You should really keep “Postfixadmin” web admin behind a firewall/localnet only. You’ve been warned.
Edit postfixadmin/login.php (starting at line 63 or so under Postfix Admin v2.3.8):
[prism:bash]sudo nano /var/www/html/postfixadmin/login.php[/prism:bash]
[prism:php]    if ($result['rows'] != 1)
    {
        $error = 1;
        $tMessage = '' . $PALANG['pLogin_failed'] . '';
        //Add this line
        error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    }
}
else
{
    $error = 1;
    $tMessage = '' . $PALANG['pLogin_failed'] . '';
    //Add same line
    error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
}[/prism:php]
So, two lines added to admin login. Now we need to add that same line once to the users area.
[prism:php]else {
    $error = 1;
    $tMessage = '' . $PALANG['pLogin_failed'] . '';
    //Add same line
    error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
    $tUsername = $fUsername;
}
include ("../templates/header.php");[/prism:php]
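A bad auth now simply gets logged to /var/log/apache2/error.log via PHP's error_log() function. The logged line includes the submitted password in cleartext, so restrict who can read that log, or leave the password part out of the error_log() call.
Now FAIL2BAN: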
Create a new filter for fail2ban by creating /etc/fail2ban/filter.d/postfixadmin.conf
[prism:apache][postfixadmin]
enabled = true
port = http,https
filter = postfixadmin
logpath = /var/log/apache2/error.log
findtime = 60
maxretry = 3
bantime = 120[/prism:apache]
[prism:bash]sudo service fail2ban restart[/prism:bash]
Your /var/log/apache2/error.log should now start showing things like this (as fail2ban monitors it):
[prism:apache][Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client 10.72.244.233:11460] BAD LOGIN ATTEMPT, username "sdsd@dfdf.com", password "ss", referer: https://mail.somewhere.tld/postfixadmin/login.php[/prism:apache]
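The jail block above names `filter = postfixadmin`, and fail2ban only counts a failure when that filter file supplies a `failregex` matching the logged line (jail options such as `enabled`, `logpath` and `maxretry` are normally kept in /etc/fail2ban/jail.local). The following is an added example, not code from the original post: it assumes a filter body (`FILTER_CONF`) and replays the jail's `findtime`/`maxretry` counting over constructed log lines, with a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag; `_line`, `SAMPLE` and `hosts_to_ban` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed body for /etc/fail2ban/filter.d/postfixadmin.conf (not from the post).
FILTER_CONF = r"""[Definition]
failregex = \[client <HOST>(?::\d{1,5})?\] BAD LOGIN ATTEMPT, username
ignoreregex =
"""
FINDTIME, MAXRETRY = 60, 3  # findtime / maxretry from the jail block above

# Simplified IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    re.search(r"^failregex = (.+)$", FILTER_CONF, re.M).group(1).replace("<HOST>", HOST))
STAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:.]+ \d{4})\] ")

def _line(clock, client, user):
    """Build a constructed line in the error.log format shown on this page."""
    return (f'[Fri May 27 {clock} 2016] [:error] [pid 12927] [client {client}] '
            f'BAD LOGIN ATTEMPT, username "{user}", password "x", '
            'referer: https://mail.somewhere.tld/postfixadmin/login.php')

SAMPLE = [  # constructed input, not real log data
    _line("12:24:23.858680", "10.72.244.233:11460", "sdsd@dfdf.com"),
    _line("12:24:30.000001", "10.72.244.233:11461", "sdsd@dfdf.com"),
    _line("12:24:41.120000", "192.0.2.7:40000", "a@example.org"),
    _line("12:24:50.500000", "10.72.244.233:11462", "admin@dfdf.com"),
    _line("12:27:00.000000", "192.0.2.7:40001", "a@example.org"),
    _line("12:27:30.000000", "192.0.2.7:40002", "a@example.org"),
]

def hosts_to_ban(lines):
    """Return hosts with MAXRETRY matching lines inside a FINDTIME-second window."""
    seen, banned = defaultdict(deque), []
    for line in lines:
        stamp, hit = STAMP.match(line), FAILREGEX.search(line)
        if not (stamp and hit):
            continue
        when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S.%f %Y")
        window = seen[hit.group("host")]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than the findtime window
        if len(window) >= MAXRETRY and hit.group("host") not in banned:
            banned.append(hit.group("host"))
    return banned

print(hosts_to_ban(SAMPLE))
```

On the server, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/postfixadmin.conf` checks the real filter file against the real log.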
Hope this helps someone. Works fine – tested over some weeks now.