Topic: how to block user IP if tried x attempts login failed in Roundcube

I didn't find any specific option about Roundcube in CSF.

Is there any possibility to block a user's IP after more than 3 failed login attempts in Roundcube, using CSF or some other mechanism?

Roundcube login looks very vulnerable.

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #1 on: October 16, 2024, 08:09:58 AM »
Try to set the option:

$config['log_logins']

in:

/usr/local/cwpsrv/var/services/roundcube/config/defaults.inc.php

to "true", then edit the file /etc/csf/csf.conf and change:

CUSTOM3_LOG = "/var/log/customlog"

to

CUSTOM3_LOG = "/usr/local/cwpsrv/var/services/roundcube/logs/userlogins.log"

Restart CSF and see if it blocks the IP when the IP generates too many failed login attempts.

Additionally, I recommend that you add your own IP to the whitelist before you perform any tests.

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #2 on: October 16, 2024, 01:21:18 PM »
Thank you cyberspace, it's a nice beginning!

But it doesn't work if a custom regex is not set in /usr/local/csf/bin/regex.custom.pm to identify the "Failed login".

Example in regex.custom.pm:

# CWP Failed Login Protection
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) {
    return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","1");
}

Reference explaining this code: https://docs.danami.com/juggernaut/user-guide/login-failure-custom-triggers

I don't know regex, so I'm trying to make one. Can someone help or have this regex?


The Roundcube log with failed login example:

[16-Oct-2024 11:06:21 +0000]: <pidual7q> Failed login for gfdgfd from 127.0.0.1(X-Real-IP: 177.19.57.777,X-Forwarded-For: 177.19.57.245) in session pidual7q9hjruj15 (error: 0)
[16-Oct-2024 11:29:33 +0000]: <hi7i5n10> Failed login for jdjd from 127.0.0.1(X-Real-IP: 177.50.21.777,X-Forwarded-For: 177.50.21.126) in session hi7i5n10h617j2u6 (error: 0)
[16-Oct-2024 11:29:43 +0000]: <hi7i5n10> Failed login for jdjd from 127.0.0.1(X-Real-IP: 177.50.21.387,X-Forwarded-For: 177.50.21.126) in session hi7i5n10h617j2u6 (error: 0)



Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #3 on: October 16, 2024, 03:33:26 PM »
I think that to catch the IP address you can use the following regexp:

$line =~ /Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For/

and the function return should look like:

return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","2095,2096","300","0");

Additionally, I think you need to pay attention to "CUSTOM1_LOG": set it to the correct CUSTOMX_LOG.

« Last Edit: October 16, 2024, 03:35:48 PM by cyberspace »

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #4 on: October 16, 2024, 06:37:38 PM »
If the above "return()" doesn't work then change it to:

return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","80,443,2095,2096","300","0");

and test again (we block the ports 80,443,2095,2096 for the abuser).

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #5 on: October 16, 2024, 07:38:05 PM »
Tested and passed! Thank you very much.

The custom rule for /usr/local/csf/bin/regex.custom.pm: 5 login attempts, temporary block for 300s, ports 2095,2096 (if LF_SELECT is enabled, otherwise all access is blocked):

if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For/)) {
    return ("Failed Roundcube login attempt from IP:",$1,"roundcubelogin","5","2095,2096","300","0");
}

Restart csf and lfd, try wrong logins and check /var/log/lfd.log:

Oct 16 15:19:09 one lfd[389884]: (roundcubelogin) Failed Roundcube login attempt from IP: 177.50.21.90 (BR/Brazil/xxx.xxx.50.858.isp.timbrasil.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
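As an added example (not code from the thread), the regex from Reply #3 and the trigger logic of the rule in Reply #5 replayed over constructed log lines in Python, so the pattern can be checked against a log before it goes into regex.custom.pm: parse_failed_login applies the thread's regex unchanged, and offenders mirrors lfd's count-per-IP-within-interval check using the rule's trigger of 5 and the 3600 s interval shown in the lfd.log line above (the interval value and the sample lines are assumptions).

```python
import re
from datetime import datetime, timedelta

# The thread's regex (Reply #3/#5), used unchanged with Python's re module.
FAILED_LOGIN = re.compile(
    r"Failed login.*X-Real-IP:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),X-Forwarded-For")
# Roundcube's log prefix, e.g. "[16-Oct-2024 11:06:21 +0000]:"
STAMP = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]:")

def parse_failed_login(line):
    """Return (timestamp, client_ip) for a failed-login line, else None."""
    m_ts, m_ip = STAMP.match(line), FAILED_LOGIN.search(line)
    if not m_ts or not m_ip:
        return None
    return datetime.strptime(m_ts.group(1), "%d-%b-%Y %H:%M:%S"), m_ip.group(1)

def offenders(lines, trigger=5, interval=timedelta(seconds=3600)):
    """Map IP -> time of its `trigger`-th failure inside a sliding `interval`
    (the rule's "5" and the 3600 s from lfd.log). Failures older than the
    interval are forgotten, as lfd does; an IP is listed once."""
    recent, blocked = {}, {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip = parsed
        hits = [t for t in recent.get(ip, []) if ts - t < interval] + [ts]
        recent[ip] = hits
        if len(hits) >= trigger and ip not in blocked:
            blocked[ip] = ts
    return blocked

def failed_line(stamp, user, ip):
    # Constructed line in the userlogins.log format quoted in the thread.
    return (f"[{stamp} +0000]: <s1> Failed login for {user} from 127.0.0.1"
            f"(X-Real-IP: {ip},X-Forwarded-For: {ip}) in session s1abc (error: 0)")

# Constructed sample (documentation addresses): 203.0.113.7 has one stale failure
# plus five within two minutes; 198.51.100.9 fails twice; one successful login.
SAMPLE_LOG = [failed_line("16-Oct-2024 09:00:00", "alice", "203.0.113.7")]  # > 3600 s old
SAMPLE_LOG += [failed_line(f"16-Oct-2024 11:0{i}:00", "alice", "203.0.113.7") for i in range(5)]
SAMPLE_LOG += [failed_line("16-Oct-2024 11:10:00", "bob", "198.51.100.9"),
               "[16-Oct-2024 11:11:00 +0000]: <s2> Successful login for bob (ID: 12) "
               "from 127.0.0.1(X-Real-IP: 198.51.100.9,X-Forwarded-For: 198.51.100.9) in session s2abc",
               failed_line("16-Oct-2024 11:12:00", "bob", "198.51.100.9")]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} would be blocked at {when:%H:%M:%S}")
```

Note that the address the rule blocks is the one written into X-Real-IP, not the socket peer (always 127.0.0.1 in these lines), so the rule identifies the real client only when the proxy in front of Roundcube sets that header itself.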

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #6 on: October 16, 2024, 07:58:12 PM »
Excellent! However, I recommend using the second variant of "return()":

return ("Failed Roundcube login attempt from IP: $1",$1,"roundcubelogin","5","80,443,2095,2096","300","0");

because Roundcube/webmail can be accessed in different ways. Therefore the ports 80,443,2095,2096 must be blocked for the abuser.

Re: how to block user IP if tried x attempts login failed in Roundcube
« Reply #7 on: October 16, 2024, 08:38:45 PM »
I have LF_SELECT disabled, so all access is blocked; it doesn't filter by port.