bfd script for Kerio Connect
May 9th, 2011
Overview
It came to my attention recently that a mailserver I manage for a client was seeing an unusually high number of failed login attempts. Since the server runs Kerio Connect rather than exim or sendmail, I normally deal with these manually using a for loop and apf. I did, at one point, take notes with the intention of working this into bfd; however, the project never came to fruition.
Today is the day I finally put the work into incorporating this into bfd.
Details
This was a fairly straightforward process: I adapted one of the existing rules files to work with Kerio. Kerio stores its 'failed login' information in
/opt/kerio/mailserver/store/logs/warning.log
Generally you will see either:
User user@domain.com doesn't exist. Attempt from IP address 1.2.3.4
or
Invalid password for user user@domain.com. Attempt from IP address 1.2.3.4
Code
The regex for detecting these two patterns is simple and quite effective. Place the following code in /usr/local/bfd/rules/kerio_connect, or fetch it with wget:
wget -O /usr/local/bfd/rules/kerio_connect http://scripts.apocalypticfail.com/bfd.kerio_connect
# failed logins from a single address before ban
# (overrides the conf.bfd trig value; comment out to use the default)
TRIG="20"

# file must exist for rule to be active
REQ="/opt/kerio/mailserver/store/logs/warning.log"

if [ -f "$REQ" ]; then
 LP="/opt/kerio/mailserver/store/logs/warning.log"
 TLOG_TF="kerio_connect"

 ## kerio failed passwords and users that do not exist
 ## tlog hands back only the lines added since the last run; the first sed
 ## turns each matching line into "ip:user", the format bfd expects in
 ## ARG_VAL; the second sed drops the sentence-ending period that the
 ## "Invalid password for user x@y." message would otherwise leave on the
 ## username
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep "Attempt from IP" | sed -n 's/.*[Uu]ser\ \([^\ ]*\)\ .*Attempt\ from\ IP\ address\ \(.*\)/\2:\1/p' | sed 's/\.$//'`
fi
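To see what the rule actually hands to bfd, here is an added example (not part of the original post, and not bfd's own code) that runs the same grep/sed extraction over a handful of constructed warning.log lines and then counts failures per source address, which is what bfd does with ARG_VAL before comparing the count against TRIG. The timestamp prefix on the sample lines is an assumption about Kerio's log layout, the addresses and mailboxes are made up, the sed pattern is written with plain spaces instead of the rule's escaped ones, and the trailing sed that strips the sentence-ending period from the "Invalid password" message is my addition. The trigger of 3 is deliberately lower than the rule's 20 so that the small sample trips it.

```shell
#!/bin/sh
# Added example: exercises the kerio_connect rule's extraction pipeline on
# constructed log lines and counts failures per IP the way bfd does.

# Constructed sample of warning.log content (not a real log; the
# "[date time]" prefix is an assumed Kerio layout). Line 4 must not match.
sample_log() {
cat <<'EOF'
[09/May/2011 10:15:01] User nobody@example.com doesn't exist. Attempt from IP address 198.51.100.7
[09/May/2011 10:15:02] Invalid password for user alice@example.com. Attempt from IP address 198.51.100.7
[09/May/2011 10:15:03] Invalid password for user alice@example.com. Attempt from IP address 203.0.113.9
[09/May/2011 10:15:04] Mailbox store nearly full, no login involved here
[09/May/2011 10:15:05] User ghost@example.com doesn't exist. Attempt from IP address 198.51.100.7
EOF
}

# Same extraction as the rule: keep only lines carrying the attempt marker,
# rewrite each as "ip:user", then drop the period that the "Invalid password
# for user x." wording leaves stuck to the username (my addition).
extract_failures() {
  grep "Attempt from IP" \
    | sed -n 's/.*[Uu]ser \([^ ]*\) .*Attempt from IP address \(.*\)/\2:\1/p' \
    | sed 's/\.$//'
}

# Count "ip:user" lines per IP and print "ip count" for every IP whose
# failure count reached the trigger (bfd's TRIG). Output is empty when
# nothing is over the line.
over_trigger() {
  trig="$1"
  cut -d: -f1 | sort | uniq -c | awk -v t="$trig" '$1 >= t { print $2, $1 }'
}

# Stand-alone run: every extracted pair, then the offenders at a trigger
# of 3 (the rule itself uses 20; 3 lets the five-line sample trip it).
sample_log | extract_failures
echo "--- over trigger (3) ---"
sample_log | extract_failures | over_trigger 3
```

The unrelated warning on the fourth sample line is there on purpose: the grep on "Attempt from IP" is what keeps ordinary Kerio warnings out of the count, so any future change to that marker text in the log would silently stop the rule from banning anyone, which is worth re-checking after a Kerio upgrade.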
Testing
If you wish to test this out, you can use the following loops. Make certain that you will still have access to the server once the machine you are testing from is locked out. For my own testing, I simply tested from another server – leaving my workstation with access.
To test failed password attempts, use the following loop. Replace 'user' in the kerio_username POST variable with a username that actually exists, and put your hostname in place of webmail.domain.com:
for i in $(seq 1 100); do echo "Attempt $i"; wget -O - -q --post-data 'kerio_username=user&kerio_password=anything' https://webmail.domain.com/webmail/dologin.php > /dev/null; done
To test invalid user attempts, use the following loop, again replacing webmail.domain.com with your hostname:
for i in $(seq 1 100); do echo "Attempt $i"; wget -O - -q --post-data 'kerio_username=anybody&kerio_password=anything' https://webmail.domain.com/webmail/dologin.php > /dev/null; done