fail2ban/config/filter.d/roundcube-auth.conf

# Fail2Ban configuration file for roundcube web server
#
# By default failed logins are printed to 'errors'. The first regex matches those
# The second regex matches those printed to 'userlogins'
#   The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
#
# The logpath in your jail can be updated to userlogins if you wish
#

[INCLUDES]

before = common.conf

[Definition]

prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$

ignoreregex = 

journalmatch = SYSLOG_IDENTIFIER=roundcube

# DEV Notes:
#
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
#
# Part after <HOST> comes straight from IMAP server up until the " in ....."
# Earlier versions didn't log the IMAP response hence optional.
#
# DoS resistance:
#
# Assume that the user can inject "from <HOST>" into the imap response
# somehow. Write test cases around this to ensure that the combination of
# arbitrary user input and IMAP response doesn't inject the wrong IP for
# fail2ban
#
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section) 2013-01-31 19:39:59 +00:00			`# Fail2Ban configuration file for roundcube web server`
			`#`
Update regex to work with roundcube 1.0.5 on CentOS 6 2015-04-30 18:09:20 +00:00			`# By default failed logins are printed to 'errors'. The first regex matches those`
			`# The second regex matches those printed to 'userlogins'`
			`# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php`
NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section) 2013-01-31 19:39:59 +00:00			`#`
Update regex to work with roundcube 1.0.5 on CentOS 6 2015-04-30 18:09:20 +00:00			`# The logpath in your jail can be updated to userlogins if you wish`
NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section) 2013-01-31 19:39:59 +00:00			`#`

ENH: anchor roundcube-auth at the beginning as well 2013-07-09 16:48:12 +00:00			`[INCLUDES]`

			`before = common.conf`

NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section) 2013-01-31 19:39:59 +00:00			`[Definition]`

filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file. Additionally fixes more complex injections on username. 2017-06-19 16:05:29 +00:00			`prefregex = ^\s(\[\])?(%(__hostname)s\s(?:roundcube(?:\[(\d)\])?:)?\s(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$`

filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303) 2017-07-11 12:59:24 +00:00			`failregex = ^(?:FAILED login\|Login failed) for <F-USER>.</F-USER> from <HOST>(?:(?:\([^\)]\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$`
filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file. Additionally fixes more complex injections on username. 2017-06-19 16:05:29 +00:00			`^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$`
NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section) 2013-01-31 19:39:59 +00:00
			`ignoreregex =`
filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783. 2017-06-26 09:24:10 +00:00
			`journalmatch = SYSLOG_IDENTIFIER=roundcube`

BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given 2013-11-12 07:57:01 +00:00			`# DEV Notes:`
			`#`
			`# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180`
			`#`
			`# Part after <HOST> comes straight from IMAP server up until the " in ....."`
			`# Earlier versions didn't log the IMAP response hence optional.`
			`#`
			`# DoS resistance:`
			`#`
			`# Assume that the user can inject "from <HOST>" into the imap response`
DOC: some typos, fixes from Vincent Lefevre 2014-01-07 04:38:52 +00:00			`# somehow. Write test cases around this to ensure that the combination of`
			`# arbitrary user input and IMAP response doesn't inject the wrong IP for`
BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given 2013-11-12 07:57:01 +00:00			`# fail2ban`
			`#`
Update regex to work with roundcube 1.0.5 on CentOS 6 2015-04-30 18:09:20 +00:00			`# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens`