Please correct me if I am mistaken:
First off, fail2ban is disabled for roundcube upon installation,
so you need to change enabled from false to true in /etc/fail2ban/jail.local.
Second, the regex is not working.
I found an old regex from here that works, although it is simple,
so I edited /etc/fail2ban/filter.d/roundcube-auth.conf
and replaced this line:
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
with this line:
failregex = ^Login failed for .* from <HOST>\..*$
then restarted fail2ban.
Upon a bad login in roundcube, this line was generated in /var/log/fail2ban.log:
2024-08-09 03:45:45,316 fail2ban.filter [4099569]: INFO [roundcube-auth] Found <redacted+ip> - 2024-08-09 03:45:45
Just a side note: the logging change from from/against happened in 2017. Seems like a long time for fail2ban not to catch this.
Opened a bug report on this,
and wondered, if roundcube wasn't installed from source and used the package from debian/ubuntu, would this issue have come up? What advantages do we gain from using the source package, except maybe that the version is kept stable until hestia determines roundcube should be updated; in other words, an 'apt update' isn't going to update roundcube.
That won't work with the OP's log entry because there isn't a dot after the host IP:
[08-Aug-2024 17:27:51 +0000]: <tgesrk97> IMAP Error: Login failed for [email protected] against localhost from 192.145.38.206 (X-Forwarded-For: 192.145.38.206). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
This regex should work for both cases:
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .* from <HOST>.+in \S+\.php on line \d+ \(\S+ \S+\)?$
Technically it doesn't matter whether it is from or against, because <F-USER>.*</F-USER> catches both cases, with from or with against. It is true that it extracts the user incorrectly, but in this case that doesn't matter.
For this case it doesn't matter whether roundcube is installed directly from source or using OS packages. Here the problem is the roundcube-auth filter shipped in the OS package of fail2ban.
Thanks for the reply and for clearing up the from/against. I can see why you would say the dot wouldn't work in the regex, but it does appear to be working.
roundcube error log:
[09-Aug-2024 10:43:46 +0000]: <5gs7d189> IMAP Error: Login failed for baduser against localhost from MYIP (X-Forwarded-For: MYIP). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
fail2ban log:
2024-08-09 05:43:46,063 fail2ban.filter [4099569]: INFO [roundcube-auth] Found MYIP - 2024-08-09 05:43:46
roundcube-auth.conf
root@seeerveeer:~/hestia/conf# cat /etc/fail2ban/filter.d/roundcube-auth.conf
# Fail2Ban configuration file for roundcube web server
#
# By default failed logins are printed to 'errors'. The first regex matches those
# The second regex matches those printed to 'userlogins'
# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
#
# The logpath in your jail can be updated to userlogins if you wish
#
[INCLUDES]
before = common.conf
[Definition]
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
#failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
failregex = ^Login failed for .* from <HOST>\..*$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex = Could not connect to .* Connection refused
journalmatch = SYSLOG_IDENTIFIER=roundcube
# DEV Notes:
#
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
#
# Part after <HOST> comes straight from IMAP server up until the " in ....."
# Earlier versions didn't log the IMAP response hence optional.
#
# DoS resistance:
#
# Assume that the user can inject "from <HOST>" into the imap response
# somehow. Write test cases around this to ensure that the combination of
# arbitrary user input and IMAP response doesn't inject the wrong IP for
# fail2ban
#
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
But then I edit the file roundcube-auth.conf and replace the line?
[quote="jperkins, post:21, topic:15424"]
so I edited /etc/fail2ban/filter.d/roundcube-auth.conf
and replaced this line
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
[/quote]
with this line
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .* from <HOST>.+in \S+\.php on line \d+ \(\S+ \S+\)?$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
Yes, but the second line must stay there; change only the failregex line. It should look like this:
[INCLUDES]
before = common.conf
[Definition]
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .* from <HOST>.+in \S+\.php on line \d+ \(\S+ \S+\)?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex = Could not connect to .* Connection refused
journalmatch = SYSLOG_IDENTIFIER=roundcube
[INCLUDES]
before = common.conf
[Definition]
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex = Could not connect to .* Connection refused
journalmatch = SYSLOG_IDENTIFIER=roundcube
After that I ran
systemctl restart fail2ban
and the results:
[09-Aug-2024 12:37:32 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:37:50 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:38:04 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:38:36 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:38:52 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:39:10 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
[09-Aug-2024 12:40:46 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
One more thing.
The hour isn't correct. The current time in Spain is 14:57, but in the result it is different.
It's something strange.
[09-Aug-2024 12:37:32 +0000]: <4ss5i6nf> IMAP Error: Login failed for [email protected] against localhost from 77.243.86.16 (X-Forwarded-For: 77.243.86.16). AUTHENTICATE PLAIN: Authentication failed. in /var/lib/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
That's because you didn't configure the date.timezone directive in PHP, so it is using UTC instead of CEST. If you want to modify it, edit the php.ini for your PHP version; for example, for PHP 8.2, edit /etc/php/8.2/fpm/php.ini and replace this:
;date.timezone =
by this:
date.timezone = Europe/Madrid
Once done, restart the php-fpm service for your PHP version, for example with 8.2:
systemctl restart php8.2-fpm
And now you will see the right date/time in the logs.
[INCLUDES]
before = common.conf
[Definition]
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> against .* from <HOST>.+in \S+\.php on line \d+ \(\S+ \S+\)?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex = Could not connect to .* Connection refused
journalmatch = SYSLOG_IDENTIFIER=roundcube