RoundCube Fail2Ban Plugin

RoundCube Fail2Ban Plugin is a small plugin that writes failed login attempts to your syslog or userlogins log file. Using this information, Fail2Ban will be able to block a user for a set amount of time. The best part: the block happens at the IP level, so it blocks the IP address, not the user they are trying to log in as.

Download

  • tgz | zip | git – Version: 1.3 (2015-Sept-28)
  • tgz | zip | git – Version: 1.2 (2014-Jul-26)
  • tgz | zip | git – Version: 1.1 (2011-Jun-19)
  • tgz | zip | git – Version: 1.0 (2009-Jul-09)

Install

  • Place this plugin folder into the RoundCube plugins directory (roundcube/plugins/)
  • Confirm the folder is named “fail2ban” after unzipping or untaring the download.
  • Add fail2ban to $rcmail_config['plugins'] in your RoundCube config (config/main.inc.php)

Note: When downloading this plugin via git (http://github.com/mattrude/rc-plugin-fail2ban) you will need to create a directory called fail2ban and place fail2ban.php in there, ignoring the root directory in the downloaded archive.  You may also run ‘git clone git://github.com/mattrude/rc-plugin-fail2ban.git fail2ban’ from the plugins directory.

Fail2Ban Setup

fail2ban/jail.conf:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
logpath  = /var/www/html/roundcube/logs/userlogins

Or, old school, use a configuration similar to:

[roundcube]
# 0.3 and up plugin-support

enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
           sendmail-whois[name=RC-Webmail, dest=you@example.com, sender=fail2ban]
logpath  = /srv/www/htdocs/webmail/logs/userlogins

fail2ban/filter.d/roundcube.conf:

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
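
An added example (not part of the plugin or of fail2ban) that checks failregex lines against sample log entries before a jail is relied on. The sample lines are constructed after the two log formats quoted in the comments below, HOST_GROUP is a simplified stand-in for fail2ban's <HOST> expansion, and ERRORS_STRICT is a hypothetical tightened pattern:

```python
import ipaddress
import re

# Simplified stand-in for the named group fail2ban substitutes for <HOST>;
# the real expansion differs between fail2ban versions (assumption).
HOST_GROUP = r"(?P<host>[\w\-.^_]+)"

# Constructed sample lines in the two log formats shown on this page.
USERLOGINS = "[23-Mar-2011 07:44:12 +0900]: FAILED login for bantest from 203.0.113.93"
ERRORS = ("[30-Aug-2012 12:18:01 +0800]: IMAP Error: Login failed for "
          "john@example.com from 203.0.113.4. AUTHENTICATE PLAIN: "
          "Authentication failed. in rcube_imap.php on line 191 "
          "(POST /?_task=login&_action=login)")

PLUGIN_FILTER = r"FAILED login for .*. from <HOST>"    # filter from this page
ERRORS_LOOSE = r"Login failed for .* from <HOST>"      # host group swallows the "."
ERRORS_STRICT = r"Login failed for .* from <HOST>\. "  # hypothetical tightened form


def compile_failregex(failregex):
    """Expand <HOST>; reject filters that can never yield an address."""
    if "<HOST>" not in failregex:
        raise ValueError("No 'host' group in %r" % failregex)
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def banned_host(failregex, line):
    """Return the IP address the filter would act on, or None.

    None means the line did not match, or the captured text is not a
    literal IP address (for example "203.0.113.4." with a trailing dot).
    """
    match = compile_failregex(failregex).search(line)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group("host")))
    except ValueError:
        return None


if __name__ == "__main__":
    for name, rx, line in [("plugin/userlogins", PLUGIN_FILTER, USERLOGINS),
                           ("plugin/errors", PLUGIN_FILTER, ERRORS),
                           ("loose/errors", ERRORS_LOOSE, ERRORS),
                           ("strict/errors", ERRORS_STRICT, ERRORS)]:
        print(name, "->", banned_host(rx, line))
```

On a real install, fail2ban-regex run against the actual log file and filter file gives the authoritative answer.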

Support

If you require support, please post to the comments below.

52 thoughts on “RoundCube Fail2Ban Plugin”

  1. Pingback: [ErrorLog] Client IP Address - RoundCube Webmail Forum

  2. Pingback: [0.3] SMTP and webmail on same server - RoundCube Webmail Forum

  3. I found another way of doing it without the plugin…

    actually it turns out 0.3.1 already logs auth errors (i don’t know if previous versions did or not)

    i set mine up by editing the files as such…

    adjust the roundcube log path depending on your install setup – i installed mine manually i don’t know where it normally installs to

    add this to /etc/fail2ban/jail.conf:

    [roundcube]
    enabled  = true
    port     = http,https
    filter   = roundcube
    logpath  = /usr/local/roundcube/logs/errors

    create new file /etc/fail2ban/filter.d/roundcube.conf:

    [Definition]
    failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
    ignoreregex =

    and that is it… roundcube auth failures will be banned using your default settings… or you could adjust the setup in jail.conf with these additions:

    findtime = x (in seconds)
    bantime = x (in seconds)
    maxretry = x (attempts)

    example, to setup a one hour ban for 5 failed login attempts within a 10 minute period: findtime = 600, bantime = 3600, maxretry = 5

    also, you can setup rules for repeat offenders such as this (my example bans for 24 hours if a host suffers two 1 hour bans within a 6 hour period – aka they just won’t take a hint):

    add this to /etc/fail2ban/jail.conf:

    [roundcube-24hr]
    enabled  = true
    port     =  http,https
    filter   = roundcube-24hr
    logpath  = /var/log/fail2ban.log
    maxretry = 2
    findtime = 21600
    bantime  = 86400

    create /etc/fail2ban/filter.d/roundcube-24hr.conf:

    [Definition]
    failregex = \[roundcube\] Ban <HOST>
    ignoreregex =
  4. Thanks for this!

    RoundCube’s ‘native’ error log (logs/errors) doesn’t specify the remote host address, at least not when using the settings I require.

    I appreciate that you have taken the time to write this small but very useful plugin, and that you chose to share it with the rest of us.

  5. Hi,
    Thanks for the plugin it works but with a small issue.
    The IP the log is showing, does not correspond with the actual IP of the PC but the IP of the router, in my local network.

    So, the IP banned is the router one.

    Can you help with this?. Thanks

  6. Hi all fix issue

    [roundcube-24hr]
    enabled  = true
    port     =  http,https
    action   = iptables-multiport[name=roundcube24, port="http,https",protocol=tcp]
               sendmail-whois[name=RC-Webmail, dest=root@localhost, sender=fail2ban@localhost]
    filter   = roundcube-24hr
    logpath  = /var/log/fail2ban.log
    maxretry = 2
    findtime = 21600
    bantime  = 86400
    

    thanks all

  7. I’m using your plugin with rcguard and I modified rcguard a little with your code thus I can use the log output with my csf/lfd config, hope you don’t mind. Here’s the code from line 252 of function verify_recaptcha in rcguard latest version.

  8. I can’t seem to get this plugin to work with .4 what exactly do i need to setup? I have done all the things said in the above messages is there just a folder i can drop in and make it work?

  9. I noticed that a failed login with a valid username will produce two log entries: one from the default roundcube log and one from this plugin. On the other hand, a failed login with an invalid username only produces a plugin log. Is this a bug in roundcube, the plugin, or is it expected behavior? Thanks.

  10. I had to make modifications to 3 files so that your plugin could work on Debian Lenny (Debian 5).

    1. config/main.inc.php
    2. /etc/fail2ban/jail.conf the logpath was incorrect. For Debian Lenny it should be
    logpath=/usr/share/roundcube/logs/userlogins
    3. the source code /usr/share/roundcube/plugins/fail2ban/fail2ban.php
    It should have:
    chmod("logs/userlogins",0600);
    before and after the line:
    error_log(…………);
    Because something sets the permissions on that file after every write to an inaccessible 500 permissions(!!!). Yes, r-x——. We need 600 ie rw——- otherwise we get no info on failed login attempts.

    • (continued)
      I didnt include the details for the first file you must modify on Debian Lenny:
      1. /usr/share/roundcube/config/main.inc.php
      You must add these 2 lines for it to work:
      $rcmail_config['log_driver'] = 'file';
      $rcmail_config['syslog_id'] = 'roundcube';

  11. Previously when I was using 0.3.1 on Ubuntu 9.04, I was able to get fail2ban working with roundcube without this plugin (it was actually logging the correct IP address in the normal roundcube errors log)… as I stated right at the top of this page

    Now I am using 0.5 on Ubuntu 10.04, the normal errors log still works for me (ie. It shows the correct IP address of the remote system)

    But.. the syntax of the log file changed and I CBF getting my regex to work cos I am not good at it… so I installed this plugin and sure enough I am getting the userlogins error log with the same IP addresses (correct ones)

    I have setup fail2ban as per instructions. I can use fail2ban-regex to test my filter and it works. It finds matches in the log file. The jail is setup correctly and starts without errors.

    I tested from a remote location today and was never banned after many many attempts… obviously I have done something wrong, or something has changed

    jail.conf

    [roundcube]
    enabled  = true
    port     = http,https
    filter   = roundcube
    logpath  = /usr/share/roundcube/logs/userlogins

    filter.d/roundcube.conf

    [Definition]
    failregex = FAILED login for .*. from <HOST>
    ignoreregex =

    Like I said I have tested the regex against the log file and it finds matches. Enough matches that it should have banned (my default setting is 5 attempts in 10 minutes)

    All my other jails are tested and working… just this roundcube jail doesn’t work at all

    As a side note, here is the output of the log files compared:

    logs/errors

    [23-Mar-2011 07:44:12 +0900]: IMAP Error: Login failed for bantest@ictnt.com from
    203.10.224.93. LOGIN: Login failed. in /usr/share/roundcube/program/include/rcube_imap.php
    on line 192 (POST /webmail/?_task=login&_action=login)

    logs/userlogins

    [23-Mar-2011 07:44:12 +0900]: FAILED login for bantest from 203.10.224.93

    If I could get a regex that works on the standard “errors” file, would that work?

    I have also noted that both “errors” and “userlogins” have the same owner:group and permissions

    -rw-r--r-- www-data:www-data

    So I can’t see why the jail isn’t working please help! 🙂

    • Hi bill,

      I’m running Roundcube 0.5.3 on Debian Squeeze and these are the changes I made:

      Change the jail-definition to look in logs/errors instead of logs/userlogins and change the regexp in the filter to the following:
      .*Login failed for.*. from .

      And like you said, there is no need for the plugin any longer, as Roundcube now logs failed logins by default.

  12. Woah! I’m really digging the template/theme of this site. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and visual appearance. I must say you have done a fantastic job with this. Additionally, the blog loads very fast for me on Safari. Excellent Blog!

  13. Very nice and elegant way to solve the case where roundcube runs on the same server as the IMAP service. Previous courierauth would ban the IP of the server instead of banning the attacker.

    Thanks!

  14. No luck making it work. Followed every single step. Check and re-checked.

    It seems that the plugin is not loaded.

    Please advise how to check…

    Thanks!

  15. I did, but it still doesn’t work – Charles mentioned that he had to put it in two places in the config file so I was wondering what the other places was.

    I had to create the /plugins directory as there wasn’t one in the root of roundcube, then I put in your fail2ban in its own fail2ban directory in plugins – /var/www/html/roundcube/plugins/fail2ban/fail2ban.php I then added $rcmail_config['plugins'] = array('fail2ban'); to main.inc.php

    I did notice that there was no plugins directory defined in main.inc.php like the log directory $rcmail_config['log_dir'] = 'logs/';
    I tried $rcmail_config['plugin_dir'] = 'plugins/'; but it didn’t seem to do anything

    I’m puzzled why there wasn’t a plugins directory to begin with

    Of note – I’m not using fail2ban/iptables service, I’m using apf and installing Brute Force Monitor since I can’t find a way to use fail2ban with apf (seems to only work with iptables)

    What I do want to use your plugin for is to just get the IP logging in the log file for roundcube and then maybe try to get BFM to monitor it

  16. Small fix to the logging, which should not have a fixed date format:
    — fail2ban.php.orig 2011-06-18 23:09:28.000000000 -0400
    +++ fail2ban.php 2012-08-06 05:16:55.000000000 -0400
    @@ -22,7 +22,7 @@
    if ($log_config == ‘syslog’){
    syslog(LOG_WARNING, $log_entry);
    } elseif ($log_config == ‘file’){
    – error_log(‘[‘.date(‘d-M-Y H:i:s O’).”]: “.$log_entry.”
    “, 3, “logs/userlogins”);
    + error_log(‘[‘.date(rcmail::get_instance()->config->get(‘log_date_format’)).”]: “.$log_entry.”
    “, 3, “logs/userlogins”);
    } else {
    echo ‘WARNING!! The RoundCube Fail2Ban Plugin was unable to retrievethe log driver form the config, please check your config file for log_driver.’;
    }
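
    Review bot: On the added error_log line, date() is given rcmail::get_instance()->config->get('log_date_format') with no fallback, so an install where log_date_format is not set would get an empty timestamp where the removed line always wrote 'd-M-Y H:i:s O'. Fall back to that old format string when the config value is empty, and say in the plugin's Fail2Ban setup notes that whatever format is configured has to stay one fail2ban can parse, since the jail reads its timestamps from logs/userlogins.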

  17. I’m trying to use fail2ban with Roundcube 0.8.1. Because roundcube now already logs login errors in the errors log like this:

    [30-Aug-2012 12:18:01 +0800]: IMAP Error: Login failed for john@domain.com from 1.2.3.4. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/shared/roundcubemail-0.8.1/program/include/rcube_imap.php on line 191 (POST /?_task=login&_action=login)

    I’m not using the Roundcube plugin. However, I’m having trouble getting the regex to grab the IP address. I tried your regex:

    .*Login failed for.*. from .

    but it wasn’t triggered and I get the following error in /var/log/fail2ban.log at service startup:

    2012-08-30 14:31:23,493 fail2ban.filter : ERROR No ‘host’ group in ‘.*Login failed for.*. from .’

    If I use

    .*Login failed for .*. from <HOST>

    It is triggered but in /var/log/fail2ban.log I see

    2012-08-30 14:00:59,709 fail2ban.filter : WARNING Unable to find a corresponding IP address for 1.2.3.4.

    (I changed the IP address for the post).

    What is wrong please? Thanks

  18. vi /etc/fail2ban/jail.local

    [roundcube]
     
    enabled = true
    port = http,https
    filter = roundcube
    logpath = /var/log/syslog
    bantime  = 31536000
    maxretry = 10

    vi /etc/fail2ban/filter.d/roundcube.conf

    # Fail2Ban configuration file
    #
    [INCLUDES]
    #
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    #
    [Definition]
    failregex = ^%(__prefix_line)sFAILED login for .* from <HOST>$
    #
    ignoreregex =
    #
    # EOF
    
  19. Hello Matt. Thanks for the work!

    I have a little problem with dropping the IP connection.

    The plugin works fine and adds to iptables the line to block the connection:

    Chain fail2ban-roundcube (1 references)
    target prot opt source destination
    DROP all -- x.x.x.x anywhere
    RETURN all -- anywhere anywhere

    .. but I can connect, the system doesn’t drop the connection.

    Regards,
    Jose.
