How to protect Horde Webmail (Plesk) against brute force attacks

This article outlines the process of configuring Fail2Ban to secure a Horde Webmail, running on a Plesk server, against brute force attacks.

Prerequisite: This article expects that you have already completed the installation of Fail2Ban as outlined here.

Once you have completed the installation of Fail2Ban –

1. Copy the Courier IMAP filter to a new filter for Horde:

# cp /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/hordelogin.conf

2. Edit the contents of /etc/fail2ban/filter.d/hordelogin.conf

# nano -w /etc/fail2ban/filter.d/hordelogin.conf

The file should read:

[Definition]

failregex = FAILED LOGIN for .* \[<HOST>\] .*$

ignoreregex =
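Before enabling the jail it is worth confirming that the failregex actually extracts an address from Horde's log lines. The script below is an added example, not part of the original article: it reproduces the substitution Fail2Ban performs on the <HOST> tag (the host group is copied from fail2ban 0.9's filter code) and runs the Horde failregex over a few constructed log lines in the shape of Horde 3's output. It also shows the failure mode of leaving whitespace inside the tag, which Fail2Ban then treats as the literal text "< HOST >" so that nothing is ever banned.

```python
import re

# Fail2Ban does a literal text replacement of the <HOST> tag with its own
# host-matching group before compiling a failregex. This is the group used by
# fail2ban 0.9 (IPv4/IPv6 address or hostname), copied here so the check runs
# without fail2ban installed.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The Horde failregex as it should appear in hordelogin.conf.
FAILREGEX = r"FAILED LOGIN for .* \[<HOST>\] .*$"

# The same line with whitespace inside the tag: fail2ban only recognises the
# exact token <HOST>, so this variant is compiled with the literal text "< HOST >".
FAILREGEX_WITH_SPACES = r"FAILED LOGIN for .* \[< HOST >\] .*$"

# Constructed sample lines in the shape of Horde 3's log output (the
# addresses are documentation ranges; nothing here comes from a real server).
SAMPLE_LOG = [
    'Jan 01 10:00:01 HORDE [error] [horde] FAILED LOGIN for alice [203.0.113.10] to Horde [on line 162 of "/usr/share/psa-horde/lib/Auth.php"]',
    'Jan 01 10:00:05 HORDE [notice] [imp] Login success for bob [198.51.100.8] to {mail.example.com:143 [imap/notls]}',
    'Jan 01 10:00:09 HORDE [error] [imp] FAILED LOGIN for bob [198.51.100.7] to {mail.example.com:143 [imap/notls]}',
    'Jan 01 10:00:12 HORDE [error] [horde] FAILED LOGIN for alice [203.0.113.10] to Horde [on line 162 of "/usr/share/psa-horde/lib/Auth.php"]',
]


def compile_failregex(failregex):
    """Compile a fail2ban failregex the way fail2ban does: substitute <HOST> first."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_login_hosts(failregex, log_lines):
    """Return the host reported for each matching line, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_lines:
        match = pattern.search(line)
        if match is not None:
            hosts.append(match.group("host"))
    return hosts


def count_by_host(failregex, log_lines):
    """Tally failed logins per host; this is the count a jail compares to maxretry."""
    counts = {}
    for host in failed_login_hosts(failregex, log_lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("working filter   :", count_by_host(FAILREGEX, SAMPLE_LOG))
    print("spaced <HOST> tag:", count_by_host(FAILREGEX_WITH_SPACES, SAMPLE_LOG))
```

On the server itself the authoritative check is fail2ban's own tool, e.g. `fail2ban-regex /var/log/psa-horde/psa-horde.log /etc/fail2ban/filter.d/hordelogin.conf` (adjust the log path to wherever Plesk writes Horde's log on your system); it reports how many lines matched and which addresses were extracted, which should agree with what this script shows for equivalent input.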

3. Edit the Fail2Ban jail file:

# nano -w /etc/fail2ban/jail.conf

4. At the end of the file add:

How to force HTTPS in Horde (Plesk)

If you're using Horde as your preferred webmail client on a Plesk virtual hosting server, it's advisable to enable (and force) the use of HTTPS so that webmail users' login credentials and email traffic cannot be read in transit.

To force HTTPS within Horde:

# nano -w /etc/psa-webmail/horde/horde/conf.php

Then change:

$conf['use_ssl'] = 2;

to:

$conf['use_ssl'] = 1;

Next edit the Horde virtual host file:

nano -w /etc/httpd/conf.d/zzz_horde_vhost.conf

And just below the “ServerAdmin” line add:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Make sure to indent the lines to match the indentation of the preceding ServerName/ServerAlias/ServerAdmin lines.

How to add a virtual keyboard to Horde Webmail in Plesk 9.x

If you operate a web hosting provider and provide Horde based webmail access, I recommend providing a virtual keyboard in order for your users to enter their passwords securely.

A virtual keyboard is a software application which allows a user to enter characters via an onscreen keyboard. Unlike typing a password using a hardware keyboard, a virtual keyboard cannot be logged using a keystroke logger.

The following instructions outline the process of adding a virtual keyboard to the webmail login interface. An example of this can be found at: http://webmail.md3v.com.

Note: These instructions have been tested on Plesk 9.5.2 with Horde 3.3.6.

1. Download my Virtual Keyboard build from: http://www.md3v.com/dl/Virtual_Keyboard.zip.

2. Upload the “keyboard.css”, “keyboard.js” and “keyboard.png” files to your Plesk server.

3. Copy “keyboard.css”, “keyboard.js” and “keyboard.png” to:

/usr/share/psa-horde/imp

4. Make a backup of the original Horde login template:

Horde Session Problems

Many Internet providers send their users’ traffic through proxy servers; this can cause problems with Horde’s session handling in Plesk. The problem arises when the user’s IP address changes in the middle of a session.

You may see an error message in Horde that looks like this:

“Your Internet Address has changed since the beginning of your Mail session. To protect your security, you must login again.”

You’ll normally have this variable in /etc/psa-webmail/horde/horde/conf.php (Plesk 9.x +)

$conf['auth']['checkip'] = true;

You can disable this IP check, which breaks sessions for AOL users, by setting it to false:

$conf['auth']['checkip'] = false;

Restart Apache (/etc/init.d/httpd restart) after making this change.

Horde Webmail Security

For those using Plesk 9.x, Horde naively allows webmail logins via HTTP (insecure) or HTTPS (secure). HTTP logins are not recommended, as the username and password are sent in clear text across the Internet.

In the following example we’ll configure access to http://webmail.yourdomain.com to automatically redirect to https://webmail.yourdomain.com.

NOTE: These instructions are specific to Plesk’s implementation of Horde but should work on any Horde 3.1.7 installation. Simply locate Horde’s “conf.php” file and adjust the parameters shown below.

[root@youserver /]# nano -w /etc/psa/webmail/horde/horde/conf.php