RoundCube Fail2Ban Plugin is a small plugin that writes failed login attempts to your syslog or to the userlogins log file. Using this information, Fail2Ban can block the offending client for a set amount of time. Best of all, the block happens at the IP level: it blocks the source IP address, not the user account they are trying to log in as.
Download
- tgz | zip | git – Version: 1.3 (2015-Sept-28)
- tgz | zip | git – Version: 1.2 (2014-Jul-26)
- tgz | zip | git – Version: 1.1 (2011-Jun-19)
- tgz | zip | git – Version: 1.0 (2009-Jul-09)
Install
- Place this plugin folder into the RoundCube plugins directory (roundcube/plugins/)
- Confirm the folder is named “fail2ban” after unzipping or untaring the download.
- Add fail2ban to $rcmail_config['plugins'] in your RoundCube config (config/main.inc.php)
Note: When downloading this plugin via git (http://github.com/mattrude/rc-plugin-fail2ban) you will need to create a directory called fail2ban and place fail2ban.php in there, ignoring the root directory in the downloaded archive. You may also run 'git clone git://github.com/mattrude/rc-plugin-fail2ban.git fail2ban' from the plugins directory.
Fail2Ban Setup
fail2ban/jail.conf:
[roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
logpath = /var/www/html/roundcube/logs/userlogins
Or, old-school setups used a configuration similar to:
[roundcube]
# 0.3 and up plugin-support
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
         sendmail-whois[name=RC-Webmail, [email protected], sender=fail2ban]
logpath = /srv/www/htdocs/webmail/logs/userlogins
fail2ban/filter.d/roundcube.conf:
[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
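As an added example (not part of the plugin or of fail2ban), this Python sketch models how the filter above turns userlogins lines into ban decisions: it expands <HOST>, extracts the address, and counts failures per IP inside a findtime window. The sample log lines are constructed, the IPv4-only host pattern is a simplified stand-in for fail2ban's own <HOST> expansion, and the function names and maxretry/findtime defaults are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for the group fail2ban substitutes for <HOST>
# (an assumption of this example, not fail2ban's real pattern).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = "FAILED login for .*. from <HOST>"  # from filter.d/roundcube.conf

def compile_failregex(failregex):
    # Without <HOST> there is no address to act on, so the filter is rejected.
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag; no address can be banned")
    return re.compile(failregex.replace("<HOST>", HOST))

def parse(line, rx):
    """Return (timestamp, ip) for a failed-login line, otherwise None."""
    m = re.match(r"\[(?P<ts>[^\]]+)\]: (?P<msg>.*)", line)
    hit = rx.search(m["msg"]) if m else None
    if not hit:
        return None
    # Matches the plugin's file-log prefix, PHP date format 'd-M-Y H:i:s O'.
    return datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S %z"), hit["host"]

def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=5, findtime=600):
    """IPs with at least maxretry failures within findtime seconds."""
    rx = compile_failregex(failregex)
    recent, banned = defaultdict(deque), []
    for line in lines:
        parsed = parse(line, rx)
        if parsed is None:
            continue
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE = [f"[18-Jun-2011 23:0{i}:00 -0400]: FAILED login for alice from 203.0.113.7"
          for i in range(5)]
SAMPLE += ["[18-Jun-2011 23:01:30 -0400]: FAILED login for bob from 198.51.100.9",
           "[18-Jun-2011 23:20:00 -0400]: FAILED login for bob from 198.51.100.9",
           "[18-Jun-2011 23:02:10 -0400]: Successful login for carol from 192.0.2.44"]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

If the web server sits behind a router or reverse proxy, the address in the log, and therefore the address returned here, is the proxy's, so check what the log actually records before enabling the jail.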
Support
If you require support, please post to the comments below.
Does this work with 0.3.1 ?
Yep, I’m currently running it on a trunk install of RoundCube.
I found another way of doing it without the plugin…
actually it turns out 0.3.1 already logs auth errors (i don’t know if previous versions did or not)
i set mine up by editing the files as such…
adjust the roundcube log path depending on your install setup – i installed mine manually i don’t know where it normally installs to
add this to /etc/fail2ban/jail.conf:
create new file /etc/fail2ban/filter.d/roundcube.conf:
and that is it… roundcube auth failures will be banned using your default settings… or you could adjust the setup in jail.conf with these additions:
example, to setup a one hour ban for 5 failed login attempts within a 10 minute period: findtime = 600, bantime = 3600, maxretry = 5
also, you can setup rules for repeat offenders such as this (my example bans for 24 hours if a host suffers two 1 hour bans within a 6 hour period – aka they just won’t take a hint):
add this to /etc/fail2ban/jail.conf:
create /etc/fail2ban/filter.d/roundcube-24hr.conf:
i put a post on howtoforge with all the correct syntaxes
http://www.howtoforge.com/forums/showthread.php?t=44168
Thanks for your work.
Thanks for this!
RoundCube’s ‘native’ error log (logs/errors) doesn’t specify the remote host address, at least not when using the settings I require.
I appreciate that you have taken the time to write this small but very useful plugin, and that you chose to share it with the rest of us.
Hi,
Thanks for the plugin it works but with a small issue.
The IP the log is showing, does not correspond with the actual IP of the PC but the IP of the router, in my local network.
So, the IP banned is the router one.
Can you help with this? Thanks
Thanks, it works great with RoundCube 0.4Stable and fail2ban 0.8.3-2 under Debian Lenny. Thanks again
Hi all fix issue
thanks all
Thank you
I’m using your plugin with rcguard and I modified rcguard a little with your code thus I can use the log output with my csf/lfd config, hope you don’t mind. Here’s the code from line 252 of function verify_recaptcha in rcguard latest version.
You are free and welcome to modify the code any way you wish 🙂
I can’t seem to get this plugin to work with .4 what exactly do i need to setup? I have done all the things said in the above messages is there just a folder i can drop in and make it work?
yup, the plugins folder, but you have to follow the full install for it to work.
I noticed that a failed login with a valid username will produce two log entries: one from the default roundcube log and one from this plugin. On the other hand, a failed login with an invalid username only produces a plugin log. Is this a bug in roundcube, the plugin, or is it expected behavior? Thanks.
It’s expected behavior. RoundCube doesn’t seem to log failed logins, so it’s pretty hard to block/lockout an IP address without knowing about them.
I had to make modifications to 3 files so that your plugin could work on Debian Lenny (Debian 5).
1. config/main.inc.php
2. /etc/fail2ban/jail.conf the logpath was incorrect. For Debian Lenny it should be
logpath=/usr/share/roundcube/logs/userlogins
3. the source code /usr/share/roundcube/plugins/fail2ban/fail2ban.php
It should have:
chmod("logs/userlogins",0600);
before and after the line:
error_log(…………);
Because something sets the permissions on that file after every write to an inaccessible 500 permissions(!!!). Yes, r-x------. We need 600 ie rw------- otherwise we get no info on failed login attempts.
(continued)
I didn't include the details for the first file you must modify on Debian Lenny:
1. /usr/share/roundcube/config/main.inc.php
You must add these 2 lines for it to work:
$rcmail_config['log_driver'] = 'file';
$rcmail_config['syslog_id'] = 'roundcube';
Thank you for adding this.
help please….
“logpath” for windows
c://logs/userlogins
is it right?
I have no idea, I don’t use Windows
After i have changed the “regex” in the configuration file this plugin works great.
Thanks a lot
Chris
Previously when I was using 0.3.1 on Ubuntu 9.04, I was able to get fail2ban working with roundcube without this plugin (it was actually logging the correct IP address in the normal roundcube errors log)… as I stated right at the top of this page
Now I am using 0.5 on Ubuntu 10.04, the normal errors log still works for me (ie. It shows the correct IP address of the remote system)
But.. the syntax of the log file changed and I CBF getting my regex to work cos I am not good at it… so I installed this plugin and sure enough I am getting the userlogins error log with the same IP addresses (correct ones)
I have setup fail2ban as per instructions. I can use fail2ban-regex to test my filter and it works. It finds matches in the log file. The jail is setup correctly and starts without errors.
I tested from a remote location today and was never banned after many many attempts… obviously I have done something wrong, or something has changed
jail.conf
filter.d/roundcube.conf
Like I said I have tested the regex against the log file and it finds matches. Enough matches that it should have banned (my default setting is 5 attempts in 10 minutes)
All my other jails are tested and working… just this roundcube jail doesn’t work at all
As a side note, here is the output of the log files compared:
logs/errors
logs/userlogins
If I could get a regex that works on the standard “errors” file, would that work?
I have also noted that both “errors” and “userlogins” have the same owner:group and permissions
So I can’t see why the jail isn’t working please help! 🙂
Hi bill,
I’m running Roundcube 0.5.3 on Debian Squeeze and these are the changes I made:
Change the jail-definition to look in logs/errors instead of logs/userlogins and change the regexp in the filter to the following:
.*Login failed for.*. from .
And like you said, there is no need for the plugin any longer, as Roundcube now logs failed logins by default.
Very nice and elegant way to solve the case where roundcube runs on the same server than the IMAP service. Previous courierauth would ban the IP of the server instead of banning the attacker.
Thanks!
Matt,
Would you submit these same patterns on http://www.sshguard.net/support/attacks/submit/ ? We’d be happy to implement them in SSHGuard.
cheers
mic
Many thx for this. It works like a charm !!
No luck making it work. Followed every single step. Check and re-checked.
It seems that the plugin is not loaded.
Please advise how to check…
Thanks!
it is working… in main.inc.php there are 2 places to specify the plugins… I need to make both to ‘fail2ban’ before it will load.
Thanks!
I can’t get this to work either, where was the 2nd place you specified it?
I had to create a plugins directory because there was not one – do I have to specify the location of that in the main.inc.php file?
Yes, you need to add the "fail2ban" to the $rcmail_config['plugins'] option in your main.inc.php file, see: http://trac.roundcube.net/browser/github/config/main.inc.php.dist
I did, but it still doesn’t work – Charles mentioned that he had to put it in two places in the config file so I was wondering what the other places was.
I had to create the /plugins directory as there wasn't one in the root of roundcube, then I put in your fail2ban in its own fail2ban directory in plugins – /var/www/html/roundcube/plugins/fail2ban/fail2ban.php I then added $rcmail_config['plugins'] = array('fail2ban'); to main.inc.php
I did notice that there was no plugins directory defined in main.inc.php like the log directory $rcmail_config['log_dir'] = 'logs/';
I tried $rcmail_config['plugin_dir'] = 'plugins/'; but it didn't seem to do anything
I’m puzzled why there wasn’t a plugins directory to begin with
Of note – I’m not using fail2ban/iptables service, I’m using apf and installing Brute Force Monitor since I can’t find a way to use fail2ban with apf (seems to only work with iptables)
What I do want to use your plugin for is to just get the IP logging in the log file for roundcube and then maybe try to get BFM to monitor it
Small fix to the logging, which should not have a fixed date format:
— fail2ban.php.orig 2011-06-18 23:09:28.000000000 -0400
+++ fail2ban.php 2012-08-06 05:16:55.000000000 -0400
@@ -22,7 +22,7 @@
if ($log_config == ‘syslog’){
syslog(LOG_WARNING, $log_entry);
} elseif ($log_config == ‘file’){
– error_log(‘[‘.date(‘d-M-Y H:i:s O’).”]: “.$log_entry.”
“, 3, “logs/userlogins”);
+ error_log(‘[‘.date(rcmail::get_instance()->config->get(‘log_date_format’)).”]: “.$log_entry.”
“, 3, “logs/userlogins”);
} else {
echo ‘WARNING!! The RoundCube Fail2Ban Plugin was unable to retrievethe log driver form the config, please check your config file for log_driver.’;
}
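Review bot: The replacement date() call on the + line has no fallback format. If log_date_format is not set in the RoundCube config, date() receives an empty format and the entry is written with a "[]: " prefix, which leaves fail2ban without a timestamp to measure findtime against. Consider passing the previous format as the default, for example config->get('log_date_format', 'd-M-Y H:i:s O'), and documenting that whatever format is configured must still be one fail2ban's date detection recognises. The "logs/userlogins" path on the same line is still hard-coded and relative, so it could be taken from the configured log directory in the same change.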
I’m trying to use fail2ban with Roundcube 0.8.1. Because roundcube now already logs login errors in the errors log like this:
[30-Aug-2012 12:18:01 +0800]: IMAP Error: Login failed for [email protected] from 1.2.3.4. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/shared/roundcubemail-0.8.1/program/include/rcube_imap.php on line 191 (POST /?_task=login&_action=login)
I’m not using the Roundcube plugin. However, I’m having trouble getting the regex to grab the IP address. I tried your regex:
.*Login failed for.*. from .
but it wasn’t triggered and I get the following error in /var/log/fail2ban.log at service startup:
2012-08-30 14:31:23,493 fail2ban.filter : ERROR No ‘host’ group in ‘.*Login failed for.*. from .’
If I use
.*Login failed for .*. from
It is triggered but in /var/log/fail2ban.log I see
2012-08-30 14:00:59,709 fail2ban.filter : WARNING Unable to find a corresponding IP address for 1.2.3.4.
(I changed the IP address for the post).
What is wrong please? Thanks
Check this:
https://grinux.wordpress.com/2012/09/04/make-fail2ban-monitor-roundcube-authentication-access/
vi /etc/fail2ban/jail.local
vi /etc/fail2ban/filter.d/roundcube.conf
from HOST $ with
stupid WordPress … look at http://www.sbshosting.biz/index.php?id=132#roundcube
Hello Matt. Thanks for the work!
I have a little problem dropping the IP connection.
The plugin works fine and adds to iptables the line to block the connection:
Chain fail2ban-roundcube (1 references)
target prot opt source destination
DROP all -- x.x.x.x anywhere
RETURN all -- anywhere anywhere
.. but I can connect, the system doesn't drop the connection.
Regards,
Jose.
Problem solved. My problem was that I use a custom port for Roundcube (not HTTP, HTTPS) and I added this in config file.
Regards.