For Fail2Ban to ban the IP addresses of computers trying to break into RoundCube, RoundCube needs to write the IP address of the offending system in its logs. To accomplish this, apply the following patch from the root of your RoundCube directory, or modify the program/lib/imap.inc file directly.
program/lib/imap.inc
Index: program/lib/imap.inc
============================================================
--- program/lib/imap.inc (revision 2446)
+++ program/lib/imap.inc (working copy)
@@ -428,7 +428,7 @@
<br />
if ($result == -3) fclose($conn->fp); // BYE response
<br />
- $conn->error .= 'Authentication for ' . $user . ' failed (AUTH): "';
+ $conn->error .= 'Authentication for ' . $user . ' (' . getenv("REMOTE_ADDR") . ') failed (AUTH): "';
$conn->error .= htmlspecialchars($line) . '"';
$conn->errorNum = $result;
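Review bot: on the added line, $user is client-supplied and is written ahead of the address in the same message, so a filter that reads `Authentication for .*` before the address is parsing text the client partly controls; put getenv("REMOTE_ADDR") before $user in the string so the field Fail2Ban extracts sits at a fixed position. The hunk changes only the (AUTH) message, while the filter further down also expects (LOGIN), so any LOGIN failure message needs the same change to carry an address. REMOTE_ADDR is the directly connecting peer, so behind a reverse proxy every failure would be logged with the proxy's address; a comment noting that assumption would help.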
Once you have RoundCube patched, you may use the below config and filter in Fail2Ban to block the IP address from RoundCube’s logs.
/etc/fail2ban/jail.conf:
[roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
logpath = /var/logs/httpd/errors
/etc/fail2ban/filter.d/roundcube.conf:
[Definition]
failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
ignoreregex =
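As an added example (not part of the original post or of Fail2Ban), this Python script checks the filter against constructed log lines shaped like the patched and unpatched messages, with and without the literal parentheses escaped. The `HOST` pattern is a simplified IPv4-only stand-in for Fail2Ban's `<HOST>` tag, and the timestamp prefix, user name and address in the sample lines are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also covers IPv6 and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex with the literal parentheses of the log message escaped.
ESCAPED = r"IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):"
# Same expression without backslashes: "(" and ")" become regex groups,
# so the literal parentheses in the message are never matched.
UNESCAPED = r"IMAP Error: Authentication for .* (<HOST>) failed ((?:LOGIN|AUTH)):"

# Constructed sample lines (203.0.113.7 is a documentation address).
PATCHED_LINE = ('[01-Jan-2010 10:00:00 +0000]: IMAP Error: Authentication for '
                'alice (203.0.113.7) failed (AUTH): "a001 NO Login failed"')
UNPATCHED_LINE = ('[01-Jan-2010 10:00:01 +0000]: IMAP Error: Authentication for '
                  'alice failed (AUTH): "a001 NO Login failed"')


def banned_host(failregex, line):
    """Return the address the filter would pass to the ban action, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def scan(failregex, lines):
    """Return every address extracted from the given log lines, in order."""
    hosts = (banned_host(failregex, line) for line in lines)
    return [h for h in hosts if h is not None]


if __name__ == "__main__":
    for name, rx in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(name, scan(rx, [PATCHED_LINE, UNPATCHED_LINE]))
```

On a live system, `fail2ban-regex` run against the real log file and filter file performs the same check with Fail2Ban's own `<HOST>` expansion.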
Interesting “add on”, and also probably useful for people with larger installations. I was wondering if, instead of editing “core files”, you could re-write this with a plugin hook, e.g. “login_failed”.
More info here:
http://trac.roundcube.net/wiki/Doc_Plugins
http://trac.roundcube.net/wiki/Plugin_Hooks
HTH,
Till
Check out http://mattrude.com/projects/roundcube-fail2ban-plugin/ it’s a quick plugin I wrote to do exactly that.
-matt
It’s a big contribution!
Only a little correction: it's REMOTE_ADDR and not REMOTE_ADR like you wrote.
Sorry for my English!
Thanks for catching that! I had it correct in the plugin, but must have typoed the post.