Author Topic: RoundCube Fail2Ban Plugin  (Read 17182 times)

mdr
« on: July 09, 2009, 09:20:29 AM »
I have been asked to build a plugin to allow Fail2Ban logging output from Roundcube.  Last night I got around to doing it.

RoundCube Fail2Ban Plugin is a small plugin that will display failed login attempts to your syslog or userlogins log file. Using this information, Fail2Ban will be able to block a user for a set amount of time. The best part: the block is at the IP level and blocks the IP address, not the user they are trying to log in as.

You should be able to just drop the top folder in your plugins directory and add the entry to your main.php.

RoundCube Fail2Ban Plugin

If you have any questions, let me know.
-Matt
« Last Edit: November 18, 2009, 09:07:25 PM by mdr »

oldschool
« Reply #1 on: July 14, 2009, 02:29:16 PM »
Niiice, will have a try...


Thanx!

JohnDoh
« Reply #2 on: July 15, 2009, 03:36:00 PM »
thanks for the plugin. please consider adding it to the Plugin_Repository
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

oldschool
« Reply #3 on: July 30, 2009, 02:28:15 PM »
I would like to inform you all it's working great on Suse 11.1 after small modifications.

:-)



Rgds.

mdr
« Reply #4 on: August 02, 2009, 12:21:18 PM »
Great, it was built on Fedora, I'm glad it works under Suse. What modifications did you need to make?


JohnDoh, I have added it to the list, and I would like to thank you for the SpamAssassin User Prefs plugin.  I have been using it since before it was a plugin, and it has always been a great feature.
« Last Edit: August 02, 2009, 12:36:47 PM by mdr »

oldschool
« Reply #5 on: August 02, 2009, 02:09:46 PM »
Hi!

The jail.conf needs little modifications...


Thanx!

mdr
« Reply #6 on: August 16, 2009, 10:20:24 PM »
oldschool, how did you need to modify the jail.conf file?

jannol
« Reply #7 on: August 22, 2009, 11:51:17 PM »
Very nice. Working just as it should I think, only thing is that when banned the login page just sits there trying to login forever pretty much.

Should it display some sort of message or something at login page?

I am using debian lenny and one little "special thingy" with my install is php-mdb2-driver-mysql_1.5.0b from backports to get mysql working with roundcube.

oldschool
« Reply #8 on: August 24, 2009, 01:30:31 PM »
For me the jail looks like this on Opensuse 11.1:

--- schnipp ---
[roundcube]
# 0.3 and up plugin-support

enabled  = false
port      = http,https
filter     = roundcube
action   = iptables-multiport[name=roundcube, port=http,https]
           sendmail-whois[name=RC-Webmail, dest=root@weiss-du-doch.nett, sender=fail2ban]
logpath  = /srv/www/htdocs/webmail/logs/userlogins
--- schnapp ---


Rgds.

Wake
« Reply #9 on: August 26, 2009, 01:29:39 PM »
GOOD plugin

mdr
« Reply #10 on: September 19, 2009, 01:49:45 PM »
Quote from: jannol;20719
... only thing is that when banned the login page just sits there trying to login forever pretty much.

Should it display some sort of message or something at login page?


jannol, since the client is blocked at the IP level and not via RoundCube, the blocked user is no longer "talking" to your webserver, so we cannot show a message saying anything.

If the blocked client were to do a refresh they should get a "Server not found" type message since the webserver will no longer respond to that client's IP address.

mdr
« Reply #11 on: September 19, 2009, 01:57:43 PM »
Quote from: oldschool;20757
For me the jail looks like this on Opensuse 11.1:

--- schnipp ---
[roundcube]
# 0.3 and up plugin-support

enabled  = false
port      = http,https
filter     = roundcube
action   = iptables-multiport[name=roundcube, port=http,https]
           sendmail-whois[name=RC-Webmail, dest=root@weiss-du-doch.nett, sender=fail2ban]
logpath  = /srv/www/htdocs/webmail/logs/userlogins
--- schnapp ---


Rgds.


Thanks oldschool, I have added your configuration to my how to for this plugin.

oldschool
« Reply #12 on: September 20, 2009, 05:49:21 AM »
I just noticed it has to be "enabled = true"...
;-)


Rgds.

ontnugtering
« Reply #13 on: May 27, 2010, 09:27:25 AM »
I've got 2 Roundcube incarnations on a web hoster's resource.
The one which triggers the localhost's IMAP does work.

The one which triggers another IMAP server on a different host does not work. The log\userlogins file gets entries, but I can do as many failures as I want, I'm not getting locked. What's wrong? Of course the RC plugin is active in the main config file's array.

(rcdir\plugins\fail2ban\jail.conf)
Code:
[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /www/htdocs/blah/rc_sks/logs/errors
maxretry = 5
findtime = 300
bantime = 900

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
logpath = /www/htdocs/blah/rc_sks/logs/fail2ban.log
maxretry = 10
findtime = 1800
bantime = 86400


(rcdir\plugins\fail2ban\filter.d\roundcube.conf)
Code:
[Definition]
failregex = IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):
ignoreregex =


Thanks!

oldschool
« Reply #14 on: May 27, 2010, 11:53:03 AM »
Quote from: ontnugtering;27693
I've got 2 Roundcube incarnations on a web hoster's resource.
The one which triggers the localhost's IMAP does work.

The one which triggers another IMAP server on a different host does not work. The log\userlogins file gets entries, but I can do as many failures as I want, I'm not getting locked. What's wrong? Of course the RC plugin is active in the main config file's array.

(rcdir\plugins\fail2ban\jail.conf)
Code:
[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /www/htdocs/blah/rc_sks/logs/errors
maxretry = 5
findtime = 300
bantime = 900

[roundcube-24hr]
enabled = true
port = http,https
filter = roundcube-24hr
logpath = /www/htdocs/blah/rc_sks/logs/fail2ban.log
maxretry = 10
findtime = 1800
bantime = 86400

(rcdir\plugins\fail2ban\filter.d\roundcube.conf)
Code:
[Definition]
failregex = IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):
ignoreregex =

Thanks!

Hi!

Your prob could have many causes.

For me, I noticed the iptables action is not working very well and I switched to the "route"-ban command.

In your case I would advise you to try out your "failregex filter".
Many OSes interpret this differently.


Have a nice day!



Rgds.
« Last Edit: December 06, 2010, 05:02:00 AM by oldschool »
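
Added example, not part of the thread and not the plugin's own code: one way to try out a failregex offline, as the last reply suggests, and to see whether the failures it matches would reach the `maxretry`/`findtime` thresholds from the posted jail. Fail2Ban needs a `<HOST>` tag in `failregex` to know which address to ban, and the regex as shown in the thread has none; the `<HOST>` variant, the simplified IPv4 pattern, and the log lines below are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for what fail2ban substitutes for <HOST> (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex exactly as it appears in the thread, and an assumed variant
# with <HOST> placed inside the parentheses that the posted regex leaves empty.
PAGE_REGEX = r"IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):"
HOST_VARIANT = r"IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):"

# Constructed log lines (timestamp layout and client IP in parentheses are assumptions).
SAMPLE_LOG = """\
[2010-05-27 09:00:01] IMAP Error: Authentication for alice (192.0.2.10) failed (LOGIN): "NO"
[2010-05-27 09:00:40] IMAP Error: Authentication for alice (192.0.2.10) failed (LOGIN): "NO"
[2010-05-27 09:01:15] IMAP Error: Authentication for bob (198.51.100.7) failed (AUTH): "NO"
[2010-05-27 09:02:02] IMAP Error: Authentication for root (192.0.2.10) failed (LOGIN): "NO"
[2010-05-27 09:03:30] IMAP Error: Authentication for admin (192.0.2.10) failed (LOGIN): "NO"
[2010-05-27 09:04:10] IMAP Error: Authentication for alice (192.0.2.10) failed (LOGIN): "NO"
[2010-05-27 09:20:00] IMAP Error: Authentication for bob (198.51.100.7) failed (LOGIN): "NO"
"""

def find_failures(failregex, log_text):
    """Return (timestamp, ip) for every log line the filter would count."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, so no address can be banned")
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        stamp = re.match(r"\[(.+?)\]", line)
        if m and stamp:
            when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
            hits.append((when, m.group("host")))
    return hits

def would_ban(hits, maxretry, findtime):
    """IPs with at least maxretry failures inside a findtime-second window."""
    banned, by_ip = set(), {}
    for when, ip in sorted(hits):
        times = by_ip.setdefault(ip, [])
        times.append(when)
        # Forget failures that have aged out of the sliding window.
        while when - times[0] > timedelta(seconds=findtime):
            times.pop(0)
        if len(times) >= maxretry:
            banned.add(ip)
    return banned
```

On a live system, Fail2Ban's own `fail2ban-regex` tool runs a filter file against the real log named in `logpath` and reports how many lines matched.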