bfd script for Kerio Connect


   May 9th, 2011

Overview

It came to my attention recently that a mailserver I manage for a client was having an unusually high number of login attempts and that my site has been having a lot of traffic thanks to SEO. Since the server runs Kerio Connect rather than exim or sendmail, I normally deal with these manually using a for loop and apf. I did, at one point, take notes with the intention of working this into bfd, however the project never came to fruition.

Today is the day I finally put the work into incorporating this into bfd

Details

This was a fairly straightforward process, adapting one of the existing rules files to work with Kerio. Kerio stores it’s ‘failed login‘ information in

    /opt/kerio/mailserver/store/logs/warning.log

Generally you will see either:

    User user@domain.com doesn't exist. Attempt from IP address 1.2.3.4

or

    Invalid password for user user@domain.com. Attempt from IP address 1.2.3.4

Code

The regex for detecting these patterns was simple and is quite effective. Simply place the following code in /usr/local/bfd/rules/kerio_connect or capture using wget

wget -O /usr/local/bfd/rules/kerio_connect http://scripts.apocalypticfail.com/bfd.kerio_connect
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="20"
 
# file must exist for rule to be active
REQ="/opt/kerio/mailserver/store/logs/warning.log"
 
if [ -f "$REQ" ]; then
 LP="/opt/kerio/mailserver/store/logs/warning.log"
 TLOG_TF="kerio_connect"
 
 ## kerio failed passwords and users that do not exist
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep "Attempt from IP" | sed -n 's/.*[Uu]ser\ \([^\ ]*\)\ .*Attempt\ from\ IP\ address\ \(.*\)/\2:\1/p'`
fi

Testing

If you wish to test this out, you can use the following loops. Make certain that you will still have access to the server once the machine you are testing from is locked out. For my own testing, I simply tested from another server – leaving my workstation with access.

Testing failed password attempts, use the following code. Be sure to replace ‘user’ with a username that exists for the kerio_username post variable and your hostname in place of webmail.domain.com:

for i in $(seq 1 100); do echo "Attempt $i"; wget -O - -q --post-data 'kerio_username=user&kerio_password=anything' https://webmail.domain.com/webmail/dologin.php > /dev/null ;done

Testing invalid user attempts, use the following code – again replacing webmail.domain.com with your hostname:

for i in $(seq 1 100); do echo "Attempt $i"; wget -O - -q --post-data 'kerio_username=anybody&kerio_password=anything' https://webmail.domain.com/webmail/dologin.php > /dev/null ;done
VN:F [1.9.13_1145]
Rating: 1.0/5 (1 vote cast)

Posted in installations, scripts | No Comments »