I'm running ISPConfig3 on CentOS 5.3 as per the installation instructions at this site. When configuring fail2ban for trapping SquirrelMail failed logins, I notice the following in /var/log/maillog:

Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]

Each failed login generates an entry but with IP address 127.0.0.1 (localhost) and hence fail2ban cannot really action the iptables ban because there's no public IP address in the maillog file. Does anyone have any ideas how a real IP address might be captured to enable fail2ban to do its stuff? fail2ban works well on the system for ssh and ftp but they use a different logfile.
This is ISPConfig's monitoring module, trying to find out if imapd is still running. Nothing to worry about.
Thanks for your reply. I can confirm that imapd is still running. What I really wanted was to be able to ban (using fail2ban) repeated unsuccessful login attempts through SquirrelMail's Web interface. To be able to do this would involve knowing the real IP address. However, /var/log/maillog only contains IP address 127.0.0.1.
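Added example (not part of any post in this thread): a small Python triage of the maillog format quoted above, showing why these entries give a log-based ban nothing to act on. The function names and the max_retry threshold are assumptions made for the illustration, and the last three sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first four lines are the ones quoted in the thread;
# the last three are invented (203.0.113.7 is a documentation address) to show
# what a directly connecting IMAP client would look like in the same log.
SAMPLE_MAILLOG = """\
Jul 31 15:23:55 server_name imapd: LOGIN FAILED, user=45354, ip=[::ffff:127.0.0.1]
Jul 31 15:24:04 server_name imapd: LOGIN FAILED, user=34566, ip=[::ffff:127.0.0.1]
Jul 31 15:24:14 server_name imapd: LOGIN FAILED, user=56757, ip=[::ffff:127.0.0.1]
Jul 31 15:24:26 server_name imapd: LOGIN FAILED, user=4566, ip=[::ffff:127.0.0.1]
Jul 31 15:25:01 server_name imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]
Jul 31 15:25:09 server_name imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]
Jul 31 15:25:17 server_name imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.7]
"""

FAILED = re.compile(r"imapd: LOGIN FAILED, user=[^,]*, ip=\[(?P<ip>[^\]]+)\]")


def source_ip(raw):
    """Parse the ip=[...] field, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def triage(log_text, max_retry=3):
    """Return (bannable, loopback): failure counts per source address.

    max_retry is a hypothetical threshold, playing the role of a ban limit.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            counts[source_ip(match.group("ip"))] += 1
        except ValueError:
            continue  # malformed address field, nothing to count
    bannable = {str(ip): n for ip, n in counts.items()
                if not ip.is_loopback and n >= max_retry}
    # Loopback failures came through a local client such as the webmail front
    # end; the real client address is not in this log, so no ban is possible.
    loopback = {str(ip): n for ip, n in counts.items() if ip.is_loopback}
    return bannable, loopback


if __name__ == "__main__":
    print(triage(SAMPLE_MAILLOG))
```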
fail2ban and SquirrelMail step by step instructions

I've now successfully set up fail2ban with SquirrelMail for ISPConfig3 on CentOS v5.3 using the Squirrel Logger plugin to limit the number of login attempts. If there's any interest in how to do this, I'll write it up and post it. Whilst the process is covered in a few Web places, there are some steps that could cause frustration. Let me know if there's any interest?
Location of SquirrelMail/Fail2ban tutorial

Here's the location of the published SquirrelMail/Fail2ban tutorial: http://www.howtoforge.com/configuring-fail2ban-with-squirrelmail-on-centos-5.3-ispconfig-3