Topic: [Solved] Roundcube & fail2ban

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
[Solved] Roundcube & fail2ban
« on: July 10, 2012, 10:24:10 PM »
Hi there,

I want fail2ban to prevent too many login attempts from attackers.
I'm using Debian 6.0.5, roundcube 0.7.1 from backports and fail2ban 0.8.4(-3).
I know that there is a fail2ban roundcube plugin, and I know it's mainly useless since roundcube can log (from 0.2 or 0.3) failed auth. attempts (as well as successful ones, but that's out of subject).

When unsuccessful logins are made against my roundcube installation, I get these log lines in /var/log/user.log:

Code:
/var/log/user.log:Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)

I want fail2ban to take action against these log lines.

I have this rule in /etc/fail2ban/jail.local:

Code:
[roundcube]

enabled  = true
port     = http,https
filter   = roundcube-local
logpath  = /var/log/user.log
maxretry = 3

And I tried these regexps in /etc/fail2ban/filter.d/roundcube-local.conf:

Code:
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>
Code:
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>.*$
Code:
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>.*

The main problem is that I'm hopeless with regexps. I could find examples by googling, but they always seem to refer to very old versions of roundcube or match against the fail2ban roundcube plugin, and it seems that the logs changed again and again in the meantime.

Any clue, someone?

Help will be warmly welcomed.

Thanks for reading :)

« Last Edit: July 17, 2012, 08:53:27 PM by SKaero »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Roundcube & fail2ban
« Reply #1 on: July 10, 2012, 11:53:33 PM »
I'm not great at regex and I've assumed that it's like standard regex in PHP; if that's the case then this should work:
Code:
roundcube: IMAP Error: Login failed for (.*?) from (.*?).

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
Re: Roundcube & fail2ban
« Reply #2 on: July 12, 2012, 07:39:07 PM »
SKaero,

Thanks a lot for your reply and your attempt to solve this.

Quote
I'm not great at regex and I've assumed that it's like standard regex in PHP; if that's the case then this should work:
roundcube: IMAP Error: Login failed for (.*?) from (.*?).

Unfortunately it won't. I don't know about (.*?) (though it _seems_ that only .* or (.*) would be valid), but fail2ban's built-in regexps read:
Quote
#          The host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

So (.*?) won't do it, since fail2ban needs to know exactly what the "host" IP address is.

I believe that the roundcube forum is not the right place for this question, and that fail2ban ML may be more appropriate.
I'll be happy to post the solution here as soon as I (hopefully) get it.

Stay tuned and thanks again for your support, that is greatly appreciated :)

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Roundcube & fail2ban
« Reply #3 on: July 12, 2012, 10:45:18 PM »
I see, then they aren't using standard PHP regex. At least I tried, good luck finding a correct answer.

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
Re: Roundcube & fail2ban
« Reply #4 on: July 13, 2012, 08:36:09 PM »
Hello to everyone who may be interested in this subject (i.e. having Fail2Ban protect _recent_ versions of RoundCube) ;)

I found the solution by myself... Carefully digging into the documentation always helps :)
Note that my config files mainly relate to Debian (6), so your setup may vary.
The failed login attempt lines logged by roundcube may also vary, in which case my post won't be that useful to you. But I believe that these lines are pretty consistent for _recent_ versions of roundcube (and that they hopefully won't change AGAIN).

So far I had always been trying a new regexp in my /etc/fail2ban/filter.d/roundcube-local.conf, reloading fail2ban, and sending a bad login/password to roundcube until the login attempt limit I set was reached. Not that handy: after the 6th or 7th regexp you don't really remember what you already tried...

So here's the thing:
In your filter, you can define multiple regexps:

Code:
failregex = regexp1
                  regexp2
                  regexp3
                  AndSoOn

Then you can run fail2ban-regex like this:
fail2ban-regex /your/log /your/filter

Which, in my case, would give something like this:

Code:
fail2ban-regex /var/log/user.log /etc/fail2ban/filter.d/roundcube-local.conf

That will show you which regexp matches. Once you know it, you can edit your filter again to keep only that one.

Now, if (as I believe) recent versions of RoundCube (i.e. 0.7 for sure and probably all versions >= 0.5) all log the same kind of message, you don't have to go through all that hassle. Here is the correct regexp to fill in:

Code:
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>\..*$

Of course, if your roundcube doesn't use clear-text IMAP (but IMAPS or POP(S), even though I believe that this last option is not possible), you may want to replace it with:

Code:
roundcube: .* Error: Login failed for .* from <HOST>\..*$

(Note that I have not tested this).

Hope this helps :)

SKaero, thanks again for your help :)

Cheers.

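As an added example (not from the thread or from fail2ban itself), here is a small Python harness that does what fail2ban-regex does for the candidate failregex lines above: it expands the <HOST> tag into the named group quoted earlier in the thread and runs each candidate over a log line constructed from the one in the first post (1.2.3.4 is a placeholder). It shows what each candidate captures as the host and whether that capture parses as an address that could actually be banned, which is where the `\.` before `.*$` makes the difference.

```python
import ipaddress
import re

# fail2ban 0.8 expands the <HOST> tag into this named group (quoted earlier in the thread).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample, modelled on the log line quoted in the first post; 1.2.3.4 is a placeholder.
SAMPLE_LOG = (
    "Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin "
    "from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in "
    "/usr/share/roundcube/program/include/rcube_imap.php on line 205 "
    "(POST /wmail/?_task=login&_action=login)"
)

# The failregex variants tried in the thread, keyed by a short label.
CANDIDATES = {
    "bare":   r"roundcube: IMAP Error: Login failed for .* from <HOST>",
    "dotall": r"roundcube: IMAP Error: Login failed for .* from <HOST>.*$",
    "solved": r"roundcube: IMAP Error: Login failed for .* from <HOST>\..*$",
}


def expand_host_tag(failregex):
    """Replace the <HOST> alias with the real named group, as fail2ban does."""
    return failregex.replace("<HOST>", HOST_TAG)


def extract_host(failregex, line):
    """Return the text captured as <HOST>, or None if the failregex does not match."""
    match = re.search(expand_host_tag(failregex), line)
    return match.group("host") if match else None


def is_bannable(host):
    """A ban needs a parseable address; a capture with a trailing dot ('1.2.3.4.') is not one."""
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def evaluate(candidates=CANDIDATES, line=SAMPLE_LOG):
    """Map each candidate label to (captured host, bannable?) for the sample line."""
    results = {}
    for label, failregex in candidates.items():
        host = extract_host(failregex, line)
        results[label] = (host, is_bannable(host))
    return results
```

Running evaluate() shows that the first two candidates capture the host with the trailing sentence dot included, while the solved regexp forces the character class to stop before it.
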
Offline oldschool

  • Sr. Member
  • ****
  • Posts: 406
Re: Roundcube & fail2ban
« Reply #5 on: July 14, 2012, 11:26:09 PM »
(Note that I have not tested this).

:o


Rgds.

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
Re: Roundcube & fail2ban
« Reply #6 on: July 17, 2012, 02:30:44 PM »
Quote
:o

... I'm not really sure of what you meant... Any real sentence, perhaps?

Offline oldschool

  • Sr. Member
  • ****
  • Posts: 406
Re: Roundcube & fail2ban
« Reply #7 on: July 17, 2012, 07:05:34 PM »
Quote
:o

... I'm not really sure of what you meant... Any real sentence, perhaps?

Big respect. Nice post.
After reading it a second time I understand your meaning.
Sorry of.


Rgds.

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
Re: Roundcube & fail2ban
« Reply #8 on: July 17, 2012, 08:18:16 PM »
Quote
Big respect. Nice post.

Thank you. Actually I updated this post because it seems that no fail2ban-for-roundcube info is available digging the web, apart from the plugin, which is certainly a nice addition (thanks to the dev) but somewhat overkill since RoundCube is now (or has been for some time) able to log all kinds of successful or failed logins.

Quote
Sorry of.

No problem. I felt insulted at first, since my own problem was fixed and I just wanted to help the community.
While I believe that the first regexp will help in the vast majority of cases, the other can still be useful.
... I won't test it, since my own problem is solved, but it's a 3-minute hassle for anyone with a different setup (and it will surely match).

BTW, is there any way to edit this post's title with something like [solved], so that anyone interested in this will know that there is a solution available?
My $0.02.

Thanks and regards :)

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: [Solved] Roundcube & fail2ban
« Reply #9 on: July 17, 2012, 08:54:19 PM »
Quote
BTW, is there any way to edit this post's title with something like [solved], so that anyone interested in this will know that there is a solution available?
My $0.02.

I've updated the topic's title.

Offline kaliayev

  • Newbie
  • *
  • Posts: 6
Re: [Solved] Roundcube & fail2ban
« Reply #10 on: July 18, 2012, 07:54:55 PM »
Quote
I've updated the topic's title.

Great :).
Thank you SKaero.