Fail2ban doesn't work with roundcube

Hi
I have fail2ban working properly with hestia, but doesn’t work with roundcube.

systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-08-08 15:47:16 CEST; 2h 14min ago
       Docs: man:fail2ban(1)
   Main PID: 1862334 (fail2ban-server)
      Tasks: 19 (limit: 19099)
     Memory: 14.3M
        CPU: 30.801s
     CGroup: /system.slice/fail2ban.service
             └─1862334 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
fail2ban-client status
Status
|- Number of jail:      8
`- Jail list:   dovecot-iptables, exim-iptables, hestia-iptables, phpmyadmin-auth, recidive, roundcube-auth, ssh-iptables, vsftpd-iptables

My jail.local file has the following configuration:

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors.log
maxretry = 5

But I try to connect more than five times on Roundcube and it doesn’t ban my ip.

Do I have to modify anything?

Hi @timwol,

Log path exists?

namei -mo /var/log/roundcube/errors.log

Hi sahsanu

I put
namei -mo /var/log/roundcube/errors.log

it appears

f: /var/log/roundcube/errors.log
 drwxr-xr-x root       root       /
 drwxr-xr-x root       root       var
 drwxrwxr-x root       syslog     log
 drwxr-x--x hestiamail hestiamail roundcube
 -rw-r--r-- hestiamail www-data   errors.log

greetings

fail2ban-client status roundcube-auth

Do you see your failed authentication attempts in file /var/log/roundcube/errors.log?

If you can’t see your attempts, show the output of this command:

grep -E 'config.*log_dir' /etc/roundcube/config.inc.php

Hi sahsanu

I put fail2ban-client status roundcube-auth

it appears

Status for the jail: roundcube-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/roundcube/errors.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

greetings

Now this :wink:


Hi sahsanu

Yes
It appears

[08-Aug-2024 16:51:43 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 16:52:33 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 16:52:48 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)

I put
grep -E 'config.*log_dir' /etc/roundcube/config.inc.php

it appears

$config["log_dir"] = "/var/log/roundcube/";

greetings

Ok, I see no problem.

Did you try only 3 times? Because you must try 5 times in 10 minutes.

Did you restart fail2ban?

systemctl restart fail2ban

Also, did you add your ip to ignoreip directive?

grep -r '^ignoreip' /etc/fail2ban

Hi sahsanu

I only put 3 times but I tried more

[08-Aug-2024 17:11:24 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:11:49 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:12:02 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:12:31 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:12:47 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:13:27 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:13:42 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)

the IP isn’t banned

Yes. I restarted fail2ban.
I’m going to restart another time to double check

greetings

Ok, I see the problem, seems you are accessing the webmail using a proxy so this is being added to the log (X-Forwarded-For: 192.145.38.206) but the fail2ban regex used doesn’t know about that so it is not catching the failed logins.

The regex used is in this file: /etc/fail2ban/filter.d/roundcube-auth.conf


Hi sahsanu

I’ve restarted first
after that I’ve tried several times to enter roundcube


[08-Aug-2024 17:27:51 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:28:05 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:28:21 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:28:56 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:29:08 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:29:26 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[08-Aug-2024 17:30:07 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)

and the Ip wasn’t banned

greetings

Hi sahsanu

But then what do I have to do?
I use nordvpn to browse like you say

and I have another problem that I would like to discuss other day.
When I use wireguard to connect with my server to browse, I use the ip of nordvpn, if I’m connected with nordvpn, or my router if I am without nordvpn, but it does not catch me the one from my server that is what I would like it to catch.
You mention it in case the two things are related.

greetings

Hi sahsanu

But then when I try to connect to my hestia, if the ban works. Why does it only fail me with roundcube?

greetings

The regex should work in your case but it doesn’t and I don’t know the reason, I should review the current regex but I’m too lazy to do so.

I don’t understand what you mean. Regex used for roundcube failed logins and regex used for hestia failed logins are two different ones.


Is there a way to get Hestia to log why or what account is causing the fail2ban? It would help me troubleshoot what devices that are trying with old credentials.

Hi sahsanu

What I meant is that when I fail 5 times to enter hestia, if I ban the ip, but with roundcube it does not happen to me.

Don’t bother. I don’t want you to spend any more time with me. Too much help you’re giving me

greetings

That’s because regex are different and lines in log too.

If I’ve time I’ll take a look to the regex because it should work.

Hi sahsanu

no worries
Thanks so much

greetings


I can confirm this. Also the [dovecot-iptables] is failing to match

2024-08-08 13:58:47,568 fail2ban.filter [3966854]: INFO [dovecot-iptables] Ignore ::1 by ignoreself rule

also the logs say

against localhost

where the regex is looking for ‘from localhost’

but I agree the
X-Forwarded-For: is also an issue

so right now in hestia there is there any checking brute force password attempts on roundcube. Also noticed hestia install roundcube from source
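
Added example, not part of any post above and not Hestia's or fail2ban's own code: a small Python check of how a failregex behaves on Roundcube lines in the format shown in this thread, with and without the "(X-Forwarded-For: ...)" suffix. Both patterns are hypothetical stand-ins (the real one lives in /etc/fail2ban/filter.d/roundcube-auth.conf), the `<HOST>` expansion is simplified to IPv4, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the real
# tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical candidate patterns, NOT the contents of roundcube-auth.conf.
# STRICT expects the sentence to end right after the peer address.
STRICT = r"IMAP Error: Login failed for \S+ against \S+ from <HOST>\. "
# TOLERANT also accepts the optional "(X-Forwarded-For: ...)" suffix but still
# captures the peer address: the header is sent by the client, so it is
# skipped rather than captured.
TOLERANT = (r"IMAP Error: Login failed for \S+ against \S+ from <HOST>"
            r"(?: \(X-Forwarded-For: [^)]*\))?\. ")

# Constructed sample lines in the format shown in the thread (documentation
# addresses and a placeholder mailbox, not values from the thread).
_TAIL = ("AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/"
         "program/lib/Roundcube/rcube_imap.php on line 211 "
         "(POST /?_task=login&_action=login)")
SAMPLE_LINES = [
    f"[08-Aug-2024 17:1{i}:00 +0000]: <tgesrk97> IMAP Error: Login failed for "
    f"user@example.com against localhost from 203.0.113.7 "
    f"(X-Forwarded-For: 198.51.100.9). {_TAIL}"
    for i in range(5)
]
DIRECT_LINE = ("[08-Aug-2024 17:20:00 +0000]: <tgesrk97> IMAP Error: Login failed "
               f"for user@example.com against localhost from 203.0.113.7. {_TAIL}")


def total_failed(failregex, lines):
    """Count matching lines per captured host, like the jail's 'Total failed'."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


if __name__ == "__main__":
    for name, rx in (("STRICT", STRICT), ("TOLERANT", TOLERANT)):
        print(name, total_failed(rx, SAMPLE_LINES + [DIRECT_LINE]))
```

On the server itself, `fail2ban-regex /var/log/roundcube/errors.log /etc/fail2ban/filter.d/roundcube-auth.conf` runs the installed filter against the real log and reports how many lines matched.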