Easy RoundCube (Over SSL) And Webmin With fail2ban For ISPConfig 3 On Debian Squeeze

Author: Thomas (http://iopen.gr)
Last edited: 2011-03-09

I prefer the RoundCube solution over the default in ISPConfig 3. I also find it useful to have the webmin installed in all my systems. In this post you can see a very fast way to have both of them installed, in companion with the great support of fail2ban. Finally I want to access all of them over SSL (even phpmyadmin -- see the tip in the end).

I assume that you have followed falko's guide:

The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]

If you want to access ISPConfig Panel and webmail through SSL I also assume that you followed the chapter 6.2 Enabling SSL For The ISPConfig Web Interface of The ISPConfig 3 manual  or this post (this is only needed if you want to access the control panel AND the webmail interface through ssl on port 8080).

If you followed the above (and chapter 6.3 -- enabling SuExec), then I finally assume that you read the workaround in this post.

 

Webmin

Download the latest webmin from http://www.webmin.com/download.html...

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb

... and install it:

dpkg -i webmin_1.530_all.deb

 

RoundCube

If you don't want Squirrelmail remove it...

apt-get remove squirrelmail

... and delete the file /etc/apache2/conf.d/squirrelmail.conf:

rm /etc/apache2/conf.d/squirrelmail.conf

OR if you want it edit the /etc/apache2/conf.d/squirrelmail.conf and change the alias to something like 'webmail1'.

Install RoundCube (you MUST have the mysql administrator's password before you proceed) :

apt-get install roundcube roundcube-mysql

You will be asked some questions about the password of the db administrator and the new user for roundcube and his database (and the password). Answer those questions and continue. If something goes wrong you can always run:

dpkg-reconfigure roundcube-core

For more information, please see this post.

For everyone to be able to access his webmail (under his domain name) you have to create or edit the file /etc/apache2/conf.d/roundcube.conf so as to set the alias to 'webmail'. If you want SSL you should include the last two directives to have Apache ALWAYS redirect to your ssl installation of ISPConfig 3.

# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
# Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
Alias /webmail /var/lib/roundcube
Alias /roundcube /var/lib/roundcube

# Access to tinymce files
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>

<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>

<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>

<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>




<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /webmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:8080%{REQUEST_URI} [L]

</Location>
</IfModule>
</IfModule>

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /roundcube>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:8080%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

Edit /var/lib/roundcube/config/main.inc.php and EDIT some variables in the file:

auto_create_user = TRUE;
$rcmail_config['default_host'] = 'localhost';

If you want to install the following plugin (the logger that helps fail2ban) you have to extend the list of plugins in the same file. If the only plugin is the one that will be istalled right afterward you have to edit the line as below:

$rcmail_config['plugins'] = array('fail2ban'); 

Install the roundcube logger plugin form http://mattrude.com/projects/roundcube-fail2ban-plugin/.

Basically you have to download the above file (fail2ban.php) and paste it in the fail2ban folder in the plugins folder of roundcube: /usr/share/roundcube/plugins/fail2ban/fail2ban.php

This plugin will first create and then update the log file with each login attempt: /var/log/roundcube/userlogins

 

Fail2ban

Extend the jail.local file that Falko suggests in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3]: /etc/fail2ban/jail.local

You have to paste:

[roundcube]
enabled  = true
port     = http,8080
filter   = roundcube
logpath  = /var/log/roundcube/userlogins
maxretry = 5
[webmin-auth]
enabled = true
port    = 10000
filter  = webmin-auth
logpath  = /var/log/auth.log
maxretry = 3 

The 8080 port in roundcube is only needed if you enabled the redirection to https.

Last (and very important) don't forget to create the roundcube.conf file /etc/fail2ban/filter.d/roundcube.conf with the contents below:

[Definition]
failregex = FAILED login for .*. from <host>
ignoreregex =

Lucky us the webmin-auth filter is already done for us by the fail2ban guys. Restart fail2ban:

/etc/init.d/fail2ban restart

 

phpMyAdmin (SSL Tip)

If you want to access phpMyAdmin over ssl, you can apply the same tip as with RoundCube. Edit the file /etc/apache2/conf.d/phpmyadmin.conf and paste the following lines at the end of the file:

<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /phpmyadmin>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}:8080%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

After this, restart Apache:

/etc/init.d/apache2 restart
Share this page:

3 Comment(s)