Fail2ban - Postfixadmin Authentication Jail

A quick patch to "Postfixadmin" plus a filter and jail for "Fail2ban", so that fail2ban can act on failed Postfixadmin logins.
NOTE:
You should really keep the "Postfixadmin" web admin behind a firewall/localnet only. You've been warned.

Edit postfixadmin/login.php (starting at line 63 or so under Postfix Admin v2.3.8):


Substitute your location (if it is an Ubuntu package, it's normally under /usr/share):
sudo nano /var/www/html/postfixadmin/login.php

Add ONLY the error_log lines marked below, then save:
        if ($result['rows'] != 1)
        {
            $error = 1;
            $tMessage = '' . $PALANG['pLogin_failed'] . '';
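// Add this line. It writes the submitted password to the Apache error log too;
// the fail2ban filter only needs the client address and the BAD LOGIN ATTEMPT text.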
            error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
        }
    }
    else
    {
        $error = 1;
        $tMessage = '' . $PALANG['pLogin_failed'] . '';
//Add same line
        error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    }

So, two lines are added to the admin login. Now we need to add that same line once to the users area.
Edit postfixadmin/users/login.php (the excerpt starts at line 63 or so):
   else {
         $error = 1;
         $tMessage = '' . $PALANG['pLogin_failed'] . '';
//Add same line
         error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
         $tUsername = $fUsername;
   }

   include ("../templates/header.php");

A bad auth now simply gets logged to /var/log/apache2/error.log through PHP's error_log() function.

Now FAIL2BAN :


Create a new filter for fail2ban by creating /etc/fail2ban/filter.d/postfixadmin.conf
Add these lines and save:
[INCLUDES]

before = common.conf
after  = postfixadmin.local

[Definition]

failregex = \[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT
ignoreregex =

# Author: Brady Shea
# after customizing
# postfixadmin/login.php and postfixadmin/users/login.php
# so they log bad authentications to apache2 error.log

Create a new jail for fail2ban by editing/creating /etc/fail2ban/jail.local
Add the following lines to the bottom:
[postfixadmin]

enabled  = true
port     = http,https
filter   = postfixadmin
logpath  = /var/log/apache2/error.log
findtime = 60
maxretry = 3
bantime  = 120

Restart fail2ban:
sudo service fail2ban restart

Your /var/log/apache2/error.log should now start showing things like this (as fail2ban monitors it):
[Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client 10.72.244.233:11460] BAD LOGIN ATTEMPT, username "sdsd@dfdf.com", password "ss", referer: https://mail.somewhere.tld/postfixadmin/login.php
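
To check the filter and the jail thresholds offline, the following added example (not part of the original post and not fail2ban's own code) applies the failregex above to constructed log lines and models findtime = 60 / maxretry = 3 as a simple sliding window. The IPv4-only HOST pattern and the function names are assumptions made for the sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"\[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT".replace("<HOST>", HOST))
# Apache 2.4 error.log timestamp, e.g. [Fri May 27 12:24:23.858680 2016]
STAMP = re.compile(r"^\[\w{3} (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")
FINDTIME, MAXRETRY = 60, 3  # values from the [postfixadmin] jail

def parse(line):
    """Return (time, host) if the line is a logged bad login, else None."""
    stamp, hit = STAMP.match(line), FAILREGEX.search(line)
    if not (stamp and hit):
        return None
    when = datetime.strptime(" ".join(stamp.groups()), "%b %d %H:%M:%S %Y")
    return when, hit.group("host")

def hosts_to_ban(lines):
    """Hosts reaching MAXRETRY failures inside a FINDTIME-second window."""
    recent, banned = defaultdict(deque), []
    for when, host in filter(None, map(parse, lines)):
        window = recent[host]
        window.append(when)
        # Drop failures that have aged out of the findtime window.
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (not real traffic); only the parts the filter reads matter.
SAMPLE = [
    '[Fri May 27 12:24:01.000001 2016] [:error] [pid 1] [client 203.0.113.7:40001] BAD LOGIN ATTEMPT, username "a@example.org"',
    '[Fri May 27 12:24:05.000001 2016] [:error] [pid 1] [client 198.51.100.9:40002] BAD LOGIN ATTEMPT, username "b@example.org"',
    '[Fri May 27 12:24:20.000001 2016] [:error] [pid 1] [client 203.0.113.7:40003] BAD LOGIN ATTEMPT, username "a@example.org"',
    '[Fri May 27 12:24:30.000001 2016] [:error] [pid 1] [client 192.0.2.4:40004] File does not exist: /var/www/html/x',
    '[Fri May 27 12:24:40.000001 2016] [:error] [pid 1] [client 198.51.100.9:40005] BAD LOGIN ATTEMPT, username "b@example.org"',
    '[Fri May 27 12:24:55.000001 2016] [:error] [pid 1] [client 203.0.113.7:40006] BAD LOGIN ATTEMPT, username "a@example.org"',
    '[Fri May 27 12:30:00.000001 2016] [:error] [pid 1] [client 198.51.100.9:40007] BAD LOGIN ATTEMPT, username "b@example.org"',
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

On the server itself, running fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/postfixadmin.conf tests the real filter against the real log.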

Hope this helps someone. Works fine - tested over some weeks now.