Fail2ban - Postfixadmin Authentication Jail

Submitted by bshea on Fri, 05/27/2016 - 13:12
Quick fix to "Postfixadmin" and a jail for "Fail2ban" to allow fail2ban use.
NOTE:
You should really keep "Postfixadmin" web admin behind a firewall/localnet only. You've been warned..

Edit postfixadmin/login.php (starting @ line 63 or so under Postfix Admin v2.3.8) :


Substitute your location (if an Ubuntu pkg its normally under /usr/share): 
sudo nano /var/www/html/postfixadmin/login.php

Add the following lines ONLY and save: 
        if ($result['rows'] != 1)
        {
            $error = 1;
            $tMessage = '' . $PALANG['pLogin_failed'] . '';
//Add this line
            error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
        }
    }
    else
    {
        $error = 1;
        $tMessage = '' . $PALANG['pLogin_failed'] . '';
//Add same line
        error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    }

So, two lines added to admin login. Now we need to add that same line once to the users area.
Edit postfixadmin/users/login.php (shows start at line 63 or so): 
   else {
         $error = 1;
         $tMessage = '' . $PALANG['pLogin_failed'] . '';
//Add same line
         error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
         $tUsername = $fUsername;
   }

   include ("../templates/header.php");

A bad auth simply gets logged to /var/log/apache2/error.log now using php error_log method..

Now FAIL2BAN :


Create a new filter for fail2ban by creating /etc/fail2ban/filter.d/postfixadmin.conf
Add these lines and save: 
[INCLUDES]

before = common.conf
after  = postfixadmin.local

[Definition]

failregex = \[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT
ignoreregex =

# Author: Brady Shea
# after customizing
# postfixadmin/login.php and postfixadmin/users/login.php
# so they log bad authentications to apache2 error.log

Create a new jail for fail2ban by editing/creating /etc/fail2ban/jail.local
Add the following lines to bottom: 
[postfixadmin]

enabled  = true
port     = http,https
filter   = postfixadmin
logpath  = /var/log/apache2/error.log
findtime = 60
maxretry = 3
bantime  = 120

Restart fail2ban: 
sudo service fail2ban restart

Your /var/log/apache2/error.log should now start showing things like this (as fail2ban monitors it): 
[Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client 10.72.244.233:11460] BAD LOGIN ATTEMPT, username "sdsd@dfdf.com", password "ss", referer: https://mail.somewhere.tld/postfixadmin/login.php

Hope this helps someone. Works fine - tested over some weeks now.