RoundCube Fail2Ban Plugin

RoundCube Fail2Ban Plugin is a small plugin that writes failed login attempts to your syslog or userlogins log file. Using this information, Fail2Ban can block an offender for a set amount of time. The best part: the block happens at the IP level, so it blocks the IP address, not the user they are trying to log in as.

Download

  • tgz | zip | git - Version: 1.1 (2011-Jun-19)
  • tgz | zip | git – Version: 1.0 (2009-Jul-09)

Install

  • Place this plugin folder into the RoundCube plugins directory (roundcube/plugins/)
  • Confirm the folder is named “fail2ban” after unzipping or untaring the download.
  • Add fail2ban to $rcmail_config['plugins'] in your RoundCube config (config/main.inc.php)

Note: When downloading this plugin via git (http://github.com/mattrude/rc-plugin-fail2ban), you will need to create a directory called fail2ban and place fail2ban.php in it, ignoring the root directory in the downloaded archive. You may also run ‘git clone git://github.com/mattrude/rc-plugin-fail2ban.git fail2ban’ from the plugins directory.

Fail2Ban Setup

fail2ban/jail.conf:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
logpath  = /var/www/html/roundcube/logs/userlogins

Older setups used a configuration similar to:

[roundcube]
# 0.3 and up plugin-support

enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
           sendmail-whois[name=RC-Webmail, dest=you@example.com, sender=fail2ban]
logpath  = /srv/www/htdocs/webmail/logs/userlogins

fail2ban/filter.d/roundcube.conf:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
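
To see what this filter and jail do with the userlogins log, the following added example (not code from the plugin or from Fail2Ban) applies the failregex above to log lines and counts failures per host inside a sliding window. The `HOST` pattern is a simplified stand-in for Fail2Ban's `<HOST>` tag, the `maxretry=5` / `findtime=600` thresholds are assumed values, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not fail2ban's own pattern).
HOST = r"(?P<host>[\w.:-]+)"
FAILREGEX = r"FAILED login for .*. from <HOST>"  # failregex from roundcube.conf above
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]: ")     # e.g. [23-Mar-2011 07:44:12 +0900]:


def parse_failure(line, failregex=FAILREGEX):
    """Return (timestamp, host) for a failed-login line, or None for anything else."""
    head = STAMP.match(line)
    hit = re.search(failregex.replace("<HOST>", HOST), line)
    if not (head and hit):
        return None
    return datetime.strptime(head["ts"], "%d-%b-%Y %H:%M:%S %z"), hit["host"]


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    recent, banned = defaultdict(deque), []
    for parsed in filter(None, map(parse_failure, lines)):
        when, host = parsed
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures that aged out of the window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def _line(clock, user, ip, verb="FAILED"):
    return f"[23-Mar-2011 {clock} +0900]: {verb} login for {user} from {ip}"

# Constructed sample in the logs/userlogins format; addresses are documentation ranges.
SAMPLE = (
    [_line(t, "bantest", "198.51.100.7")  # five failures in under seven minutes
     for t in ("07:44:12", "07:45:01", "07:46:30", "07:48:00", "07:50:59")]
    + [_line(t, "carol", "203.0.113.9")   # five failures, but 15 minutes apart
       for t in ("07:00:00", "07:15:00", "07:30:00", "07:45:00", "08:00:00")]
    + [_line("07:47:00", "alice", "192.0.2.10", verb="Successful")]
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

Only the first host crosses the threshold: the second has as many failures, but never more than one inside a single window, and the successful login is ignored by the filter.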

Support

If you require support, please post to the comments below.

28 Comments

  1. bill says:

    Does this work with 0.3.1 ?

    1. Matt Rude says:

      Yep, I’m currently running it on a trunk install of RoundCube.

  2. bill says:

    I found another way of doing it without the plugin…

    actually it turns out 0.3.1 already logs auth errors (i don’t know if previous versions did or not)

    i set mine up by editing the files as such…

    adjust the roundcube log path depending on your install setup – i installed mine manually i don’t know where it normally installs to

    add this to /etc/fail2ban/jail.conf:

    [roundcube]
    enabled  = true
    port     = http,https
    filter   = roundcube
    logpath  = /usr/local/roundcube/logs/errors

    create new file /etc/fail2ban/filter.d/roundcube.conf:

    [Definition]
    failregex = IMAP Error: Authentication for .* () failed ((?:LOGIN|AUTH)):
    ignoreregex =

    and that is it… roundcube auth failures will be banned using your default settings… or you could adjust the setup in jail.conf with these additions:

    findtime = x (in seconds)
    bantime = x (in seconds)
    maxretry = x (attempts)

    example, to setup a one hour ban for 5 failed login attempts within a 10 minute period: findtime = 600, bantime = 3600, maxretry = 5

    also, you can setup rules for repeat offenders such as this (my example bans for 24 hours if a host suffers two 1 hour bans within a 6 hour period – aka they just won’t take a hint):

    add this to /etc/fail2ban/jail.conf:

    [roundcube-24hr]
    enabled  = true
    port     =  http,https
    filter   = roundcube-24hr
    logpath  = /var/log/fail2ban.log
    maxretry = 2
    findtime = 21600
    bantime  = 86400

    create /etc/fail2ban/filter.d/roundcube-24hr.conf:

    [Definition]
    failregex = [roundcube] Ban
    ignoreregex =

    1. bill says:

      i put a post on howtoforge with all the correct syntaxes

      http://howtoforge.com/forums/showthread.php?t=44168

  3. phil says:

    Thanks for your work.

  4. Thanks for this!

    RoundCube’s ‘native’ error log (logs/errors) doesn’t specify the remote host address, at least not when using the settings I require.

    I appreciate that you have taken the time to write this small but very useful plugin, and that you chose to share it with the rest of us.

  5. Al says:

    Hi,
    Thanks for the plugin it works but with a small issue.
    The IP the log is showing, does not correspond with the actual IP of the PC but the IP of the router, in my local network.

    So, the IP banned is the router one.

    Can you help with this? Thanks

  6. Wahid says:

    Thanks, it works great with RoundCube 0.4Stable and fail2ban 0.8.3-2 under Debian Lenny. Thanks again

  7. ryouji says:

    Hi all fix issue

    [roundcube-24hr]
    enabled  = true
    port     =  http,https
    action   = iptables-multiport[name=roundcube24, port="http,https",protocol=tcp]
               sendmail-whois[name=RC-Webmail, dest=root@localhost, sender=fail2ban@localhost]
    filter   = roundcube-24hr
    logpath  = /var/log/fail2ban.log
    maxretry = 2
    findtime = 21600
    bantime  = 86400
    

    thanks all

  8. Thuan N. Tran says:

    I’m using your plugin with rcguard and I modified rcguard a little with your code thus I can use the log output with my csf/lfd config, hope you don’t mind. Here’s the code http://pastebin.com/M868wWL0 from line 252 of function verify_recaptcha in rcguard latest version.

    1. Matt Rude says:

      You are free and welcome to modify the code any way you wish :)

  9. matt says:

    I can’t seem to get this plugin to work with .4 what exactly do i need to setup? I have done all the things said in the above messages is there just a folder i can drop in and make it work?

    1. Matt Rude says:

      yup, the plugins folder, but you have to follow the full install for it to work.

  10. I noticed that a failed login with a valid username will produce two log entries: one from the default roundcube log and one from this plugin. On the other hand, a failed login with an invalid username only produces a plugin log. Is this a bug in roundcube, the plugin, or is it expected behavior? Thanks.

    1. Matt Rude says:

      It’s expected behavior. RoundCube doesn’t seem to log failed logins, so it’s pretty hard to block/lockout an IP address without knowing about them.

  11. Chris Coleman says:

    I had to make modifications to 3 files so that your plugin could work on Debian Lenny (Debian 5).

    1. config/main.inc.php
    2. /etc/fail2ban/jail.conf the logpath was incorrect. For Debian Lenny it should be
    logpath=/usr/share/roundcube/logs/userlogins
    3. the source code /usr/share/roundcube/plugins/fail2ban/fail2ban.php
    It should have:
    chmod("logs/userlogins",0600);
    before and after the line:
    error_log(…………);
    Because something sets the permissions on that file after every write to an inaccessible 500 permissions(!!!). Yes, r-x------. We need 600 ie rw------- otherwise we get no info on failed login attempts.

    1. Chris Coleman says:

      (continued)
      I didn’t include the details for the first file you must modify on Debian Lenny:
      1. /usr/share/roundcube/config/main.inc.php
      You must add these 2 lines for it to work:
      $rcmail_config['log_driver'] = 'file';
      $rcmail_config['syslog_id'] = 'roundcube';

      1. Matt Rude says:

        Thank you for adding this.

  12. DmDS says:

    help please….
    “logpath” for windows
    c://logs/userlogins
    is it right?

    1. Matt Rude says:

      I have no idea, I don’t use Windows

  13. Chris says:

    After i have changed the “regex” in the configuration file this plugin works great.

    Thanks a lot
    Chris

  14. bill says:

    Previously when I was using 0.3.1 on Ubuntu 9.04, I was able to get fail2ban working with roundcube without this plugin (it was actually logging the correct IP address in the normal roundcube errors log)… as I stated right at the top of this page

    Now I am using 0.5 on Ubuntu 10.04, the normal errors log still works for me (ie. It shows the correct IP address of the remote system)

    But.. the syntax of the log file changed and I CBF getting my regex to work cos I am not good at it… so I installed this plugin and sure enough I am getting the userlogins error log with the same IP addresses (correct ones)

    I have setup fail2ban as per instructions. I can use fail2ban-regex to test my filter and it works. It finds matches in the log file. The jail is setup correctly and starts without errors.

    I tested from a remote location today and was never banned after many many attempts… obviously I have done something wrong, or something has changed

    jail.conf

    [roundcube]
    enabled  = true
    port     = http,https
    filter   = roundcube
    logpath  = /usr/share/roundcube/logs/userlogins

    filter.d/roundcube.conf

    [Definition]
    failregex = FAILED login for .*. from
    ignoreregex =

    Like I said I have tested the regex against the log file and it finds matches. Enough matches that it should have banned (my default setting is 5 attempts in 10 minutes)

    All my other jails are tested and working… just this roundcube jail doesn’t work at all

    As a side note, here is the output of the log files compared:

    logs/errors

    [23-Mar-2011 07:44:12 +0900]: IMAP Error: Login failed for bantest@ictnt.com from
    203.10.224.93. LOGIN: Login failed. in /usr/share/roundcube/program/include/rcube_imap.php
    on line 192 (POST /webmail/?_task=login&_action=login)

    logs/userlogins

    [23-Mar-2011 07:44:12 +0900]: FAILED login for bantest from 203.10.224.93

    If I could get a regex that works on the standard “errors” file, would that work?

    I have also noted that both “errors” and “userlogins” have the same owner:group and permissions

    -rw-r--r-- www-data:www-data

    So I can’t see why the jail isn’t working please help! :)

    1. Hi bill,

      I’m running Roundcube 0.5.3 on Debian Squeeze and these are the changes I made:

      Change the jail-definition to look in logs/errors instead of logs/userlogins and change the regexp in the filter to the following:
      .*Login failed for.*. from .

      And like you said, there is no need for the plugin any longer, as Roundcube now logs failed logins by default.

  15. Woah! I’m really digging the template/theme of this site. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and visual appearance. I must say you have done a fantastic job with this. Additionally, the blog loads very fast for me on Safari. Excellent Blog!

  16. Julien says:

    Very nice and elegant way to solve the case where roundcube runs on the same server as the IMAP service. Previous courierauth would ban the IP of the server instead of banning the attacker.

    Thanks!

  17. Mic says:

    Matt,

    Would you submit these same patterns on http://www.sshguard.net/support/attacks/submit/ ? We’d be happy to implement them in SSHGuard.

    cheers
    mic

  18. Kiro says:

    Many thx for this. It works like a charm !!


Matt Rude Hi, my name is Matt Rude, I’m a 31 year old guy, living in the Twin Cities, Minnesota. I have worked in Information Technology for over 15 years. During that time I have worked for business sectors as diverse as Public Schools to Auto Part to Health Care.
