOGIN FAILED, user=%2, ip=[%4]",
//         'ERROR'            => "Webmail error: by %2 (%3) at %4 on %6: %7",
//         'CAPTCHA'          => "Webmail CAPTCHA litmus: by %2 (%3) at %4 on %6: %7",
//         'RESTRICT_SENDERS' => "Failed recipient limit: by %2 (%3) at %4 on %6: %7",
),

You've added the IDENT "imapd" so the syslog entry is tagged as if imapd itself wrote it (LFD then treats it as an imapd login failure, which is fine by me). The change to the LOGIN_ERROR template makes the line match the one imapd itself writes on a failed login, since I'd rather edit this template than LFD's custom regex rules. Just a personal choice. One caveat: the plugin logs the client address as the web server sees it, so if SquirrelMail sits behind a reverse proxy or load balancer, the logged address will be the proxy's unless the web server is configured to trust the forwarded client address.

Then run the squirrelmail config script:

/usr/share/squirrelmail/config/conf.pl

and select PLUGINS, select squirrel_logger to activate, save and quit.

Then test it: from a non-whitelisted IP address, enter a wrong password on the webmail login page a few times and watch LFD lock you out per your CSF/LFD settings. Check /var/log/mail.log as you go: each failed attempt should now produce a LOGIN FAILED line carrying your real address instead of 127.0.0.1.
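To see what LFD (or fail2ban) actually has to work with, here is an added example of my own, not code from this post, from squirrel_logger or from CSF. It parses syslog-style lines, picks out the imapd "LOGIN FAILED" entries (the ones imapd writes and the ones squirrel_logger writes once its ident is set to "imapd" as above), unwraps the ::ffff: IPv4-mapped form Courier uses, and counts failures per client address. Loopback failures are counted separately, which is exactly why the pre-plugin setup never produced a block. The sample log, the hostname "mail", the addresses and the threshold of five failures are all constructed for the example.

```python
"""Count imapd LOGIN FAILED lines per client, the way a log watcher would.

Added example, not code from the post or from squirrel_logger/CSF.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed block threshold, standing in for an LFD-style trigger count.
DEFAULT_THRESHOLD = 5

# Matches "Apr  2 21:12:32 host imapd: LOGIN FAILED, user=X, ip=[A]".
# The hostname field is optional because the post's sample line omits it.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?: \S+)? imapd: "
    r"LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log: six failures seen by imapd as localhost (what you
# get before squirrel_logger is installed), six from one remote address as
# written by squirrel_logger, two from a second address, plus noise lines.
SAMPLE_LOG = """\
Apr  2 21:12:30 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:12:31 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:12:32 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:12:33 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:12:34 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:12:35 mail imapd: LOGIN FAILED, user=nobody, ip=[::ffff:127.0.0.1]
Apr  2 21:14:00 mail dovecot[2987]: imap-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Apr  2 21:14:00 mail imapd: LOGIN FAILED, user=alice, ip=[203.0.113.45]
Apr  2 21:14:02 mail imapd: LOGIN FAILED, user=alice, ip=[203.0.113.45]
Apr  2 21:14:03 mail imapd: LOGIN FAILED, user=alice, ip=[203.0.113.45]
Apr  2 21:14:05 mail imapd: LOGIN FAILED, user=admin, ip=[203.0.113.45]
Apr  2 21:14:06 mail imapd: LOGIN FAILED, user=admin, ip=[203.0.113.45]
Apr  2 21:14:08 mail imapd: LOGIN FAILED, user=root, ip=[203.0.113.45]
Apr  2 21:15:10 mail imapd: LOGIN FAILED, user=bob, ip=[198.51.100.7]
Apr  2 21:15:12 mail imapd: LOGIN FAILED, user=bob, ip=[198.51.100.7]
Apr  2 21:16:00 mail imapd: LOGIN, user=bob, ip=[198.51.100.7], protocol=IMAP
"""


def normalise_ip(raw):
    """Turn the logged address into an ip_address object.

    Courier logs IPv4 clients in IPv4-mapped IPv6 form (::ffff:a.b.c.d);
    unwrap that so the same client is counted the same way regardless of
    which process wrote the line.
    """
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def parse_failures(lines):
    """Yield (user, ip_address) for every LOGIN FAILED line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            yield m.group("user"), normalise_ip(m.group("ip"))


def count_failures(lines):
    """Return ({ip: failures}, loopback_failures).

    Loopback failures are the ones a log watcher cannot act on: blocking
    127.0.0.1 would cut the web server off from IMAP without touching the
    attacker, so they are kept out of the per-client tally.
    """
    per_ip = defaultdict(int)
    loopback = 0
    for _user, addr in parse_failures(lines):
        if addr.is_loopback:
            loopback += 1
        else:
            per_ip[str(addr)] += 1
    return dict(per_ip), loopback


def ips_to_block(lines, threshold=DEFAULT_THRESHOLD):
    """Addresses that reached the failure threshold, sorted for stable output."""
    per_ip, _ = count_failures(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    per_ip, loopback = count_failures(SAMPLE_LOG.splitlines())
    print("failures per client:", per_ip)
    print("failures attributed to localhost (unblockable):", loopback)
    print("would block:", ips_to_block(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/mail.log (for example by feeding `open("/var/log/mail.log")` to `count_failures`) and the loopback count tells you how many failed webmail logins are invisible to LFD; once squirrel_logger is in place that number should stop growing while the per-client tally does.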

8 thoughts on “Prevent Squirrelmail Brute Force Attacks”

  1. Does not work for me, CSF v5.02.

    It just halts on the redirect when logging in with white page. I’m thinking this bracket [ ] might be the cause?

  2. ‘LOGIN_ERROR’ => “LOGIN FAILED, user=%2, ip=[%4]“,

    Should be:
    ‘LOGIN_ERROR’ => “LOGIN FAILED, user=%2, ip=[%4]”,

    I have CSF set to watch an additional logfile.
    squirrelmail_access_log

    But still when trying I get this error.
    Fatal error: Call to undefined function sq_send_mail() in /var/www/html/squirrelmail-1.4.20/plugins/squirrel_logger/alert_functions.php on line 88

  3. Apr 22 21:17:56 dovecot[2987]: imap-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
    Apr 22 21:17:56 imapd: LOGIN FAILED, user=vvvvvvvvv, ip=[67.159.xx.xx]

    This did show up in the mail log 🙂

  4. “″
    These symbols do not show up correctly when I was trying to show example of your code for a fix.

  5. You’re right, this is a WordPress problem as my code was pasted with standard quotes. I’ll see if I can fix the display. As for your call to undefined function error, that’s definitely something wrong with your logger installation…beyond the scope of this document. 🙂

  6. Thanks for the tut. I was successful in installing it and will let you know if any complications arise. I had the plugin installed previously and was just uploading the config file. I had to go and run the config.pl and disable and then re-enable it after uploading the changes.
    Respectfully me. 🙂
