Have fail2ban monitor Roundcube authentication access errors

Discussion in 'Server Operation' started by billcouper81, Mar 17, 2010.

  1. billcouper81

    billcouper81 New Member

    I was searching on the net how I could use fail2ban for Roundcube webmail and I found many posts that had bits and pieces of information, but nothing complete... this works with the base installation of roundcube without any plugins

    I have this setup with roundcube 0.3.1 and it works fine

    Firstly, any IP that has 5 failed connection attempts within 10 minutes will get a 1 hour ban.... repeat offenders (2x 1hr bans within a 6hr period) will be banned for 24 hours...

    adjust the roundcube log file path depending on your installation setup

    add this to /etc/fail2ban/jail.conf:
    enabled  = true
    port     = http,https
    filter   = roundcube
    logpath  = /usr/local/roundcube/logs/errors
    maxretry = 5
    findtime = 600
    bantime = 3600
    enabled = true
    port = http,https
    filter = roundcube-24hr
    logpath = /var/log/fail2ban.log
    maxretry = 2
    findtime = 21600
    bantime = 86400

    create new file /etc/fail2ban/filter.d/roundcube.conf
    failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
    ignoreregex =

    create new file /etc/fail2ban/filter.d/roundcube-24hr.conf
    failregex = \[roundcube\] Ban <HOST>
    ignoreregex =
    you can use the setup style of the 24hr rule above to have cascading bans that increase in length the more repeats are made.. not just for roundcube obviously, but for anything fail2ban is monitoring...
  2. mastermind

    mastermind New Member

    In my standard install of RoundCube 0.3.1, the remote client host is not logged to 'logs/errors'. It says (for example):
    [17-Apr-2010 13:52:36 +0200]: IMAP Error: Authentication for <username> failed (LOGIN): "a001 NO Authentication failed." (POST /?_task=&_action=login)
    Instead of trying to find a way to amend the log format, I have found it sufficient to use the roundcube-fail2ban plugin (by Matt Rude).
  3. wahid

    wahid New Member

    For info: the roundcube-fail2ban plugin (by Matt Rude) works also out-of-th-box with Roundcube 0.4 Stable, fail2ban 0.8.3 under Debian Lenny.
  4. Leon Van Zyl

    Leon Van Zyl New Member

    Your regex roundcube-24hr.conf should rather match the Unban Notice in the log , as the repeat offender will be unbanned for the last offence after(thus override) the 24 hour ban action.

Share This Page