You probably have protected your dovecot, postfix, exim, dbmail, or any other port opening application that needs to be protected from bruit force and dictionary attacks.
But what about roundcube, the problem with roundcube is that you have to whitelist it (whether it is on the same server or a different server) so that it does not get blocked, so now you have another security issue, this way a hacker can bruit force your server even when fail2ban is monitoring all SMTP and IMAP and POP ports.
The solution to this is to actually protect RoundCube itself against bruit force.
Forget the apache logs, we don’t need to use those as roundcube will log failed attempts in it’s /logs/errors file, this file has something similar to the following line
IMAP Error: Login failed for aaa@bbb.com from xxx.xxx.xxx.xxx. AUTHENTICATE PLAIN: Authentication failed
You should also note that there is a certain roundcube config file in fail2ban, which i am not using because i like to make things as simple as possible but not too simple, the file that comes with fail2ban roundcube-auth.conf seems to account for older installations of roundcube, something i don’t really need.
Now, here is a step by step manual to protect roundcube (Or phpmyadmin or ispconfig or what have you) from bruit force attacks and dictionary attacks.
1- Make sure fail2ban is installed
apt-get install fail2ban
2- add the following two configuration file to fail2ban programs directory (/etc/fail2ban/filter.d/)
1- roundcube.conf
# Fail2Ban configuration file for roundcube webmail
#
# Author: Fabian Wenk
#
# $Revision$
#
# To have logging information available, it is necessary to adjusting
# the following option in config/main.inc.php from Roundcube:
#
# $rcmail_config['debug_level'] = 1; // not sure, probably not needed
# $rcmail_config['log_session'] = true;
#
# and point in the fail2ban jail config to the correct logfile,
# or change also the following config to log to syslog:
#
# $rcmail_config['log_driver'] = 'syslog';
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# first line is for Cyrus IMAP (2.4.x)
# second line is for Dovecot (2.1.x)
# Values: TEXT
#
#failregex = roundcube: IMAP Error: Login failed for .* from . AUTHENTICATE PLAIN: authentication failure in .*$
failregex = roundcube: IMAP Error: Login failed for .* from . AUTHENTICATE PLAIN: Authentication failed. in .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
2- roundcube-repeat.conf, this rule inspects the fail2ban log file itself, and if there are repeated bans (repeated violations), imposes a bigger penalty
# roundcube configuration file
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = \[roundcube\] Ban
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
The above is how fail2ban will identify failed logins, now in the /etc/fail2ban/jail.local we need to tell fail2ban 1- Where to look for this rule, 2- what file to look for the logs in !
So, to activate the above, we need to add some rules in /etc/fail2ban/jail.conf
[roundcube]
enabled = true
port = http,https
filter = roundcube
logpath = /var/sys_ssl/rcmail/logs/errors
maxretry = 5
findtime = 600
bantime = 3600
[roundcube-repeat]
enabled = true
port = http,https
filter = roundcube-repeat
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 21600
bantime = 86400
Now, to the testing, mind you, if you test, you will be blocked, depending on how you test, you might get blocked for a whole day, so keep that in mind
For those of you on a recent cpanel installation, you should probably know that iptables are disabled by default in favor of firewalld, fail2ban will update the rules, but the rules will not work 😉