Please correct me if I am mistaken:
First off, fail2ban is disabled for roundcube upon installation,
so you need to change enabled from false to true in /etc/fail2ban/jail.local.
Second, the regex is not working.
I found an old regex from here that works, although it is simple,
so I edited /etc/fail2ban/filter.d/roundcube-auth.conf
and replaced this line
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
with this line
failregex = ^Login failed for .* from <HOST>\..*$
Then restart fail2ban.
Then, upon a bad login in roundcube, this line was generated in /var/log/fail2ban.log:
2024-08-09 03:45:45,316 fail2ban.filter [4099569]: INFO [roundcube-auth] Found <redacted+ip> - 2024-08-09 03:45:45
Just a side note: the logging change from from/against happened in 2017. Seems like a long time for fail2ban not to catch this.
Opened a bug report on this
and wondered: if roundcube wasn't installed from source and used the package from debian/ubuntu, would this issue have come up? What advantages do we gain from using the source package, except maybe that the version is kept stable until hestia determines roundcube should be updated? In other words, an ‘apt update’ isn't going to update roundcube.
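
An added example, not part of the post above and not fail2ban's or Hestia's own code: an offline check of the replacement failregex against constructed log lines, showing which lines it counts and which address it captures. The `<HOST>` stand-in pattern, the sample lines and the function names are assumptions made for illustration.

```python
import re

# Replacement failregex quoted in the post, unchanged.
FAILREGEX = r"^Login failed for .* from <HOST>\..*$"

# Assumption: simplified stand-in for fail2ban's <HOST> expansion
# (IPv4 dotted quad or bare IPv6 literal); fail2ban's own pattern is broader.
HOST_STANDIN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"

# Constructed sample lines (documentation addresses, invented paths), written
# as the text the failregex sees once the timestamp has been stripped.
SAMPLES = [
    # "against <server>" wording: absorbed by the greedy ".*"
    "Login failed for bob against localhost from 192.0.2.10. AUTHENTICATE "
    "PLAIN: Authentication failed. in /srv/rc/rcube_imap.php on line 211 "
    "(POST /?_task=login)",
    # older wording without "against"
    "Login failed for bob from 198.51.100.7. AUTHENTICATE PLAIN: "
    "Authentication failed. in /srv/rc/rcube_imap.php on line 184 "
    "(POST /?_task=login)",
    # IPv6 client
    "Login failed for bob against localhost from 2001:db8::5. LOGIN: "
    "Authentication failed.",
    # no period after the address: the literal "\." cannot match
    "Login failed for bob from 203.0.113.9 in session abc123",
    # successful login must never be counted
    "Successful login for bob from 192.0.2.10 in session abc123",
]

def compile_failregex(failregex=FAILREGEX):
    """Substitute the <HOST> tag and compile, case-sensitive and anchored."""
    return re.compile(failregex.replace("<HOST>", HOST_STANDIN))

def found_host(line, pattern=None):
    """Return the address the filter would report for line, or None."""
    match = (pattern or compile_failregex()).search(line)
    return match.group("host") if match else None

def scan(lines):
    """Map each line to its captured host (None when the line is ignored)."""
    pattern = compile_failregex()
    return [found_host(line, pattern) for line in lines]

if __name__ == "__main__":
    for line, host in zip(SAMPLES, scan(SAMPLES)):
        print(f"{host or 'no match':<14} {line[:60]}")
```

On a live host, running fail2ban-regex against the real log file and the filter file gives the authoritative result, since it applies fail2ban's actual `<HOST>` expansion.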