[ErrorLog] Client IP Address

STiAT · July 25, 2008, 08:28:30 AM

Hi guys,

I've a little question:
I'm a bit concerned about brute force attacks by script kiddies. Therefore, I'd like to "lock" ip addresses if too many logins tries have been made by a certain ip address.

I'd like to do this with fail2ban. The problem here is, that roundcube does not save the ip of the client in the log.

I'd like to add this to the loggin and auth messages, and parse for those.
Is the client IP stored anywhere in the in example $conn object? Or will i have to read them manually out of the http environment of apache?

Of course, I'd need to check for
HTTP_X_FORWARDED_FOR and REMOTE_ADDR

Kind regards,
// STi

JSkywalker · July 25, 2008, 08:47:24 AM

but if someone DOES get access, and does not belong on your site, you should also block him, or not ?

so, i think, you need 2 things:
1) a decent way in roundcube to block a user after i.e. 3 wrong passwords.
2) your solution to block user-access to your site (using i.e. fail2ban)

STiAT · July 25, 2008, 09:38:11 AM

Well, exactly.
But first step would be fine to log correctly so i can block users by fail2ban, since not being able to connect to the site for e.g 5 minutes is quite enough to ensure him a long turn until he gets passwords cracked.

I have the same setup for imap, pop3, imaps and pop3s, and think it's a quite good solution.
Any script kiddie who can use autoit (in example) can do both, use a application to try cracking passwords and trying to log in on roundcube.

But indeed, I'd like to see a "lock user" function in roundcube, if too many bad logins have been made - what'd be rather a feature request. Maybe both are, but I think the first one (ip address to log) can be done easily. Hopefully it's standard one day for roundcube

.

Kind regards,
// STi

JSkywalker · July 25, 2008, 10:54:11 AM

but, a blocked user on IMAP, is a blocked user on Roundcube...

so, if imap is block after a few attempts, you should have reached what you want (informing the user that he/she is blocked is not needed for a script-kid

)

STiAT · July 25, 2008, 02:46:45 PM

Quote from: JSkywalker;13072but, a blocked user on IMAP, is a blocked user on Roundcube...

so, if imap is block after a few attempts, you should have reached what you want (informing the user that he/she is blocked is not needed for a script-kid )

True, but in this case false.
I can't block the IP address of the IMAP client connecting, since roundcube connects as "localhost". Therefore, the failed login attempt is from localhost - which I had to ignore, since I'd block the whole webmail on failed webmail login attempts.

That's why I need roundcube to log the IP of the user attempting to connect, to block http, https, and imap(s) / pop3(s).

Kind regards,
// STi

STiAT · July 25, 2008, 03:43:33 PM

For a fast information "how to get it working":

Code Select

vi program/lib/imap.inc
$conn->error    .= 'Authentication for ' . $user . ' (' . getenv(&quot;REMOTE_ADDR&quot;) . ') failed (LOGIN): &quot;';
$conn->error    .= 'Authentication for ' . $user . ' (' . getenv(&quot;REMOTE_ADDR&quot;) . ') failed (AUTH): &quot;';

in /etc/fail2ban/jail.conf (in my case)

Code Select

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port=http,https]
logpath  = /home/httpd/html/~roundcubemail/logs/errors

in /etc/fail2ban/filter.d/roundcube.conf

Code Select

[Definition]
failregex = IMAP Error: Authentication for .* \(\) failed \((?:LOGIN|AUTH)\):
ignoreregex =

Kind regards,
// STi

ddub · April 09, 2009, 09:47:47 AM

Hello STiAT,

Thanks for the tip!
It works perfectly, and should definitely be added to Roundcube code!

Regards.

mdr · August 19, 2009, 11:00:14 AM

Check out the RoundCube Fail2Ban Plugin also as a quick and easy way to do this.