Thread: RoundCube Fail2Ban Plugin

Originally Posted by oldschool

For me the jail looks like this on Opensuse 11.1:

--- schnipp ---
[roundcube]
# 0.3 and up plugin-support

enabled = false
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
sendmail-whois[name=RC-Webmail, dest=root@weiss-du-doch.nett, sender=fail2ban]
logpath = /srv/www/htdocs/webmail/logs/userlogins
--- schnapp ---


Rgds.

Thanks oldschool, I have added your configuration to my how to for this plugin.

I've got 2 Roundcube incarnations on a web hosters resource.
The one which triggers the localhosts IMAP does work.

The one which triggers another IMAP server on a different host does not work. The log\userlogins file gets entries, but I can do failures as many as I want, I'm not getting locked. Whats wrong? Of course RC plugin is active in the main config files array.

(rcdir\plugins\fail2ban\jail.conf)

Code:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /www/htdocs/blah/rc_sks/logs/errors
maxretry = 5
findtime = 300
bantime = 900

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
logpath = /www/htdocs/blah/rc_sks/logs/fail2ban.log
maxretry = 10
findtime = 1800
bantime = 86400

(rcdir\plugins\fail2ban\filter.d\roundcube.conf)

Code:

[Definition]
failregex = IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):
ignoreregex =

Thanks!

Originally Posted by ontnugtering

I've got 2 Roundcube incarnations on a web hosters resource.
The one which triggers the localhosts IMAP does work.

The one which triggers another IMAP server on a different host does not work. The log\userlogins file gets entries, but I can do failures as many as I want, I'm not getting locked. Whats wrong? Of course RC plugin is active in the main config files array.

(rcdir\plugins\fail2ban\jail.conf)

Code:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /www/htdocs/blah/rc_sks/logs/errors
maxretry = 5
findtime = 300
bantime = 900

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
logpath = /www/htdocs/blah/rc_sks/logs/fail2ban.log
maxretry = 10
findtime = 1800
bantime = 86400

(rcdir\plugins\fail2ban\filter.d\roundcube.conf)

Code:

[Definition]
failregex = IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):
ignoreregex =

Thanks!

Hi!

Your prob could have many causes.

For me i noticed the iptable action is not working very well and i switched to the "route"-ban command.

In your case i would you to try out your "failregex filter".
Many OSes interpreting this different.


Have a nice day!



Rgds.

Update for Opensuse 11.1:

--- schnipp ---
[roundcube]
# 0.3 and up plugin-support

enabled = true
filter = roundcube
action = route
sendmail-whois[name=RC-Webmail, dest=root@weiss-du-doch.nett, sender=fail2ban]
logpath = /srv/www/htdocs/webmail/logs/userlogins
--- schnapp ---

The Route-Ban Action:

--- schnipp ---
# Fail2Ban configuration file
[Definition]
actionban = ip route add unreachable <ip>;
actionunban = ip route del unreachable <ip>;
--- schnapp ---

The IP-Table ban action makes probs.
So this route-action is more usefull for Opensuse.




Rgds.

Why don't you just set imap rules for fail2ban?

Originally Posted by qnrq

Why don't you just set imap rules for fail2ban?

If you asked me:
As stated above, got some probs with MY opensuse systems.
So i decided to use the route command...

And the effect is the same: the blackhead is banned!




Rgds.

I'm trying to get this to work on IIS is there a semi- preconfigured folder or zip file? I have tried all the jail.conf and all that diffrent stuff and can't seem to get it to work...

IIRC there is no version of fail2ban for windows, do you have fail2ban installed?

(fail2ban is a bit of secuirty software, its nothing to do with roundcube)

Ya its installed but i just don't have it setup properly. There are many diffrent config version floating around i don't know which one to use.