HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   Have fail2ban monitor Roundcube authentication access errors (http://www.howtoforge.com/forums/showthread.php?t=44168)

billcouper81 17th March 2010 17:26

Have fail2ban monitor Roundcube authentication access errors
 
I was searching on the net how I could use fail2ban for Roundcube webmail and I found many posts that had bits and pieces of information, but nothing complete... this works with the base installation of roundcube without any plugins

I have this setup with roundcube 0.3.1 and it works fine

Firstly, any IP that has 5 failed connection attempts within 10 minutes will get a 1 hour ban.... repeat offenders (2x 1hr bans within a 6hr period) will be banned for 24 hours...

adjust the roundcube log file path depending on your installation setup


add this to /etc/fail2ban/jail.conf:
Code:

[roundcube]
enabled  = true
port    = http,https
filter  = roundcube
logpath  = /usr/local/roundcube/logs/errors
maxretry = 5
findtime = 600
bantime = 3600

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
logpath = /var/log/fail2ban.log
maxretry = 2
findtime = 21600
bantime = 86400


create new file /etc/fail2ban/filter.d/roundcube.conf
Code:

[Definition]
failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
ignoreregex =


create new file /etc/fail2ban/filter.d/roundcube-24hr.conf
Code:

[Definition]
failregex = \[roundcube\] Ban <HOST>
ignoreregex =

you can use the setup style of the 24hr rule above to have cascading bans that increase in length the more repeats are made.. not just for roundcube obviously, but for anything fail2ban is monitoring...

mastermind 17th April 2010 14:57

In my standard install of RoundCube 0.3.1, the remote client host is not logged to 'logs/errors'. It says (for example):
Code:

[17-Apr-2010 13:52:36 +0200]: IMAP Error: Authentication for <username> failed (LOGIN): "a001 NO Authentication failed." (POST /?_task=&_action=login)
Instead of trying to find a way to amend the log format, I have found it sufficient to use the roundcube-fail2ban plugin (by Matt Rude).

wahid 19th August 2010 17:49

For info: the roundcube-fail2ban plugin (by Matt Rude) works also out-of-th-box with Roundcube 0.4 Stable, fail2ban 0.8.3 under Debian Lenny.


All times are GMT +2. The time now is 21:12.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.