September 7, 2010

How to protect Horde Webmail (Plesk) against brute force attacks

This article outlines the process of configuring Fail2Ban to secure a Horde Webmail, running on a Plesk server, against brute force attacks.

Prerequisite: This article expects that you have already completed the installation of Fail2Ban as outlined here.

Once you have completed the installation of Fail2Ban –

1. Copy the Courier IMAP filter to a new filter for Horde:

# cp /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/hordelogin.conf

2. Edit the contents of /etc/fail2ban/filter.d/hordelogin.conf

# nano -w /etc/fail2ban/filter.d/hordelogin.conf

The file should read:

[Definition]

failregex = FAILED LOGIN for *.* \[< HOST >\] .*$

ignoreregex =

3. Edit the Fail2Ban jail file:

# nano -w /etc/fail2ban/jail.conf

4. At the end of the file add:

[horde-iptables]
enabled = true
filter = hordelogin
action = iptables-multiport[name=HORDE, port="80,443,143"]
sendmail-whois[name=HORDE, [email protected], sender=f2b@your-server]
logpath = /var/log/psa-horde/psa-horde.log
maxretry = 3
bantime = 300

Make sure you change the dest= to your email address and sender to your servers name. You can also change the max retry (number of login times before banning) and the ban time (in seconds) to suit your requirements.

5. When you have completed the above changes, re-start Fail2Ban:

# /etc/init.d/fail2ban restart

6. Check to make sure that the new Horde filter has been includes in iptables:

# iptables -L -v | grep HORDE
58 16960 fail2ban-HORDE tcp -- any any anywhere anywhere multiport dports http,https,imap
Chain fail2ban-HORDE (1 references)

7. With this configuration in place, if a user logins to Horde more than 3 times incorrectly their IP address will automatically be blocked from access HTTP, HTTPS and IMAP ports on the server.