Comments on: RoundCube Fail2Ban Plugin

By: Anthony

Anthony — Fri, 13 Apr 2012 15:23:43 +0000

I did, but it still doesn’t work – Charles mentioned that he had to put it in two places in the config file so I was wondering what the other places was.

I had to create the /plugins directory as there wasn’t one in the root of roundcube, then I put in your fail2ban in it’s own fail2ban directory in plugins – /var/www/html/roundcube/plugins/fail2ban/fail2ban.php I then added $rcmail_config['plugins'] = array(‘fail2ban’); to main.inc.php

I did notice that there was no plugins directory defined in main.inc.php like the log directory $rcmail_config['log_dir'] = ‘logs/’;
I tried $rcmail_config['plugin_dir'] = ‘plugins/’; but it didn’t seem to do anything

I’m puzzled why there wasn’t a plugins directory to begin with

Of note – I’m not using fail2ban/iptables service, I’m using apf and installing Brute Force Monitor since I can’t find a way to use fail2ban with apf (seems to only work with iptables)

What I do want to use your plugin for is to just get the IP logging in the log file for roundcube and then maybe try to get BFM to monitor it

By: Matt Rude

Matt Rude — Fri, 13 Apr 2012 01:44:57 +0000

Yes, you need to add the “fail2ban” to the $rcmail_config[‘plugins’ option in your main.inc.php file, see: http://trac.roundcube.net/browser/trunk/roundcubemail/config/main.inc.php.dist#L364

By: Anthony

Anthony — Thu, 12 Apr 2012 23:55:42 +0000

I can’t get this to work either, where was the 2nd place you specified it?

I had to create a plugins directory because there was not one – do I have to specify the location of that in the main.inc.php file?

By: Charles

Charles — Tue, 21 Feb 2012 11:48:52 +0000

it is working… in main.inc.php there are 2 places to specify the plugins… I need to make both to ‘fail2ban’ before it will load.

Thanks!

By: Charles

Charles — Tue, 21 Feb 2012 11:14:33 +0000

No luck making it work. Followed every single step. Check and re-checked.

It seems that the plugin is not loaded.

Please advise how to check…

Thanks!

By: Kiro

Kiro — Sun, 01 Jan 2012 13:51:18 +0000

Many thx for this. It works like a charm !!

By: Mic

Mic — Thu, 03 Nov 2011 22:42:26 +0000

Matt,

Would you submit these same patterns on http://www.sshguard.net/support/attacks/submit/ ? We’d be happy to implement them in SSHGuard.

cheers
mic

By: Julien

Julien — Thu, 01 Sep 2011 16:31:36 +0000

Very nice and elegant way to solve the case where roundcube runs on the same server thanthe IMAP service. Previous courierauth would ban the IP of the server instead of banning the attacker.

Thanks!

By: Vidar Normann

Vidar Normann — Sat, 25 Jun 2011 08:00:52 +0000

Hi bill,

I’m running Roundcube 0.5.3 on Debian Squeeze and these are the changes I made:

Change the jail-definition to look in logs/errors instead of logs/userlogins and change the regexp in the filter to the following:
.*Login failed for.*. from .

And like you said, there is no need for the plugin any longer, as Roundcube now logs failed logins by default.

By: barron thomas

barron thomas — Thu, 09 Jun 2011 04:50:52 +0000

Woah! I’m really digging the template/theme of this site. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and visual appearance. I must say you have done a fantastic job with this. Additionally, the blog loads very fast for me on Safari. Excellent Blog!

By: bill

bill — Wed, 23 Mar 2011 07:50:23 +0000

Previously when I was using 0.3.1 on Ubuntu 9.04, I was able to get fail2ban working with roundcube without this plugin (it was actually logging the correct IP address in the normal roundcube errors log)… as I stated right at the top of this page

Now I am using 0.5 on Ubuntu 10.04, the normal errors log still works for me (ie. It shows the correct IP address of the remote system)

But.. the syntax of the log file changed and I CBF getting my regex to work cos I am not good at it… so I installed this plugin and sure enough I am getting the userlogins error log with the same IP addresses (correct ones)

I have setup fail2ban as per instructions. I can use fail2ban-regex to test my filter and it works. It finds matches in the log file. The jail is setup correctly and starts without errors.

