#1 billcouper81, 17th March 2010, 16:26

Have fail2ban monitor Roundcube authentication access errors

I was searching on the net for how I could use fail2ban for Roundcube webmail and I found many posts that had bits and pieces of information, but nothing complete... This works with the base installation of Roundcube without any plugins.

I have this set up with Roundcube 0.3.1 and it works fine.

Firstly, any IP that has 5 failed connection attempts within 10 minutes will get a 1 hour ban... Repeat offenders (2x 1hr bans within a 6hr period) will be banned for 24 hours...

Adjust the Roundcube log file path depending on your installation setup.

Add this to /etc/fail2ban/jail.conf:
Code:
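[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /usr/local/roundcube/logs/errors
# 5 failures within 600 s (10 minutes) -> 3600 s (1 hour) ban
maxretry = 5
findtime = 600
bantime = 3600

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
# reads fail2ban's own log and counts bans issued by the [roundcube] jail
logpath = /var/log/fail2ban.log
# 2 bans within 21600 s (6 hours) -> 86400 s (24 hours) ban
maxretry = 2
findtime = 21600
bantime = 86400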

Create new file /etc/fail2ban/filter.d/roundcube.conf:
Code:
[Definition]
failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
ignoreregex =

Create new file /etc/fail2ban/filter.d/roundcube-24hr.conf:
Code:
[Definition]
failregex = \[roundcube\] Ban <HOST>
ignoreregex =

You can use the setup style of the 24hr rule above to have cascading bans that increase in length the more repeats are made... not just for Roundcube obviously, but for anything fail2ban is monitoring...

#2 mastermind, 17th April 2010, 13:57

In my standard install of RoundCube 0.3.1, the remote client host is not logged to 'logs/errors'. It says (for example):
Code:
[17-Apr-2010 13:52:36 +0200]: IMAP Error: Authentication for <username> failed (LOGIN): "a001 NO Authentication failed." (POST /?_task=&_action=login)

Instead of trying to find a way to amend the log format, I have found it sufficient to use the roundcube-fail2ban plugin (by Matt Rude).

#3 wahid, 19th August 2010, 16:49

For info: the roundcube-fail2ban plugin (by Matt Rude) also works out-of-the-box with Roundcube 0.4 Stable, fail2ban 0.8.3 under Debian Lenny.
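Added example, not part of the original posts: a Python check of the first post's failregex against log lines in the layout quoted in the second post, with the [roundcube] jail's maxretry and findtime applied, showing that lines without a client address never produce a ban. The IPv4-only stand-in for `<HOST>`, the user name `alice`, the addresses and the host-bearing line layout are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag; the real
# expansion also accepts hostnames and IPv6 addresses.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from the first post, with <HOST> substituted.
FAILREGEX = re.compile(
    r"IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):"
    .replace("<HOST>", HOST))
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")
# maxretry and findtime from the [roundcube] jail.
MAXRETRY, FINDTIME = 5, timedelta(seconds=600)

def failures(lines):
    """Yield (timestamp, host) for each line the failregex matches."""
    for line in lines:
        hit, stamp = FAILREGEX.search(line), STAMP.match(line)
        if hit and stamp:
            when = datetime.strptime(stamp["ts"], "%d-%b-%Y %H:%M:%S %z")
            yield when, hit["host"]

def hosts_to_ban(lines):
    """Hosts that reach MAXRETRY matches inside one FINDTIME window."""
    recent, banned = {}, []
    for when, host in failures(lines):
        kept = [t for t in recent.get(host, []) if when - t <= FINDTIME]
        recent[host] = kept + [when]
        if len(recent[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def sample(host_part, minutes):
    """Constructed log lines in the layout quoted in the second post."""
    return [f"[17-Apr-2010 13:{m:02d}:36 +0200]: IMAP Error: Authentication "
            f'for alice{host_part} failed (LOGIN): "a001 NO Authentication failed."'
            for m in minutes]

WITH_HOST = sample(" (203.0.113.7)", range(5))       # 5 failures in 4 minutes
SLOW = sample(" (198.51.100.9)", range(0, 15, 3))    # 5 failures in 12 minutes
NO_HOST = sample("", range(5))                       # no client address logged

if __name__ == "__main__":
    for name, lines in [("with host", WITH_HOST), ("slow", SLOW), ("no host", NO_HOST)]:
        print(name, len(list(failures(lines))), hosts_to_ban(lines))
```

On a live system, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/roundcube.conf` performs the same match test against the real log with fail2ban's own `<HOST>` handling.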