From d3ae70beb6f73f289843157307f079678c156457 Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 19 Jun 2017 18:05:29 +0200
Subject: [PATCH] filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file. Additionally fixes more complex injections on username.
---
config/filter.d/roundcube-auth.conf | 6 ++++--
config/filter.d/roundcube.conf | 21 ---------------------
config/jail.conf | 6 ++----
fail2ban/tests/files/logs/roundcube | 4 ----
fail2ban/tests/files/logs/roundcube-auth | 19 +++++++++++++++----
5 files changed, 21 insertions(+), 35 deletions(-)
delete mode 100644 config/filter.d/roundcube.conf
delete mode 100644 fail2ban/tests/files/logs/roundcube
diff --git a/config/filter.d/roundcube-auth.conf b/config/filter.d/roundcube-auth.conf
index 886cf2d6..bab62651 100644
--- a/config/filter.d/roundcube-auth.conf
+++ b/config/filter.d/roundcube-auth.conf
@@ -13,8 +13,10 @@ before = common.conf
 [Definition]
-failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from (\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
- ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from in session \w+( \(error: \d\))?$
+prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: .+$
+
+failregex = ^(?:FAILED login|Login failed) for .* from (\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
+ ^(?:<[\w]+> )?Failed login for .* from in session \w+( \(error: \d\))?$
 ignoreregex =
 # DEV Notes:
diff --git a/config/filter.d/roundcube.conf b/config/filter.d/roundcube.conf
deleted file mode 100644
index 9665883b..00000000
--- a/config/filter.d/roundcube.conf
+++ /dev/null
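Review bot: The first new failregex defeats a forged ` from <ip>` inside the username only because the greedy `.*` after `for` makes the engine bind the host tag (stripped in this rendering, between `from` and `(\.`) to the *last* ` from ` on the line, and because `(?:(?! from ).)*` then forbids any further ` from ` in the IMAP response except the copy re-echoed by ` user=(?P=user)`; none of that is written down, and the `# DEV Notes:` section that should carry it starts at the hunk's last line with its body outside the hunk. I'd add there something like `# failregex binds the host to the LAST " from " on the line, so attacker-controlled text before it (the username, or the IMAP server's "user=" echo of it) may itself contain " from <ip>" without that address being banned`. Two assumptions deserve a line each: `(?P=user)` only works if the user tag expands to a group literally named `user` (as far as I recall the 0.10 tag mapping does — confirm), and an IMAP response that contains a second ` from ` outside `user=` makes the whole line fail to match, i.e. the filter fails open rather than banning a forged address — defensible, but worth stating. `prefregex` also now accepts lines with no `roundcube` prefix at all, so anything feeding this filter from the journal should be scoped with a `journalmatch`.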
@@ -1,21 +0,0 @@
-# Fail2Ban configuration file for roundcube web server authentication failures
-#
-# This filter needs "$config['log_driver']" set to "syslog" in the roundcube configuration
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-failregex = ^%(__prefix_line)sroundcube\[(\d*)\]: <\S* IMAP Error: Login failed for (\S*) from \..*$
-
-ignoreregex =
-
-[Init]
-
-backend = systemd
-
-journalmatch = SYSLOG_IDENTIFIER=roundcube
-
diff --git a/config/jail.conf b/config/jail.conf
index bd9ba876..21bc898e 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -379,14 +379,12 @@ logpath = %(lighttpd_error_log)s
 # Webmail and groupware servers
 #
-[roundcube]
-port = http,https
-backend = %(syslog_backend)s
-
 [roundcube-auth]
 port = http,https
 logpath = %(roundcube_errors_log)s
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
 [openwebmail]
diff --git a/fail2ban/tests/files/logs/roundcube b/fail2ban/tests/files/logs/roundcube
deleted file mode 100644
index b491fa2b..00000000
--- a/fail2ban/tests/files/logs/roundcube
+++ /dev/null
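Review bot: Dropping the `[roundcube]` jail and its `filter.d/roundcube.conf` in the same commit breaks any `jail.local` that still has `[roundcube]` enabled — the jail section remains defined there but its filter no longer exists, and as far as I recall fail2ban then refuses to load that jail — yet the new comment only tells journal users which backend to set. I'd extend the comment: `# The former journal-based [roundcube] jail is merged into this one; rename [roundcube] to [roundcube-auth] in jail.local.` Separately, the deleted filter scoped its systemd backend with `journalmatch = SYSLOG_IDENTIFIER=roundcube`, while the surviving roundcube-auth filter hunk adds no `[Init]`/`journalmatch`; with `backend = %(syslog_backend)s` enabled as suggested here, every unit's journal entries are run through prefregex/failregex, which is slower and lets any service that emits an `IMAP Error: Login failed for … from <ip>`-shaped line trigger a ban. Either restore the journalmatch in the filter or document it next to the backend line, e.g. `#journalmatch = SYSLOG_IDENTIFIER=roundcube`; whether `%(syslog_backend)s` actually resolves to `systemd` depends on the paths-*.conf in use, which is outside this diff.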
@@ -1,4 +0,0 @@
-May 19 06:07:48 server roundcube[21296]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
-May 19 06:11:37 server roundcube[22926]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
-May 19 06:13:18 server roundcube[21528]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
-May 19 06:36:53 server roundcube[27572]: IMAP Error: Login failed for test from 178.191.91.44. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
diff --git a/fail2ban/tests/files/logs/roundcube-auth b/fail2ban/tests/files/logs/roundcube-auth
index 26868c3e..8c491b38 100644
--- a/fail2ban/tests/files/logs/roundcube-auth
+++ b/fail2ban/tests/files/logs/roundcube-auth
@@ -8,19 +8,27 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.
 # Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response
 #
 # user = admin from 127.0.0.1
-# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1" }
 Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
+# user = admin from 127.0.0.1.
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1 (with dot)" }
+Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
+#
 #
 # IMAP server logs user=${username}
-# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2" }
 Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
 #
+# IMAP server logs user=${username}
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2 (with dot)" }
+Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1.
in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
+#
 # Old roundcube version - no IMAP response
-# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 3" }
 Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4
 #
 # user = admin from 127.0.0.1 in
-# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 4" }
 Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
 # Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/errors)
@@ -40,3 +48,6 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 12
 # Roundcube 1.1.1 (/var/log/roundcubemail/userlogins)
 # failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" }
 [10-May-2015 13:02:52 -0400]: <4z506z6r> Failed login for admin@example.com from 1.2.3.4 in session 4z506z6rvddstv6k7jz08hxo27 (error: 0)
+
+# failJSON: { "time": "2005-05-19T06:07:48", "match": true , "host": "192.0.2.1", "desc": "Roundcube logged to journald instead to a local file."}
+May 19 06:07:48 server roundcube[21296]: IMAP Error: Login failed for test from 192.0.2.1. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)
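Review bot: Every injection fixture in this hunk, including the two new "with dot" variants, puts the forged ` from 127.0.0.1` before the genuine address, so they only exercise the greedy last-`from` binding; nothing pins what happens when attacker-controlled text mimics the line's tail or when a second ` from ` follows the genuine host. I'd add a fixture whose username imitates the real suffix, e.g. `Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /x.php on line 1 (POST /) from 203.0.113.5. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)` with `"host": "203.0.113.5"`, and one `"match": false` fixture where the IMAP response itself contains a second ` from ` outside `user=`, since I expect the new `(?! from )` lookahead to reject that whole line — fail-open behaviour that is worth documenting in the test file rather than discovering later. The `"desc"` labels are a welcome addition for reading test failures.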
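Review bot: The new journald fixture covers the `roundcube[21296]:` prefix that prefregex now accepts, but not the optional `<sessionid>` token prefregex also allows between that prefix and `IMAP Error` (`(<[\w]+>)?`); the deleted roundcube.conf failregex had a `<\S*` token in exactly that position, which suggests real journal lines can carry one. I'd add a second line in this block, e.g. `May 19 06:07:48 server roundcube[21296]: <4z506z6r> IMAP Error: Login failed for test from 192.0.2.1. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)` with the same failJSON, so the merge keeps coverage for that journal form. Replacing the real public address from the deleted fixture with 192.0.2.1 (TEST-NET-1) is the right call.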