I tested from a remote location today and was never banned after many many attempts… obviously I have done something wrong, or something has changed

jail.conf

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /usr/share/roundcube/logs/userlogins

filter.d/roundcube.conf

[Definition]
failregex = FAILED login for .*. from 
ignoreregex =

Like I said I have tested the regex against the log file and it finds matches. Enough matches that it should have banned (my default setting is 5 attempts in 10 minutes)

All my other jails are tested and working… just this roundcube jail doesn’t work at all

As a side note, here is the output of the log files compared:

logs/errors

[23-Mar-2011 07:44:12 +0900]: IMAP Error: Login failed for bantest@ictnt.com from
203.10.224.93. LOGIN: Login failed. in /usr/share/roundcube/program/include/rcube_imap.php
on line 192 (POST /webmail/?_task=login&_action=login)

logs/userlogins

[23-Mar-2011 07:44:12 +0900]: FAILED login for bantest from 203.10.224.93

If I could get a regex that works on the standard “errors” file, would that work?

I have also noted that both “errors” and “userlogins” have the same owner:group and permissions

-rw-r--r-- www-data:www-data

So I can’t see why the jail isn’t working please help!

By: Chris

Chris — Wed, 16 Feb 2011 20:33:15 +0000

After i have changed the “regex” in the configuration file this plugin works great.

Thanks a lot
Chris

By: Matt Rude

Matt Rude — Sat, 05 Feb 2011 05:24:04 +0000

Thank you

By: Matt Rude

Matt Rude — Sat, 05 Feb 2011 05:23:43 +0000

Thank you for adding this.

By: Matt Rude

Matt Rude — Sat, 05 Feb 2011 05:23:22 +0000

yup, the plugins folder, but you have to follow the full install for it to work.

By: Matt Rude

Matt Rude — Sat, 05 Feb 2011 05:22:23 +0000

Your are free and welcome to modify the code anyway you wish

By: Matt Rude

Matt Rude — Sat, 05 Feb 2011 05:18:25 +0000

I have no idea, I don’t use Windows

By: DmDS

DmDS — Sat, 25 Dec 2010 12:18:23 +0000

help please….
“logpath” for windows
c://logs/userlogins
is it right?

By: Chris Coleman

Chris Coleman — Sat, 13 Nov 2010 16:24:42 +0000

(continued)
I didnt include the details for the first file you must modify on Debian Lenny:
1. /usr/share/roundcube/config/main.inc.php
You must add these 2 lines for it to work:
$rcmail_config['log_driver'] = ‘file’;
$rcmail_config['syslog_id'] = ’roundcube’;

By: Chris Coleman

Chris Coleman — Sat, 13 Nov 2010 16:12:40 +0000

I had to make modifications to 3 files so that your plugin could work on Debian Lenny (Debian 5).

1. config/main.inc.php
2. /etc/fail2ban/jail.conf the logpath was incorrect. For Debian Lenny it should be
logpath=/usr/share/roundcube/logs/userlogins
3. the source code /usr/share/roundcube/plugins/fail2ban/fail2ban.php
It should have:
chmod(“logs/userlogins”,0600);
before and after the line:
error_log(…………);
Because something sets the permissions on that file after every write to an inaccessible 500 permissions(!!!). Yes, r-x——. We need 600 ie rw——- otherwise we get no info on failed login attempts.

By: Matt Rude

Matt Rude — Fri, 05 Nov 2010 23:38:29 +0000

It’s expected behavior. RoundCube doesn’t seem to log failed logins, so it’s pretty hard to block/lockout an IP address without knowing about them.

By: Michael Starks

Michael Starks — Thu, 28 Oct 2010 03:06:50 +0000

I noticed that a failed login with a valid username will produce two log entries: one from the default roundcube log and one from this plugin. On the other hand, a failed login with an invalid username only produces a plugin log. Is this a bug in roundcube, the plugin, or is it expected behavior? Thanks.

By: matt

matt — Thu, 30 Sep 2010 01:11:37 +0000

I can’t seem to get this plugin to work with .4 what exactly do i need to setup? I have done all the things said in the above messages is there just a folder i can drop in and make it work?

By: Thuan N. Tran

Thuan N. Tran — Wed, 22 Sep 2010 14:40:05 +0000

I’m using your plugin with rcguard and I modified rcguard a little with your code thus I can use the log output with my csf/lfd config, hope you don’t mind. Here’s the code http://pastebin.com/M868wWL0 from line 252 of function verify_recaptcha in rcguard latest version.

