Well, exactly.
But a first step would be to log correctly so I can block users with fail2ban, since not being able to connect to the site for e.g. 5 minutes is quite enough to ensure it takes him a long time until he gets passwords cracked.
I have the same setup for imap, pop3, imaps and pop3s, and I think it's quite a good solution.
Any script kiddie who can use AutoIt (for example) can do both: use an application to try cracking passwords and try to log in on Roundcube.
But indeed, I'd like to see a "lock user" function in Roundcube if too many bad logins have been made, which would rather be a feature request. Maybe both are, but I think the first one (IP address to log) can be done easily. Hopefully it's standard one day for Roundcube.
Kind regards,
// STi