Control Web Panel
WebPanel => E-Mail => Topic started by: diogo-plta on October 15, 2024, 11:57:09 PM
-
I didn't find any specific option about Roundcube in CSF.
Is there any way to block a user's IP after more than 3 failed login attempts in Roundcube, using CSF or some other mechanism?
Roundcube login looks very vulnerable.
-
Try to set the option:
$config['log_logins']
in:
/usr/local/cwpsrv/var/services/roundcube/config/defaults.inc.php
to "true", then edit the file /etc/csf/csf.conf and change:
CUSTOM3_LOG = "/var/log/customlog"
to
CUSTOM3_LOG = "/usr/local/cwpsrv/var/services/roundcube/logs/userlogins.log"
Restart CSF and see if it blocks an IP that generates too many failed login attempts.
Additionally, I recommend adding your own IP to the whitelist before you perform any tests.
-
thank you cyberspace, it's a nice beginning!
but it doesn't work unless a custom regex is set in /usr/local/csf/bin/regex.custom.pm to identify the "Failed login".
Example in regex.custom.pm:
# CWP Failed Login Protection
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) {
return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","1");
}
Reference explaining this code: https://docs.danami.com/juggernaut/user-guide/login-failure-custom-triggers
I don't know regex, so I'm trying to make one. Can someone help or already have this regex?
Example of the Roundcube log with a failed login:
[16-Oct-2024 11:06:21 +0000]: <pidual7q> Failed login for gfdgfd from 127.0.0.1(X-Real-IP: 177.19.57.777,X-Forwarded-For: 177.19.57.245) in session pidual7q9hjruj15 (error: 0)
[16-Oct-2024 11:29:33 +0000]: <hi7i5n10> Failed login for jdjd from 127.0.0.1(X-Real-IP: 177.50.21.777,X-Forwarded-For: 177.50.21.126) in session hi7i5n10h617j2u6 (error: 0)
[16-Oct-2024 11:29:43 +0000]: <hi7i5n10> Failed login for jdjd from 127.0.0.1(X-Real-IP: 177.50.21.387,X-Forwarded-For: 177.50.21.126) in session hi7i5n10h617j2u6 (error: 0)
-
I think to catch the IP address you can use the following regexp:
$line =~ /Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For/
and the function return should look like:
return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","2095,2096","300","0");
Additionally, I think you need to pay attention to "CUSTOM1_LOG"; set it to the correct CUSTOMX_LOG.
-
If the above "return()" doesn't work then change it to:
return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","80,443,2095,2096","300","0");
and test again (we block the ports 80,443,2095,2096 for the abuser).
-
tested and passed! thank you very much.
the custom rule for /usr/local/csf/bin/regex.custom.pm: 5 login attempts, temporary block for 300s, ports 2095,2096 (if LF_SELECT is enabled, otherwise all access is blocked):
if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For/)) {
return ("Failed Roundcube login attempt from IP:",$1,"roundcubelogin","5","2095,2096","300","0");
}
restart csf and lfd, try wrong logins and check /var/log/lfd.log:
Oct 16 15:19:09 one lfd[389884]: (roundcubelogin) Failed Roundcube login attempt from IP: 177.50.21.90 (BR/Brazil/xxx.xxx.50.858.isp.timbrasil.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
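As an added example (not from this thread, CWP or CSF), the script below runs the thread's regex over a constructed excerpt of Roundcube's userlogins.log and replays lfd's trigger counting, so the rule can be checked offline before restarting lfd. The log format is assumed from the lines quoted above; the 3600 s window mirrors the LF_INTERVAL default in csf.conf, and the sample addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex from the thread: the real client address is in the X-Real-IP header,
# because Roundcube under CWP sits behind a local proxy ("from 127.0.0.1").
FAILED_LOGIN_RE = re.compile(
    r"Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For"
)
# Roundcube prefixes every line with "[dd-Mon-yyyy HH:MM:SS +zzzz]:"
TIMESTAMP_RE = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample log (format assumed from the thread; documentation-range IPs).
SAMPLE_LOG = """\
[16-Oct-2024 11:06:21 +0000]: <aaaaaaaa> Failed login for alice from 127.0.0.1(X-Real-IP: 203.0.113.5,X-Forwarded-For: 203.0.113.5) in session aaaaaaaa11111111 (error: 0)
[16-Oct-2024 11:06:30 +0000]: <aaaaaaaa> Failed login for alice from 127.0.0.1(X-Real-IP: 203.0.113.5,X-Forwarded-For: 203.0.113.5) in session aaaaaaaa11111111 (error: 0)
[16-Oct-2024 11:06:41 +0000]: <bbbbbbbb> Successful login for bob from 127.0.0.1(X-Real-IP: 198.51.100.7,X-Forwarded-For: 198.51.100.7) in session bbbbbbbb22222222
[16-Oct-2024 11:07:02 +0000]: <aaaaaaaa> Failed login for admin from 127.0.0.1(X-Real-IP: 203.0.113.5,X-Forwarded-For: 203.0.113.5) in session aaaaaaaa11111111 (error: 0)
[16-Oct-2024 11:07:15 +0000]: <aaaaaaaa> Failed login for root from 127.0.0.1(X-Real-IP: 203.0.113.5,X-Forwarded-For: 203.0.113.5) in session aaaaaaaa11111111 (error: 0)
[16-Oct-2024 11:07:20 +0000]: <cccccccc> Failed login for carol from 192.0.2.9 in session cccccccc33333333 (error: 0)
[16-Oct-2024 11:07:33 +0000]: <aaaaaaaa> Failed login for postmaster from 127.0.0.1(X-Real-IP: 203.0.113.5,X-Forwarded-For: 203.0.113.5) in session aaaaaaaa11111111 (error: 0)
"""

def parse_failed_login(line):
    """Return (timestamp, client_ip) for a line the rule would match, else None.
    A failed login without an X-Real-IP header (direct access) is NOT matched."""
    m = FAILED_LOGIN_RE.search(line)
    ts = TIMESTAMP_RE.match(line)
    if not m or not ts:
        return None
    when = datetime.strptime(ts.group(1), "%d-%b-%Y %H:%M:%S %z")
    return when, m.group(1)

def find_offenders(log_text, trigger=5, interval=3600):
    """Replay lfd's counting: an IP reaching `trigger` matches within `interval`
    seconds is reported once, with the time of the match that crossed the line.
    (5 is the trigger count from the rule; 3600 s is the LF_INTERVAL default.)"""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    blocked = {}
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        when, ip = parsed
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= trigger and ip not in blocked:
            blocked[ip] = when
    return blocked
```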
-
Excellent! However, I recommend using the second variant of "return()":
return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","80,443,2095,2096","300","0");
because Roundcube/webmail can be accessed in different ways. Therefore the ports 80,443,2095,2096 must be blocked for the abuser.
-
I have LF_SELECT disabled, so all access is blocked; it doesn't filter by port.