RoundCube Fail2Ban Plugin
RoundCube Fail2Ban Plugin is a small plugin that writes failed login attempts to your syslog or userlogins log file. Using this information, Fail2Ban can block a user for a set amount of time. Best of all, the block happens at the IP level: it blocks the source IP address, not the user they are trying to log in as.
Download
Install
- Place this plugin folder into the RoundCube plugins directory (roundcube/plugins/)
- Confirm the folder is named “fail2ban” after unzipping or untaring the download.
- Add fail2ban to $rcmail_config['plugins'] in your RoundCube config (config/main.inc.php)
Note: When downloading this plugin via git (http://github.com/mattrude/rc-plugin-fail2ban) you will need to create a directory called fail2ban and place fail2ban.php in there, ignoring the root directory in the downloaded archive. You may also run ‘git clone git://github.com/mattrude/rc-plugin-fail2ban.git fail2ban’ from the plugins directory.
Fail2Ban Setup
fail2ban/jail.conf:
[roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
logpath = /var/www/html/roundcube/logs/userlogins
Or, old-school, use a configuration similar to:
[roundcube]
# 0.3 and up plugin-support
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
         sendmail-whois[name=RC-Webmail, dest=you@example.com, sender=fail2ban]
logpath = /srv/www/htdocs/webmail/logs/userlogins
fail2ban/filter.d/roundcube.conf:
[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
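To check the filter before enabling the jail, the following added example (not part of the plugin or of Fail2Ban) runs the failregex above over constructed userlogins lines and counts failures per source IP the way maxretry and findtime do. The bracketed timestamp prefix, the IPv4-only stand-in for <HOST>, and the maxretry=5 / findtime=600 values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from filter.d/roundcube.conf above. fail2ban expands <HOST> itself;
# the IPv4-only group below is a simplified stand-in (assumption).
FAILREGEX = r"FAILED login for .*. from <HOST>"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
# Assumed line prefix: "[12-Jan-2010 10:00:05 +0000]: message"
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
[12-Jan-2010 10:00:05 +0000]: FAILED login for alice from 203.0.113.7
[12-Jan-2010 10:00:09 +0000]: FAILED login for bob from 203.0.113.7
[12-Jan-2010 10:00:14 +0000]: Successful login for carol (ID: 3) from 198.51.100.20
[12-Jan-2010 10:00:21 +0000]: FAILED login for root from 203.0.113.7
[12-Jan-2010 10:01:02 +0000]: FAILED login for carol from 198.51.100.20
[12-Jan-2010 10:01:40 +0000]: FAILED login for admin from 203.0.113.7
[12-Jan-2010 10:02:11 +0000]: FAILED login for info from 203.0.113.7
[12-Jan-2010 10:30:00 +0000]: FAILED login for carol from 198.51.100.20
"""

def parse_failures(text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in text.splitlines():
        stamp, hit = STAMP.match(line), PATTERN.search(line)
        if stamp and hit:
            when = datetime.strptime(stamp.group("ts"), "%d-%b-%Y %H:%M:%S %z")
            yield when, hit.group("host")

def hosts_to_ban(text, maxretry=5, findtime=600):
    """Return {host: time of the failure that reached maxretry within findtime}."""
    recent, banned = defaultdict(deque), {}
    window = timedelta(seconds=findtime)
    for when, host in parse_failures(text):
        q = recent[host]
        q.append(when)
        while when - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = when
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{host} would be banned at {when:%H:%M:%S}")
```

The five failures from 203.0.113.7 are against five different usernames, yet they count toward a single ban because the key is the address. On a live system, fail2ban-regex run against the real log and filter file gives the authoritative result.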
Support
If you require support, please post to the comments below.
Does this work with 0.3.1 ?
Yep, I’m currently running it on a trunk install of RoundCube.
I found another way of doing it without the plugin…
Actually it turns out 0.3.1 already logs auth errors (I don’t know if previous versions did or not).
I set mine up by editing the files as such…
Adjust the roundcube log path depending on your install setup – I installed mine manually, I don’t know where it normally installs to.
add this to /etc/fail2ban/jail.conf:
create new file /etc/fail2ban/filter.d/roundcube.conf:
And that is it… roundcube auth failures will be banned using your default settings… or you could adjust the setup in jail.conf with these additions:
Example, to set up a one hour ban for 5 failed login attempts within a 10 minute period:
Also, you can set up rules for repeat offenders such as this (my example bans for 24 hours if a host suffers two 1 hour bans within a 6 hour period – aka they just won’t take a hint):
add this to /etc/fail2ban/jail.conf:
create /etc/fail2ban/filter.d/roundcube-24hr.conf:
I put a post on howtoforge with all the correct syntaxes:
http://howtoforge.com/forums/showthread.php?t=44168
Thanks for your work.
Thanks for this!
RoundCube’s ‘native’ error log (logs/errors) doesn’t specify the remote host address, at least not when using the settings I require.
I appreciate that you have taken the time to write this small but very useful plugin, and that you chose to share it with the rest of us.
Hi,
Thanks for the plugin, it works but with a small issue.
The IP the log is showing does not correspond with the actual IP of the PC but the IP of the router, in my local network.
So, the IP banned is the router one.
Can you help with this? Thanks