Fail2ban for Roundcube


Steps

  • Create the fail2ban plugin in Roundcube
  • Make failed login attempts
  • Check that the log file was created
  • Create the fail2ban filter
  • Check that the rule matches
  • Create the jail in the configuration
  • Check that the configuration works

Create the fail2ban plugin in Roundcube

Go to the Roundcube installation directory; on Ubuntu it is /etc/roundcube.

cd /etc/roundcube/plugins

mkdir fail2ban

cd fail2ban

nano composer.json

{
  "name": "fail2ban",
  "description": "displays failed login attempts in your syslog or userlogins log file",
  "keywords": ["fail2ban", "security"],
  "homepage": "https://github.com/mattrude/rc-plugin-fail2ban",
  "license": "GPL-3.0",
  "type": "roundcube-plugin",
  "version": "1.2",
  "extra": {
    "roundcube": {
      "min-version": "0.3"
    }
  }
}

nano fail2ban.php

<?php
/**
 * RoundCube Fail2Ban Plugin
 *
 * @version 1.1
 * @author Matt Rude [m@mattrude.com]
 * @url http://mattrude.com/plugins/roundcube-fail2ban-plugin/
 * @license GPLv3
 */
class fail2ban extends rcube_plugin
{
  function init()
  {
    // Run log() every time Roundcube fires the 'login_failed' hook.
    $this->add_hook('login_failed', array($this, 'log'));
  }

  function log($args)
  {
    // The username comes straight from the login form and is written unmodified;
    // the client address is appended last, which is what the fail2ban filter keys on.
    $log_entry = '[roundcube] FAILED login for ' . $args['user'] . ' from ' . getenv('REMOTE_ADDR');
    $log_config = rcmail::get_instance()->config->get('log_driver');
    $log_dir = rcmail::get_instance()->config->get('log_dir');

    if ($log_config == 'syslog') {
      syslog(LOG_WARNING, $log_entry);
    } elseif ($log_config == 'file') {
      // Append one line to <log_dir>/userlogins in the format the fail2ban filter parses.
      error_log('[' . date('d-M-Y H:i:s O') . "]: " . $log_entry . "\n", 3, $log_dir . "/userlogins");
    } else {
      echo 'WARNING!! The RoundCube Fail2Ban Plugin was unable to retrieve the log driver from the config, please check your config file for log_driver.';
    }
  }
}

nano /etc/roundcube/config.inc.php

// List of active plugins (in plugins/ directory)
// add 'fail2ban' to this section
$config['plugins'] = array(
'archive',
'zipdownload',
'fail2ban',
);

systemctl restart apache2

ls -alF /var/log/roundcube/

The userlogins file should now exist:
-rw-r--r--  1 www-data www-data    258 Dec 30 05:08 userlogins

Make failed login attempts

Open the login page and make a few failed attempts, then go back to the userlogins file and verify that the entries are being captured correctly.

cat /var/log/roundcube/userlogins

chanoc@mx1:/etc/roundcube$ sudo cat  /var/log/roundcube/userlogins
[30-Dec-2019 04:47:06 -0500]: [roundcube] FAILED login for perro from 187.190.242.205
[30-Dec-2019 05:08:07 -0500]: [roundcube] FAILED login for perro from 187.190.242.205
[30-Dec-2019 05:08:44 -0500]: [roundcube] FAILED login for cachi from 187.190.242.205

Create the fail2ban filter

nano /etc/fail2ban/filter.d/roundcube.conf

[Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =

Check that the rule matches

fail2ban-regex /var/log/roundcube/userlogins /etc/fail2ban/filter.d/roundcube.conf

To confirm the rule matches, the report must show a count under Failregex of 3 total and 3 matched, which means it is catching the failures in the log:

chanoc@mx1:/etc/roundcube$ sudo fail2ban-regex /var/log/roundcube/userlogins /etc/fail2ban/filter.d/roundcube.conf

Running tests
=============

Use   failregex filter file : roundcube, basedir: /etc/fail2ban
Use         log file : /var/log/roundcube/userlogins
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 3 total
|-  #) [# of hits] regular expression
|   1) [3] FAILED login for .*. from <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 3 lines, 0 ignored, 3 matched, 0 missed [processed in 0.00 sec]

Create the jail in the configuration

nano /etc/fail2ban/jail.local

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
logpath  = /var/lib/roundcube/logs/userlogins
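The filter and the jail above can be checked offline before restarting fail2ban. The following Python script is an added example (it is not from this page, Roundcube or fail2ban): it translates the page's failregex to Python with a simplified stand-in for fail2ban's `<HOST>` group, parses constructed userlogins-style lines, and applies a sliding-window count per host the way a jail does. The maxretry and findtime values (5 and 10 minutes) are an assumption: the page's jail sets neither, so fail2ban's [DEFAULT] values apply. One constructed line has a username containing " from <ip>" to confirm that the greedy `.*` still yields the real client address, which the plugin appends last.

```python
"""Offline check of the Roundcube failregex and jail thresholds.

Added example, not part of the page, Roundcube or fail2ban. It mirrors what
fail2ban-regex and a jail do on the userlogins file written by the plugin.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with a host/IP group; this is a simplified stand-in.
HOST = r"(?P<host>[\w\-.^_]*\w)"
# The page's filter: failregex = FAILED login for .*. from <HOST>
FAILREGEX = re.compile(r"FAILED login for .*. from " + HOST)
# Timestamp prefix written by the plugin, e.g. "[30-Dec-2019 04:47:06 -0500]:"
DATE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\]:"
)

# Constructed sample lines in the same format as the page's userlogins excerpt.
# The fourth line has a username containing " from 203.0.113.5" to show that
# the greedy .* still resolves to the real client address appended last.
SAMPLE_LOG = """\
[30-Dec-2019 04:47:06 -0500]: [roundcube] FAILED login for perro from 192.0.2.10
[30-Dec-2019 05:08:07 -0500]: [roundcube] FAILED login for perro from 192.0.2.10
[30-Dec-2019 05:08:44 -0500]: [roundcube] FAILED login for cachi from 192.0.2.10
[30-Dec-2019 05:09:01 -0500]: [roundcube] FAILED login for bob from 203.0.113.5 from 192.0.2.10
[30-Dec-2019 05:09:30 -0500]: [roundcube] successful login for alice from 198.51.100.7
"""


def parse_line(line):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m_date = DATE_RE.match(line)
    m_fail = FAILREGEX.search(line)
    if not m_date or not m_fail:
        return None
    ts = datetime.strptime(m_date.group("ts"), "%d-%b-%Y %H:%M:%S %z")
    return ts, m_fail.group("host")


def matches(log_text):
    """Like fail2ban-regex: every (timestamp, host) the failregex extracts."""
    return [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]


def hosts_to_ban(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window count per host, as a jail does.

    Defaults are an assumption mirroring fail2ban's stock maxretry=5 and
    findtime=10m, which apply because the page's jail sets neither.
    """
    window = defaultdict(list)
    banned = set()
    for ts, host in sorted(matches(log_text)):
        hits = [t for t in window[host] if ts - t <= findtime] + [ts]
        window[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in matches(SAMPLE_LOG):
        print(f"{ts.isoformat()} Found {host}")
    print("would ban (maxretry=5):", hosts_to_ban(SAMPLE_LOG))
    print("would ban (maxretry=3):", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

One check worth doing on the jail itself: the logpath in jail.local (/var/lib/roundcube/logs/userlogins) is not the path where the plugin's file appeared earlier (/var/log/roundcube/userlogins). Confirm with `readlink -f /var/lib/roundcube/logs/userlogins` that it resolves to the same file (on Debian/Ubuntu the package ships that logs directory as a symlink into /var/log/roundcube); if it does not, point logpath at the file the plugin actually writes, or the jail will never see the entries.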

systemctl restart fail2ban

Check that the configuration works

tail -f /var/log/fail2ban.log

The output should show the access attempts against Roundcube:

2019-12-30 11:49:25,376 fail2ban.filter         [18942]: INFO    [postfix-sasl] Found 45.82.153.143
2019-12-30 11:49:45,065 fail2ban.filter         [18942]: INFO    [postfix-sasl] Found 45.82.153.143
2019-12-30 11:49:47,373 fail2ban.filter         [18942]: INFO    [sshd] Found 114.84.151.172
2019-12-30 11:49:52,272 fail2ban.filter         [18942]: INFO    [sshd] Found 122.51.112.109
2019-12-30 11:51:07,189 fail2ban.filter         [18942]: INFO    [named-refused-udp] Found 213.136.95.11
2019-12-30 11:51:07,197 fail2ban.filter         [18942]: INFO    [named-refused-udp] Found 213.136.95.11
2019-12-30 11:51:07,296 fail2ban.filter         [18942]: INFO    [named-refused-udp] Found 213.136.95.11
2019-12-30 11:51:07,308 fail2ban.filter         [18942]: INFO    [named-refused-udp] Found 213.136.95.11
2019-12-30 11:51:07,406 fail2ban.filter         [18942]: INFO    [named-refused-udp] Found 213.136.95.11
2019-12-30 11:51:07,573 fail2ban.actions        [18942]: NOTICE  [named-refused-udp] Ban 213.136.95.11
2019-12-30 11:52:00,241 fail2ban.filter         [18942]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2019-12-30 11:52:01,241 fail2ban.filter         [18942]: INFO    [roundcube] Found 187.190.242.205
2019-12-30 11:52:09,704 fail2ban.actions        [18942]: NOTICE  [postfix-sasl] Unban 92.118.38.56

For CentOS the steps are the same; only the file paths change.
