Fail2ban - Postfixadmin Authentication Jail
A quick patch to "Postfixadmin" plus a filter and jail for "Fail2ban", so that fail2ban can act on failed Postfixadmin logins.
NOTE:
You should really keep the "Postfixadmin" web admin behind a firewall or reachable from the local network only. You've been warned.
Edit postfixadmin/login.php (starting at line 63 or so under Postfix Admin v2.3.8):
Substitute your location (for an Ubuntu package it's normally under /usr/share):
sudo nano /var/www/html/postfixadmin/login.php
Add ONLY the two error_log lines marked by the comments below, then save:
    if ($result['rows'] != 1)
    {
        $error = 1;
        $tMessage = '' . $PALANG['pLogin_failed'] . '';
        //Add this line
        error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    }
}
else
{
    $error = 1;
    $tMessage = '' . $PALANG['pLogin_failed'] . '';
    //Add same line
    error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
}
That makes two lines added to the admin login. Now the same line needs to be added once in the users area.
Edit postfixadmin/users/login.php (the block shown starts at line 63 or so):
else {
    $error = 1;
    $tMessage = '' . $PALANG['pLogin_failed'] . '';
    //Add same line
    error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    $tUsername = $fUsername;
}
include ("../templates/header.php");
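A bad auth now simply gets logged to /var/log/apache2/error.log via PHP's error_log() function. As written, the added line records the submitted password in clear text next to the username, so treat that log file as sensitive, or leave the password part out of the error_log call; the filter below only matches on the client address and the BAD LOGIN ATTEMPT text.
Now FAIL2BAN: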
Create a new filter for fail2ban by creating /etc/fail2ban/filter.d/postfixadmin.conf
Add these lines and save:
[INCLUDES]
before = common.conf
after = postfixadmin.local
[Definition]
failregex = \[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT
ignoreregex =
# Author: Brady Shea
# after customizing
# postfixadmin/login.php and postfixadmin/users/login.php
# so they log bad authentications to apache2 error.log
Create a new jail for fail2ban by editing or creating /etc/fail2ban/jail.local
Add the following lines to the bottom:
[postfixadmin]
enabled = true
port = http,https
filter = postfixadmin
logpath = /var/log/apache2/error.log
findtime = 60
maxretry = 3
bantime = 120
Restart fail2ban:
sudo service fail2ban restart
Your /var/log/apache2/error.log should now start showing things like this (as fail2ban monitors it):
[Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client 10.72.244.233:11460] BAD LOGIN ATTEMPT, username "sdsd@dfdf.com", password "ss", referer: https://mail.somewhere.tld/postfixadmin/login.php
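To see which lines this filter counts and when the jail's findtime/maxretry values lead to a ban, here is an added example (not part of the original post and not fail2ban's own code) that approximates the matching in Python. The function names parse_failure and hosts_to_ban, the IPv4-only expansion of <HOST> and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex as in postfixadmin.conf. <HOST> is expanded to a simplified IPv4
# group (assumption: fail2ban's real <HOST> also covers IPv6 and hostnames).
FAILREGEX = r"\[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
# Leading Apache timestamp, with (2.4) or without (2.2) microseconds.
STAMP = re.compile(r"^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)? (\d{4})\]")
FINDTIME, MAXRETRY = 60, 3  # from the [postfixadmin] jail

# Constructed sample lines (documentation addresses), not from a real log.
SAMPLE_LOG = """\
[Fri May 27 12:24:23.858680 2016] [:error] [pid 101] [client 192.0.2.10:11460] BAD LOGIN ATTEMPT, username "a@example.com"
[Fri May 27 12:24:25.000001 2016] [:error] [pid 101] [client 203.0.113.5:40000] PHP Notice: Undefined index
[Fri May 27 12:24:30.120000 2016] [:error] [pid 101] [client 192.0.2.10:11462] BAD LOGIN ATTEMPT, username "a@example.com"
[Fri May 27 12:24:41.300000 2016] [:error] [pid 101] [client 192.0.2.10:11470] BAD LOGIN ATTEMPT, username "a@example.com"
[Fri May 27 12:25:00 2016] [error] [client 198.51.100.7] BAD LOGIN ATTEMPT, username "b@example.com"
[Fri May 27 12:25:50 2016] [error] [client 198.51.100.7] BAD LOGIN ATTEMPT, username "b@example.com"
[Fri May 27 12:26:30 2016] [error] [client 198.51.100.7] BAD LOGIN ATTEMPT, username "b@example.com"
"""

def parse_failure(line):
    """Return (datetime, host) if the filter would count this line, else None."""
    stamp, hit = STAMP.match(line), PATTERN.search(line)
    if not (stamp and hit):
        return None
    when = datetime.strptime(" ".join(stamp.groups()), "%a %b %d %H:%M:%S %Y")
    return when, hit.group("host")

def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry failures inside a sliding findtime window."""
    recent, banned = defaultdict(deque), []
    for when, host in filter(None, map(parse_failure, lines)):
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```

On the server itself, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/postfixadmin.conf` runs the real filter against the real log and reports how many lines matched.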
Hope this helps someone. Works fine - tested over some weeks now.