By: ryouji

ryouji — Tue, 07 Sep 2010 16:41:57 +0000

Hi all fix issue

[roundcube-24hr]
enabled  = true
port     =  http,https
action   = iptables-multiport[name=roundcube24, port="http,https",protocol=tcp]
sendmail-whois[name=RC-Webmail, dest=root@localhost, sender=fail2ban@localhost]
filter   = roundcube-24hr
logpath  = /var/log/fail2ban.log
maxretry = 2
findtime = 21600
bantime  = 86400

thanks all

By: Wahid

Wahid — Thu, 19 Aug 2010 14:45:46 +0000

Thanks, it works great with RoundCube 0.4Stable and fail2ban 0.8.3-2 under Debian Lenny. Thanks again

By: Al

Al — Wed, 14 Jul 2010 07:18:51 +0000

Hi,
Thanks for the plugin it works but with a small issue.
The IP the log is showing, does not correspond with the actual IP of the PC but the IP of the router, in my local network.

So, the IP banned is the router one.

Can you help with this?. Thanks

By: Odd Henriksen

Odd Henriksen — Sat, 17 Apr 2010 21:53:29 +0000

Thanks for this!

RoundCube’s ‘native’ error log (logs/errors) doesn’t specify the remote host address, at least not when using the settings I require.

I appreciate that you have taken the time to write this small but very useful plugin, and that you chose to share it with the rest of us.

By: phil

phil — Fri, 26 Mar 2010 12:37:22 +0000

Thanks for your work.

By: bill

bill — Wed, 17 Mar 2010 15:27:22 +0000

i put a post on howtoforge with all the correct syntaxes

http://howtoforge.com/forums/showthread.php?t=44168

By: bill

bill — Wed, 17 Mar 2010 14:57:22 +0000

I found another way of doing it without the plugin... actually it turns out 0.3.1 already logs auth errors (i don't know if previous versions did or not) i set mine up by editing the files as such... adjust the roundcube log path depending on your install setup - i installed mine manually i don't know where it normally installs to add this to /etc/fail2ban/jail.conf:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /usr/local/roundcube/logs/errors

create new file /etc/fail2ban/filter.d/roundcube.conf:

[Definition]
failregex = IMAP Error: Authentication for .* () failed ((?:LOGIN|AUTH)):
ignoreregex =

and that is it... roundcube auth failures will be banned using your default settings... or you could adjust the setup in jail.conf with these additions:

findtime = x (in seconds)
bantime = x (in seconds)
maxretry = x (attempts)

example, to setup a one hour ban for 5 failed login attempts within a 10 minute period: findtime = 600, bantime = 3600, maxretry = 5 also, you can setup rules for repeat offenders such as this (my example bans for 24 hours if a host suffers two 1 hour bans within a 6 hour period - aka they just won't take a hint): add this to /etc/fail2ban/jail.conf:

[roundcube-24hr]
enabled  = true
port     =  http,https
filter   = roundcube-24hr
logpath  = /var/log/fail2ban.log
maxretry = 2
findtime = 21600
bantime  = 86400

create /etc/fail2ban/filter.d/roundcube-24hr.conf:

[Definition]
failregex = [roundcube] Ban
ignoreregex =

By: Matt Rude

Matt Rude — Wed, 17 Mar 2010 05:17:57 +0000

Yep, I’m currently running it on a trunk install of RoundCube.

By: bill

bill — Sat, 13 Mar 2010 23:01:14 +0000

Does this work with 0.3.1 ?

By: [0.3] SMTP and webmail on same server - RoundCube Webmail Forum

[0.3] SMTP and webmail on same server - RoundCube Webmail Forum — Sat, 19 Sep 2009 14:16:43 +0000

[...] for your help. I haven't been able to find that plugin. However, I came acros this one: RoundCube Fail2Ban Plugin – Matt Rude . Does this plugin do what I want: Block the external IP of the client that is connecting and not [...]

By: [ErrorLog] Client IP Address - RoundCube Webmail Forum

[ErrorLog] Client IP Address - RoundCube Webmail Forum — Wed, 19 Aug 2009 15:00:26 +0000

[...] Fail2Ban Plugin Check out the RoundCube Fail2Ban Plugin also as a quick and easy way to do [...]