mirror of https://github.com/fail2ban/fail2ban
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
1.5 KiB
38 lines
1.5 KiB
# Fail2Ban configuration file for roundcube web server |
|
# |
|
# By default failed logins are printed to 'errors'. The first regex matches those |
|
# The second regex matches those printed to 'userlogins' |
|
# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php |
|
# |
|
# The logpath in your jail can be updated to userlogins if you wish |
|
# |
|
|
|
[INCLUDES] |
|
|
|
before = common.conf |
|
|
|
[Definition] |
|
|
|
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: (?:<[\w]+> )?<F-CONTENT>.+</F-CONTENT>$ |
|
|
|
failregex = ^(?:Login failed|(?i:Failed) login) for <F-USER>(?:(?P<simple>\S+)|.*)</F-USER> (?:against \S+ )?from <ADDR>(?:(?:\([^\)]*\))?\.(?! from ) (?(simple)(?:\S+(?! from ) )*|(?:(?! from ).)*(?: user=(?P=user))? )in \S+\.php on line \d+| in session \w+)?(?: \([^\)]*\))?$ |
|
|
|
ignoreregex = |
|
|
|
journalmatch = SYSLOG_IDENTIFIER=roundcube |
|
|
|
# DEV Notes: |
|
# |
|
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180 |
|
# |
|
# Part after <HOST> comes straight from IMAP server up until the " in ....." |
|
# Earlier versions didn't log the IMAP response hence optional. |
|
# |
|
# DoS resistance: |
|
# |
|
# Assume that the user can inject "from <HOST>" into the imap response |
|
# somehow. Write test cases around this to ensure that the combination of |
|
# arbitrary user input and IMAP response doesn't inject the wrong IP for |
|
# fail2ban |
|
# |
|
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
|
|
|