filter.d/roundcube-auth.conf: Use the same filter file and jail also when logging errors to the journal instead of to a local file.

Additionally fixes more complex injections on username.
pull/1783/head
sebres 2017-06-19 18:05:29 +02:00
parent 691c080dc7
commit d3ae70beb6
5 changed files with 21 additions and 35 deletions


@ -13,8 +13,10 @@ before = common.conf
[Definition]
failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex =
# DEV Notes:
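Review bot: The echoed-username guard in the new failregex is optional — `(?: user=(?P=user))?` — so once the IMAP error text echoes the username (the scenario the test fixtures label "IMAP server logs user=${username}") it does not pin which address becomes `<HOST>`. Tracing the backtracking for a username such as `admin from 127.0.0.1. x`, the greedy `<F-USER>.*</F-USER>` swallows the real ` from 1.2.3.4` and the rightmost ` from 127.0.0.1` is taken as the host, because `. x in …php on line … (… …)` satisfies the optional tail and `(?:(?! from ).)*` only rejects a ` from ` after the chosen host, never before it; the existing "with dot" fixtures pass only because nothing follows the dot before ` in`. Assuming `<HOST>` expands to the usual address pattern, this lets a client choose the address that gets banned, so either the tail should demand the `user=(?P=user)` echo whenever the response contains ` from `, or the DEV notes should state the limitation, e.g. `# The IMAP error text may echo the username, so any ' from <addr>' inside it is client-controlled; <HOST> must come from the address roundcube appends.` The `[Definition]` section continues past this hunk.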


@ -1,21 +0,0 @@
# Fail2Ban configuration file for roundcube web server authentication failures
#
# This filter needs "$config['log_driver']" set to "syslog" in the roundcube configuration
#
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)sroundcube\[(\d*)\]: <\S* IMAP Error: Login failed for (\S*) from <HOST>\..*$
ignoreregex =
[Init]
backend = systemd
journalmatch = SYSLOG_IDENTIFIER=roundcube


@ -379,14 +379,12 @@ logpath = %(lighttpd_error_log)s
# Webmail and groupware servers
#
[roundcube]
port = http,https
backend = %(syslog_backend)s
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s
[openwebmail]
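Review bot: The new comment sends journal users to `backend = %(syslog_backend)s`, but the jail being folded away was the only one paired with a filter that declared `journalmatch = SYSLOG_IDENTIFIER=roundcube` (in the deleted filter's `[Init]`), and the visible hunk of the unified `roundcube-auth.conf` shows no `journalmatch`; unless one exists outside that hunk, a systemd backend will read every journal entry on the host and run the prefregex over all of it. `logpath` also stays set while being irrelevant for a journal backend, which is worth saying so nobody expects the file to be tailed as well. Suggest `# If roundcube logs to the journal, use the following line in your jail.local (logpath is then ignored):` here and carrying `journalmatch = SYSLOG_IDENTIFIER=roundcube` into the filter if it is not already there. The `[openwebmail]` jail that follows lies outside this hunk.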


@ -1,4 +0,0 @@
May 19 06:07:48 server roundcube[21296]: <crk9n97i> IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
May 19 06:11:37 server roundcube[22926]: <crk9n97i> IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
May 19 06:13:18 server roundcube[21528]: <crk9n97i> IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
May 19 06:36:53 server roundcube[27572]: <crk9n97i> IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)


@ -8,19 +8,27 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.
# Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response
#
# user = admin from 127.0.0.1
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# user = admin from 127.0.0.1.
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1 (with dot)" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
#
# IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2 (with dot)" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# Old roundcube version - no IMAP response
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 3" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4
#
# user = admin from 127.0.0.1 in
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/errors)
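Review bot: The new "with dot" fixtures only exercise a username that ends in `.` immediately before ` in`, so they do not cover the threat the block's own header postulates (client-influenced IMAP error text) once anything follows the dot. A fixture such as `# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2 (with dot and trailing text)" }` followed by `Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. x from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1. x in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)` would, as far as I can trace the regex's backtracking, currently resolve the host to 127.0.0.1 and fail — which is precisely the case worth pinning. Adding it records the limitation even if the filter is not tightened in this commit.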
@ -40,3 +48,6 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 12
# Roundcube 1.1.1 (/var/log/roundcubemail/userlogins)
# failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" }
[10-May-2015 13:02:52 -0400]: <4z506z6r> Failed login for admin@example.com from 1.2.3.4 in session 4z506z6rvddstv6k7jz08hxo27 (error: 0)
# failJSON: { "time": "2005-05-19T06:07:48", "match": true , "host": "192.0.2.1", "desc": "Roundcube logged to journald instead to a local file."}
May 19 06:07:48 server roundcube[21296]: <crk9n97i> IMAP Error: Login failed for test from 192.0.2.1. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)