Fail2ban and webmail roundcube


(And) #1

NethServer Version: 7.5.1804 (final) + last update
Module: Email, Webmail, Fail2ban
Hi!

I use Email + Webmail (Roundcube).

I installed Fail2ban from the NS Software Center

and set up ‘Allow bans on the LAN’ in NS Fail2ban.

I tried entering an incorrect password into the Roundcube webmail,

and nothing happened: Fail2ban did not block the IP address and did not show the status ‘Banned IP’.

I looked at the /etc/fail2ban/jail.local config:

[roundcube-auth]
enabled = true
port = 80,443
logpath = /var/log/roundcubemail/errors
maxretry = 3

but the /var/log/roundcubemail/errors file contains no failed-authentication entries.

I created a custom template and changed it to

[roundcube-auth]
enabled = true
port = 80,443
logpath = /var/log/roundcubemail/errors.log
maxretry = 3

and it works fine

Please check and test it.

Is it a bug?

Sorry for my English…


(Stéphane de Labrusse) #2

Yes, it seems so, thanks for reporting it.


(And) #3

Hi!

I think I found a new problem with Fail2ban and Roundcube!

My LAN scheme:

[internet] — [NS7 (gateway, proxy, reverse proxy etc.)] ---- [LAN] — PC1, PCn …----[NS7 (email, webmail, Roundcube, Fail2ban)]

My email + webmail + Fail2ban server is inside the LAN, and for LAN users Fail2ban works OK.

I configured the reverse proxy to give external users access to my Roundcube server,
and Fail2ban does not block the IP addresses of external users and does not show the status ‘Banned IP’.

I looked at

/var/log/roundcubemail/errors.log

and saw the following entries, for example:

[26-Sep-2018 20:08:15 +0500]: IMAP Error: Login failed for ib from 192.168.XXX.XXX(X-Forwarded-For: XXX.XXX.XXX.XXX). AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

I see the IP address 192.168.XXX.XXX; it is the internal LAN IP of my NS7 (gateway, proxy, reverse proxy etc.),
and I see X-Forwarded-For: XXX.XXX.XXX.XXX, which is the user's real external IP.
I think Fail2ban does not match when it sees X-Forwarded-For: XXX.XXX.XXX.XXX.

If the entries look like

[26-Sep-2018 18:52:26 +0500]: IMAP Error: Login failed for ib from 192.168.XXX.XXX. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

without the X-Forwarded-For string,
it works and Fail2ban works OK.

Sorry for my English…


(And) #4

I think the problem is in the file

/etc/fail2ban/filter.d/roundcube-auth.conf

in the variable

failregex

something should be added.
But how? I don't know.


(Stéphane de Labrusse) #5

Would you mind testing this rpm:

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.6-1.2.pr40.g56775af.ns7.noarch.rpm

It only corrects the log path; please test and report.


(Stéphane de Labrusse) #6

We could not cover all corner cases created by custom customization, at least for now. That said, this holds for all web applications you have on your server (phpMyAdmin, SOGo, …).

You could make a filter.local:

/etc/fail2ban/filter.d/roundcube-auth.local
Copy all the regexes and add one more. Not tested, you should adapt it:

^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from * (X-Forwarded-For: <HOST>)(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$

You have a tool for that: http://docs.nethserver.org/en/latest/fail2ban.html#fail2ban-regex


(And) #7

Works fine, thank you!


(And) #8

It did not work.
I created the file roundcube-auth.local:

[INCLUDES]

before = common.conf

[Definition]

failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
            ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
            ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from * (X-Forwarded-For: <HOST>)(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$

ignoreregex =

Tested it:
fail2ban-regex /var/log/roundcubemail/errors.log /etc/fail2ban/filter.d/roundcube-auth.local

Running tests
=============

Use   failregex filter file : roundcube-auth, basedir: /etc/fail2ban
Use         log file : /var/log/roundcubemail/errors.log
Use         encoding : UTF-8


Results
=======

Failregex: 70 total
|-  #) [# of hits] regular expression
|   1) [70] ^\s*(\[\])?(\S+\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [112] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 112 lines, 0 ignored, 70 matched, 42 missed
[processed in 0.02 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 42 lines

‘X-Forwarded-For’ missed
[28-Sep-2018 11:29:58 +0500]: <bvdem97f> IMAP Error: Login failed for ib from 192.168.XX.XX(X-Forwarded-For: XXX.XXX.XXX.XXX). AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
Maybe I did something wrong?


(Stéphane de Labrusse) #9

You matched the regex 70 times :-?

Add --print-all-matched to check what you matched.


(Giacomo Sanchietti) #10

@stephdl already fixed the bug! :clap:

@xcod would you like to do the QA?


(And) #11

I tested it.
Works fine.
No more questions.


(And) #12

Matched if it looks like
[28-Sep-2018 11:25:06 +0500]: <ta0bma91> IMAP Error: Login failed for ib from 192.168.XX.XX. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

Missed if it looks like
[28-Sep-2018 11:29:58 +0500]: <bvdem97f> IMAP Error: Login failed for ib from 192.168.XX.XX(X-Forwarded-For: XXX.XXX.XXX.XXX). AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

Or do you want me to put all the lines here, matched and missed?
They are identical.


(Giacomo Sanchietti) #13

Released!


(Stéphane de Labrusse) #14

You need to adapt the regex; .*?\ will help you to create the regex.


(Stéphane de Labrusse) #15

They are not identical; (X-Forwarded-For: XXX.XXX.XXX.XXX) is the key of your issue.


(And) #16

Hi!
I think you don't understand me.
Create an errors.log file and put in two strings:

[28-Sep-2018 11:25:06 +0500]: <ta0bma91> IMAP Error: Login failed for ib from 192.168.XX.XX. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

and

[28-Sep-2018 11:29:58 +0500]: <bvdem97f> IMAP Error: Login failed for ib from 192.168.XX.XX(X-Forwarded-For: XXX.XXX.XXX.XXX). AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

Create roundcube-auth.local with your changes
and test it:
fail2ban-regex errors.log roundcube-auth.local

You will see 1 matched and 1 missed,
but it should be 2 matched.

Sorry for my English…


(Stéphane de Labrusse) #17

Sorry, but as I stated, it was just a piece of information; I did not spend time on it. You should adapt the regex to this case.


(Stéphane de Labrusse) #18

In /etc/fail2ban/filter.d/roundcube-auth.conf:

failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
            ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
            ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from .*\(X-Forwarded-For: <HOST>\)(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$

Restart fail2ban:

systemctl restart fail2ban

This change will be overwritten by the next fail2ban update.
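A way to check the three patterns above against the two kinds of log lines discussed in this thread, as an added example that is not from the thread or from the nethserver-fail2ban package: Python's re module with fail2ban 0.9's own expansions of <HOST> and %(__hostname)s, and the date stripped the way fail2ban-regex does before matching. The log lines and addresses are constructed samples.

```python
import re

# fail2ban 0.9.x expansions: common.conf defines __hostname = \S+ (as the
# fail2ban-regex output above shows) and <HOST> becomes a named capture group.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
HOSTNAME = r"\S+"
# The three failregex lines from roundcube-auth.conf as given in the thread;
# the third one is the reverse-proxy case.
FAILREGEX = [
    r"^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$",
    r"^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$",
    r"^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from .*\(X-Forwarded-For: <HOST>\)(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$",
]
# Roundcube's "DD-Mon-YYYY HH:MM:SS +ZZZZ" timestamp (inside the brackets).
# fail2ban removes the matched date text before applying failregex, which is
# why the patterns start with the empty brackets ^\s*(\[\])? and not a date.
DATE = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")

# Constructed sample lines (documentation / private addresses, not from the thread).
DIRECT = ("[28-Sep-2018 11:25:06 +0500]: <ta0bma91> IMAP Error: Login failed for ib "
          "from 192.168.1.10. AUTHENTICATE PLAIN: Password: in "
          "/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 "
          "(POST /webmail/?_task=login?_task=login&_action=login)")
PROXIED = ("[28-Sep-2018 11:29:58 +0500]: <bvdem97f> IMAP Error: Login failed for ib "
           "from 192.168.1.10(X-Forwarded-For: 203.0.113.7). AUTHENTICATE PLAIN: "
           "Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php "
           "on line 197 (POST /webmail/?_task=login?_task=login&_action=login)")


def compile_filter(patterns):
    """Expand fail2ban's tags and compile each failregex."""
    return [re.compile(p.replace("%(__hostname)s", HOSTNAME).replace("<HOST>", HOST))
            for p in patterns]


def match_host(compiled, line):
    """Return the address fail2ban would ban for one log line, or None.
    Like fail2ban, strip the date first and take the first failregex that matches."""
    stripped = DATE.sub("", line, count=1)
    for rx in compiled:
        m = rx.search(stripped)
        if m:
            return m.group("host")
    return None


if __name__ == "__main__":
    full, original = compile_filter(FAILREGEX), compile_filter(FAILREGEX[:2])
    print("direct  :", match_host(full, DIRECT))       # 192.168.1.10
    print("proxied :", match_host(full, PROXIED))      # 203.0.113.7, the client, not the proxy
    print("old rule:", match_host(original, PROXIED))  # None: why the thread saw 42 missed
```

The third pattern bans whatever address the proxy wrote into X-Forwarded-For, so it is only correct for log lines produced behind a reverse proxy you run yourself, as in the setup described above.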