
Bug Report - Fail2Ban Roundcube

Josh12

So this fail2ban jail bans the server IP rather than the "x-real IP". This is not correct.
We want fail2ban to ban the person failing the roundcube login not the server itself. The regex is incorrect. You can fix this by making the changes posted below.

Find the roundcube filter.d file and change the regex to look like the one below:
Code:
[Definition]
failregex = (.*) Error: Login failed for (.*) from (.*)\WX-Real-IP: <HOST>(.*)
ignoreregex =
 
Fail2ban is an "integrated" third-party package, which means that Parallels itself doesn't configure the stable releases from the official sources - it takes the version and might add filters, but will never configure existing filters from the source. The information in the standard "roundcube-auth" filter describes that you might have to modify the standard regex, depending on your system, log configurations and their outputs.
Code:
# Assume that the user can inject "from <HOST>" into the imap response
# somehow. Write test cases around this to ensure that the combination of
# arbitrary user input and IMAP response doesn't inject the wrong IP for
# fail2ban

The provided solution from Josh12 might work on his system, but be sure to use the fail2ban-regex test

fail2ban-regex /var/log/plesk-roundcube/errors /etc/fail2ban/filter.d/roundcube-auth.conf

... to be sure that it works on your system, with your configuration, as well.


And no... this is not a BUG... you can see at https://github.com/fail2ban/fail2ban/tree/master/config/filter.d that the latest standard filters from the official source are being used in Plesk... some filters just need some user modifications, depending on their system configurations.
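
Added example (not part of any post in this thread, and not fail2ban or Plesk code): a small regression harness in the spirit of the filter comment quoted above, showing which address a candidate failregex would ban for each log line. The `<HOST>` stand-in is simplified to IPv4, `STRICT` is a hypothetical variant, and the log lines are constructed from the format quoted in the thread.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption; the
# real tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Regex posted in the thread.
THREAD = r"(.*) Error: Login failed for (.*) from (.*)\WX-Real-IP: <HOST>(.*)"
# Hypothetical stricter variant: anchored at line start, and it refuses any
# line where the X-Real-IP token appears more than once. Trade-off: such
# lines are not counted at all instead of being attributed to a guess.
STRICT = (r"^(?!.*X-Real-IP:.*X-Real-IP:)\[[^\]]+\]: \w+ Error: "
          r"Login failed for \S+ from [\d.]+\(X-Real-IP: <HOST>\)")

# Constructed log lines (format assumed from the line quoted in the thread;
# documentation-range addresses). Each is paired with the host that should
# be banned, or None when the line must not produce a ban.
CASES = [
    ("[01-Jan-2024 10:00:00 +0000]: IMAP Error: Login failed for "
     "bob@example.com from 192.0.2.10(X-Real-IP: 203.0.113.5). "
     "Authentication failed.", "203.0.113.5"),
    # Trailing response text repeats the token with a different address.
    ("[01-Jan-2024 10:00:01 +0000]: IMAP Error: Login failed for "
     "bob@example.com from 192.0.2.10(X-Real-IP: 203.0.113.5). "
     "NO (X-Real-IP: 198.51.100.7) failed.", None),
    # Line without the proxy header: nothing trustworthy to ban.
    ("[01-Jan-2024 10:00:02 +0000]: IMAP Error: Login failed for "
     "bob@example.com from 192.0.2.10. Authentication failed.", None),
]

def extract_host(failregex, line):
    """Return the address the filter would ban for this line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def failures(failregex, cases=CASES):
    """List (line, expected, got) for every case the regex gets wrong."""
    return [(line, want, got) for line, want in cases
            if (got := extract_host(failregex, line)) != want]

if __name__ == "__main__":
    for name, rx in (("thread", THREAD), ("strict", STRICT)):
        bad = failures(rx)
        print(name, "OK" if not bad else f"{len(bad)} case(s) wrong")
        for line, want, got in bad:
            print(f"  expected {want}, got {got}: {line}")
```

A harness like this only covers the cases you write down; the final check is still the fail2ban-regex run against your own log file, as shown in the post above.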
 
Hi,
My apologies, you're right it's a bug with the main fail2ban package, not plesk. (This is what happens when you're doing 10 things at once ha) What they failed to realize is that the "from host" reported is always going to be the server IP roundcube is hosted on, not the user's actual IP. That's why the regex must be changed to use the X-Real or X-Forwarded IP. Otherwise I'm just banning my own server's public IP from itself. That's ridiculous.

As long as your error output is the same in your log file, my regex will work fine. I tested the new regex extensively today and it is now banning offending IPs rather than itself.
 
The "normal" configuration should exclude your server IP(s) anyway, because you should definitely set the " ignoreip = 127.0.0.1/8 XXX.XXX.XXX.XXX XXX.XXX.XXX.XXY XXX.XXX.XXX.XXZ " (or please do it over the Plesk Panel - fail2ban configuration settings).
 
I have my own server IP as trusted. The log still outputs what's shown below. Therefore I am under the impression the regex should match up to the way the log outputs?
Login failed for [email protected] from ServerIP(X-Real-IP: UserIP
 
Hi Josh12,

but again, this is your output in your roundcube log ... and as I wrote above, other system configurations can have other outputs in their logs - that's why the information in the filter declares that the standard regex might not work on all systems and that you should adjust the regex based on your own, specific configurations and log outputs. Yes, you are right, the original fail2ban source could as well include more regex lines, in order to include more possible configurations, but unfortunately, the original source only includes one possible configuration.

You are able to request changes / addons / modifications for the original source at: https://github.com/fail2ban/fail2ban/pulls
 