Roundcubemail and Fail2Ban

T

his tutorial works for CentOS only. For your specific OS tutorial use the tags or serach function in the sidebar area.

 

Warning! Roundcube 1.0+

This fail2ban plugin for Roundcube seems to not work with recent Roundcube version 1.0+, details below...

The task is to create a jail and filter for Fail2Ban to monitor unsuccessfull logins into Roundcube. First step is to download a fail2ban plugin for RounCube by Matt Rude from his website, this plugin creates a 'userlogin' file which fail2ban will be watching.

Download plugin
$ wget https://github.com/downloads/mattrude/rc-plugin-fail2ban/roundcube-fail2ban-plugin.1.1.zip

Extract zip
$ unzip roundcube-fail2ban-plugin.1.1.zip

Move the directory to roundcube
$ mv mattrude-rc-plugin-fail2ban-dcb35fd /var/www/html/roundcubemail/plugins/fail2ban/

 

RoundCube configuration

$ nano /var/www/html/roundcubemail/config/main.inc.php

Search for line:

$rcmail_config['plugins'] = array();
and change it to:
$rcmail_config['plugins'] = array('fail2ban');
 

Save and exit.

Now, make sure if roundcubemail directory is owned by the same user apache is.


From our previous tutorials apache runs under 'jtkirk' user, let's see

[root@server][~]
$ cd /var/www/html

[root@server][/var/www/html]
$ ls -l
total 12
drwxr-xr-x 3 jtkirk jtkirk 4096 Aug 13 05:22 domains
-rw-r--r-- 1 root root 20 Aug 9 10:33 info.php
drwxr-xr-x 11 apache apache 4096 Aug 1 12:51 roundcubemail
 

ups, it's not - so change the owner

and then

$ cat roundcubemail/logs/userlogins

[root@server][/var/www/html]
$ cat roundcubemail/logs/userlogins
[19-Aug-2013 07:39:14 -0400]: FAILED login for test from xx.xx.xx.xx
 

Fail2Ban Setup

Add jail to /etc/fail2ban/jail.conf

$ nano /etc/fail2ban/jail.conf

and paste this code:

[roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
sendmail-whois[name=RC-Webmail, dest=you@example.com]
logpath = /var/www/html/roundcubemail/logs/userlogins
maxretry = 6
findtime = 1200
bantime = 17200
Adjust mail address, values and save, exit.

And also add a filter:

$ nano /etc/fail2ban/filter.d/roundcube.conf

and paste this code:

[Definition]
failregex = FAILED login for .*. from
ignoreregex =
 

Save and exit.
Restart fail2ban.

$ service firewall restart && service fail2ban restart

Check doing some fail login attempts.

 

Roundcube 1.0 and the normal way

This plugin seems to not work with new version of roundcube giving headers already sent errors, but this version of rouncube logs correctly failed login attempts to "/logs/errors" file.

So, we don't need the plugin anymore .. only correct fail2ban regex:

here's one 

failregex = .*. Login failed for .*. from . AUTHENTICATE PLAIN: Authentication failed *
 

so you have to change jail logpath accordingly

logpath = /var/www/html/roundcubemail/logs/errors