
Thread: [ErrorLog] Client IP Address

  1. #1
    STiAT

    Hi guys,

    I've a little question:
    I'm a bit concerned about brute force attacks by script kiddies. Therefore, I'd like to "lock" IP addresses if too many login tries have been made by a certain IP address.

    I'd like to do this with fail2ban. The problem here is that Roundcube does not save the IP of the client in the log.

    I'd like to add this to the login and auth messages, and parse for those.
    Is the client IP stored anywhere, for example in the $conn object? Or will I have to read it manually out of the HTTP environment of Apache?

    Of course, I'd need to check for
    HTTP_X_FORWARDED_FOR and REMOTE_ADDR

    Kind regards,
    // STi

  2. #2
    JSkywalker

    But if someone DOES get access, and does not belong on your site, you should also block him, or not?

    So, I think, you need 2 things:
    1) a decent way in Roundcube to block a user after e.g. 3 wrong passwords.
    2) your solution to block user access to your site (using e.g. fail2ban)
    JSkywalker

    Dovecot 1.1.1 - Postfix 2.3.2 - Roundcube 0.2a - Opensuse 10.2
    Apache 2.2.3 - Php 5.2.6 - Mysql 5.0.26

  3. #3
    STiAT

    Well, exactly.
    But a first step would be to log correctly so I can block users with fail2ban, since not being able to connect to the site for e.g. 5 minutes is quite enough to ensure it takes him a long time until he gets passwords cracked.

    I have the same setup for imap, pop3, imaps and pop3s, and think it's quite a good solution.
    Any script kiddie who can use AutoIt (for example) can do both: use an application to try cracking passwords and try to log in on Roundcube.

    But indeed, I'd like to see a "lock user" function in Roundcube, if too many bad logins have been made, which would rather be a feature request. Maybe both are, but I think the first one (IP address to log) can be done easily. Hopefully it's standard one day for Roundcube.

    Kind regards,
    // STi
    Last edited by STiAT; 07-25-2008 at 02:52 PM.

  4. #4
    JSkywalker

    But a blocked user on IMAP is a blocked user on Roundcube...

    So, if IMAP is blocked after a few attempts, you should have reached what you want (informing the user that he/she is blocked is not needed for a script kid).

  5. #5
    STiAT

    Quote, originally posted by JSkywalker:
    > But a blocked user on IMAP is a blocked user on Roundcube...
    >
    > So, if IMAP is blocked after a few attempts, you should have reached what you want (informing the user that he/she is blocked is not needed for a script kid).

    True, but in this case false.
    I can't block the IP address of the IMAP client connecting, since roundcube connects as "localhost". Therefore, the failed login attempt is from localhost - which I had to ignore, since I'd block the whole webmail on failed webmail login attempts.

    That's why I need roundcube to log the IP of the user attempting to connect, to block http, https, and imap(s) / pop3(s).

    Kind regards,
    // STi

  6. #6
    STiAT

    Quick information on "how to get it working":

    Code:
    vi program/lib/imap.inc
    $conn->error    .= 'Authentication for ' . $user . ' (' . getenv("REMOTE_ADDR") . ') failed (LOGIN): "';
    $conn->error    .= 'Authentication for ' . $user . ' (' . getenv("REMOTE_ADDR") . ') failed (AUTH): "';

    In /etc/fail2ban/jail.conf (in my case):

    Code:
    [roundcube]
    enabled  = true
    port     = http,https
    filter   = roundcube
    action   = iptables-multiport[name=roundcube, port="http,https"]
    logpath  = /home/httpd/html/~roundcubemail/logs/errors

    In /etc/fail2ban/filter.d/roundcube.conf:

    Code:
    [Definition]
    failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
    ignoreregex =

    Kind regards,
    // STi
    Last edited by STiAT; 07-25-2008 at 08:49 PM.
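
The filter from the post above can be checked offline before it is trusted to ban addresses. The following is an added example, not part of the original post or of fail2ban: it substitutes a simplified IPv4-only group for `<HOST>` (an assumption) and runs the post's failregex over constructed log lines, including an unpatched line and a login name that itself contains a parenthesised address.

```python
import re
from collections import Counter

# failregex copied from the post's /etc/fail2ban/filter.d/roundcube.conf
FAILREGEX = r'IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):'

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag, which in the real
# tool also accepts IPv6 addresses and hostnames.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# Constructed sample lines using documentation addresses. The timestamp prefix
# and the quoted server reply are assumed; the message text follows the post.
SAMPLE_LOG = [
    '[25-Jul-2008 20:41:02] IMAP Error: Authentication for alice (203.0.113.7) failed (LOGIN): "a001 NO"',
    '[25-Jul-2008 20:41:05] IMAP Error: Authentication for alice (203.0.113.7) failed (AUTH): "a002 NO"',
    '[25-Jul-2008 20:41:09] IMAP Error: Authentication for bob (203.0.113.7) failed (LOGIN): "a003 NO"',
    '[25-Jul-2008 20:42:30] IMAP Error: Authentication for carol (198.51.100.4) failed (LOGIN): "a001 NO"',
    # Line as written by an unpatched imap.inc: no address, so nothing to ban.
    '[25-Jul-2008 20:43:00] IMAP Error: Authentication for dave failed (LOGIN): "a001 NO"',
    # Login name that itself contains a parenthesised address. The greedy ".*"
    # backtracks to the last "(addr) failed" pair, i.e. the one PHP appended.
    '[25-Jul-2008 20:44:00] IMAP Error: Authentication for x (192.0.2.99) failed (LOGIN): '
    '(198.51.100.4) failed (LOGIN): "a001 NO"',
]

def failed_host(line):
    """Return the address the filter attributes the failure to, or None."""
    m = PATTERN.search(line)
    return m.group('host') if m else None

def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry matching lines (findtime window ignored)."""
    hits = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(failed_host(line), '<-', line[23:])
    print('ban:', hosts_to_ban(SAMPLE_LOG))
```

On a live system, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/roundcube.conf` runs the real filter against the real log. If the webmail sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so every failure would be attributed to the proxy.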

  7. #7
    ddub

    Hello STiAT,

    Thanks for the tip!
    It works perfectly, and should definitely be added to Roundcube code!

    Regards.

  8. #8
    mdr

    RoundCube Fail2Ban Plugin

    Check out the RoundCube Fail2Ban Plugin also as a quick and easy way to do this.
