diff --git a/config/filter.d/roundcube.conf b/config/filter.d/roundcube.conf
new file mode 100644
index 00000000..9665883b
--- /dev/null
+++ b/config/filter.d/roundcube.conf
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file for roundcube web server authentication failures
+#
+# This filter needs "$config['log_driver']" set to "syslog" in the roundcube configuration
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^%(__prefix_line)sroundcube\[(\d*)\]: <\S* IMAP Error: Login failed for (\S*) from \..*$
+
+ignoreregex =
+
+[Init]
+
+backend = systemd
+
+journalmatch = SYSLOG_IDENTIFIER=roundcube
+
diff --git a/config/jail.conf b/config/jail.conf
index 135c9a2b..bd9ba876 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -379,6 +379,10 @@ logpath = %(lighttpd_error_log)s # Webmail and groupware servers # +[roundcube] +port = http,https +backend = %(syslog_backend)s + [roundcube-auth] port = http,https
diff --git a/fail2ban/tests/files/logs/roundcube b/fail2ban/tests/files/logs/roundcube
new file mode 100644
index 00000000..b491fa2b
--- /dev/null
+++ b/fail2ban/tests/files/logs/roundcube
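Review bot: The `failregex` in `config/filter.d/roundcube.conf`, as it appears on this page, has no `<HOST>` tag after `from ` and expects a literal `<` token before `IMAP Error`, which the sample lines in `fail2ban/tests/files/logs/roundcube` do not show. Angle-bracketed text may have been lost when the page was rendered, so confirm that the committed pattern carries the host tag and matches real roundcube syslog output; without a host group fail2ban has no address to ban. Separately, `backend = systemd` under `[Init]` looks out of place: the backend is normally chosen by the jail, and the jail added in this commit sets `backend = %(syslog_backend)s`, so I would drop that line and keep only `journalmatch`. A short comment above `failregex` describing the expected log line (session token, user, client address) would also help the next maintainer keep the pattern anchored.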
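Review bot: The new `[roundcube]` jail in `config/jail.conf` sets no `logpath`, so wherever `%(syslog_backend)s` resolves to a file-based backend the jail has nothing to read and failed logins would go unbanned; the definition of `syslog_backend` is outside this hunk, so this is inferred. I would add a line such as `logpath = <SYSLOG_FILE_ROUNDCUBE_WRITES_TO>` (placeholder, to be replaced by the matching path variable). The section sits directly above the existing `[roundcube-auth]` jail, whose body continues outside the hunk, so a one-line comment stating how `[roundcube]` (syslog `log_driver`, per the filter header) differs from `[roundcube-auth]` would keep operators from enabling the wrong one.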
@@ -0,0 +1,4 @@
+May 19 06:07:48 server roundcube[21296]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
+May 19 06:11:37 server roundcube[22926]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
+May 19 06:13:18 server roundcube[21528]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
+May 19 06:36:53 server roundcube[27572]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
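Review bot: The four sample lines in `fail2ban/tests/files/logs/roundcube` carry no `# failJSON:` annotations, which fail2ban's sample-log tests use to state the expected time, match result and host for each line; without them the samples cannot assert that the filter extracts `178.191.91.44`. Each line would be preceded by something like `# failJSON: { "time": "2005-05-19T06:07:48", "match": true , "host": "178.191.91.44" }` (constructed example; the year follows the test suite's convention and should be confirmed). All four lines have the same shape, so a non-matching sample, for instance a successful login line, would also be worth adding to show the pattern does not over-match. The fixture appears to embed a real public client address; an address from a documentation range such as 192.0.2.0/24 avoids publishing it.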