Fail2ban Horde Webmail

This will show you how to setup horde to log failed logins and use fail2ban to detect these. A useful tool to check if any fail2ban filters are working as expected is the fail2ban-regex tool, more details here Fail2ban-regex help.

Login to horde webmail using an admin account. Navigate to the configuration page -> horde -> logging tab. You should see something similar to this.

Horde Logging Configuration Page
Horde Logging Configuration Page

Create the directory and file specified in the configuration page.

Check the permissions are correct.

Run the following command to ‘follow the file’ and login to horde. You should see some messages about a successful or failed login.

Create the following file, this is the filters file which is what fail2ban uses to match suspicious activity in the log files.

Add the following to it:

Create or modify the jail.local file under /etc/fail2ban/ Add the following ‘jail’, these use the filters to match the suspicious activity in the specified log files, they then perform the actions specified or the default if none are specified in the jail.

Test

tail the horde log file as shown earlier, try logging in to the horde webmail with incorrect credentials, repeat this several times and you should see this being recorded in the log messages. Depending on the number of allowed attempts specified in the jail.conf it should ban your IP after exceeding the allowed amount.

Please share 🙂