Make Fail2ban monitor Roundcube authentication access

Posted: 04/09/2012 in Fail2ban

To make Fail2ban monitor Roundcube 0.8+ failed logins recorded in logs/errors, add this to
/etc/fail2ban/jail.conf or /etc/fail2ban/jail.local:

[roundcube]
enabled = true
port = http,https
filter = roundcube
logpath = /var/lib/roundcube/logs/errors
maxretry = 3


Also create a new file, /etc/fail2ban/filter.d/roundcube.conf, with this content:

[Definition]
failregex = (.*) Login failed for (.*) from <HOST>\.
ignoreregex =

Restart Fail2ban and you are ready ;)
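
A quick offline check of the filter and jail values above, as an added example (not from the original post or from the fail2ban project): it emulates how the failregex is applied, with `<HOST>` expanded to a simplified IPv4 group, and counts failures per address against maxretry. The sample log lines are constructed and the function names are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption; the
# real tag also accepts IPv6 addresses and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = r"(.*) Login failed for (.*) from <HOST>\."  # filter from the post
MAXRETRY = 3                                              # jail value from the post

# Constructed sample lines (not real logs), shaped to fit the failregex.
SAMPLE_LOG = """\
[09-Apr-2012 10:15:01 +0000]: IMAP Error: Login failed for alice from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.
[09-Apr-2012 10:15:09 +0000]: IMAP Error: Login failed for admin from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.
[09-Apr-2012 10:15:30 +0000]: IMAP Error: Login failed for bob from 198.51.100.23. AUTHENTICATE PLAIN: Authentication failed.
[09-Apr-2012 10:15:44 +0000]: PHP Error: constructed unrelated entry that must not match
[09-Apr-2012 10:16:02 +0000]: IMAP Error: Login failed for root from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed.
"""


def compile_failregex(failregex):
    """Expand <HOST>; a pattern without it gives fail2ban no address to ban."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(log_text, failregex=FAILREGEX):
    """Return {client address: number of matching log lines}."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Addresses whose failure count reached maxretry (findtime not modelled)."""
    counts = count_failures(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)))  # failures per address
    print(hosts_to_ban(SAMPLE_LOG))          # addresses at or over maxretry
```

On a host with fail2ban installed, `fail2ban-regex /var/lib/roundcube/logs/errors /etc/fail2ban/filter.d/roundcube.conf` runs the real filter against the real log.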

Comments
  1. vi /etc/fail2ban/jail.local

    [roundcube]

    enabled = true
    port = http,https
    filter = roundcube
    logpath = /var/log/syslog
    bantime = 31536000
    maxretry = 10

    vi /etc/fail2ban/filter.d/roundcube.conf

    # Fail2Ban configuration file
    #
    [INCLUDES]
    #
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    #
    [Definition]
    failregex = ^%(__prefix_line)sFAILED login for .* from <HOST>$
    #
    ignoreregex =
    #
    # EOF

  2. dude … you forgot <HOST> in

    failregex = (.*) Login failed for (.*) from <HOST>\.

    and when you want to get a full-text mail-notification … use:

    failregex = ^%(__prefix_line)sFAILED login for .* from <HOST>$

  3. Dan Black says:

    Fail2ban now includes a roundcube filter by default: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/roundcube-auth.conf which works on raw roundcube logs and roundcube syslog files too.
