40 lines
1.5 KiB
Plaintext
40 lines
1.5 KiB
Plaintext
# Fail2Ban configuration file for roundcube web server
|
|
#
|
|
# By default failed logins are printed to 'errors'. The first regex matches those
|
|
# The second regex matches those printed to 'userlogins'
|
|
# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
|
|
#
|
|
# The logpath in your jail can be updated to userlogins if you wish
|
|
#
|
|
|
|
[INCLUDES]
|
|
|
|
before = common.conf
|
|
|
|
[Definition]
|
|
|
|
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
|
|
|
|
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
|
|
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
|
|
|
|
ignoreregex =
|
|
|
|
journalmatch = SYSLOG_IDENTIFIER=roundcube
|
|
|
|
# DEV Notes:
|
|
#
|
|
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
|
|
#
|
|
# Part after <HOST> comes straight from IMAP server up until the " in ....."
|
|
# Earlier versions didn't log the IMAP response hence optional.
|
|
#
|
|
# DoS resistance:
|
|
#
|
|
# Assume that the user can inject "from <HOST>" into the imap response
|
|
# somehow. Write test cases around this to ensure that the combination of
|
|
# arbitrary user input and IMAP response doesn't inject the wrong IP for
|
|
# fail2ban
|
|
#
|
|
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
|