commit
9c3f31a45a
@ -0,0 +1,7 @@
|
|||||||
|
Copyright (c) 2024 Snep <snep@diskcat.com>
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@ -0,0 +1,52 @@
|
|||||||
|
# Roundcube Mailcow Fail2Ban Plugin #
|
||||||
|
|
||||||
|
This is a small Roundcube plugin for [Mailcow-Dockerized](https://github.com/mailcow/mailcow-dockerized) environments, which integrates failed logins from Roundcube into Mailcows' Fail2Ban filter.
|
||||||
|
It writes an error message to the PHP-FPM log and the Fail2Ban Redis channel upon a failed login at the Roudncube web UI.
|
||||||
|
Both IPv4 and IPv6 are supported if your Mailcow is set up to use either or both.
|
||||||
|
|
||||||
|
## Installation ##
|
||||||
|
|
||||||
|
To install this plugin, you first need to download the plugin files into the right directory.
|
||||||
|
The following commands assume that your Mailcows' `docker-compose.yml` is located at `/opt/mailcow-dockerized`
|
||||||
|
and within that the directory `data/web/rc` containing your Roundcube installation.
|
||||||
|
Adjust this path if necessary.
|
||||||
|
|
||||||
|
```
|
||||||
|
wget -O /tmp/mailcow-f2b.tar.gz https://git.diskcat.com/Resneptacle/roundcube-mailcow-dockerized-fail2ban/archive/v1.0.tar.gz
|
||||||
|
tar -xvf /tmp/mailcow-f2b.tar.gz -C /tmp
|
||||||
|
mv /tmp/roundcube-mailcow-dockerized-fail2ban/mailcow_f2b /opt/mailcow-dockerized/data/web/rc/plugins
|
||||||
|
rm -r /tmp/mailcow-f2b.tar.gz /tmp/roundcube-mailcow-dockerized-fail2ban
|
||||||
|
```
|
||||||
|
|
||||||
|
After this, you need to enable the plugin, see below.
|
||||||
|
|
||||||
|
## Plugin Configuration ##
|
||||||
|
|
||||||
|
To enable the plugin, after you installed it into your Roundcube `plugin` directory, add `mailcow_f2b` to the enabled plugins list in the Roundcube `config.inc.php`,
|
||||||
|
which should be located at `/opt/mailcow-dockerized/data/web/rc/config/config.inc.php` following the above paths.
|
||||||
|
If you need to overwrite the default Redis connection data (Host `redis-mailcow`, Port `6379`), add the following configuration variables to your `config.inc.php`:
|
||||||
|
|
||||||
|
```
|
||||||
|
$config['mailcow_f2b_redis_host'] = "redis-mailcow";
|
||||||
|
$config['mailcow_f2b_redis_port'] = 6379;
|
||||||
|
```
|
||||||
|
|
||||||
|
The `config.inc.php.example` file in this directory shows where to add the `mailcow_f2b` plugin, in case you are unsure.
|
||||||
|
|
||||||
|
## Mailcow Configuration ##
|
||||||
|
|
||||||
|
For Mailcow to react to failed Roundcube logins, you need to add a custom Regex filter in the Mailcow Admin Panel.
|
||||||
|
For that, navigate to `System -> Configuration -> Options -> Fail2ban parameters`, scroll down to `[+] Regex filters` and click on it.
|
||||||
|
This will open a list of predefined regex filters that Fail2Ban looks for. Click on `Add row` and paste the following text into the newly added row:
|
||||||
|
|
||||||
|
```
|
||||||
|
roundcube: failed login from ([a-fA-F0-9:\.]+)
|
||||||
|
```
|
||||||
|
|
||||||
|
Remember to hit `Save changes` too!
|
||||||
|
Afterwards, Fail2Ban should start blocking IP addresses that generate failed login attemps above the thresholds set at the top of the Fail2Ban configuration page.
|
||||||
|
For more general information on Mailcows' Fail2Ban integration, [see here](https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-netfilter/).
|
||||||
|
|
||||||
|
## Credits ##
|
||||||
|
|
||||||
|
This project is inspired by a [standalone Fail2Ban plugin for Roundcube](https://github.com/mattrude/rc-plugin-fail2ban) made by [@mattrude](https://github.com/mattrude) over on GitHub.
|
@ -0,0 +1,10 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
// ... <rest of roundcube config> ...
|
||||||
|
|
||||||
|
$config['plugins'] = array (
|
||||||
|
'mailcow_f2b'
|
||||||
|
);
|
||||||
|
|
||||||
|
$config['mailcow_f2b_redis_host'] = "redis-mailcow";
|
||||||
|
$config['mailcow_f2b_redis_port'] = 6379;
|
@ -0,0 +1,49 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Plugin to integrate Roundcube into Mailcow-Dockerizeds' Fail2Ban
|
||||||
|
*
|
||||||
|
* @version 1.0
|
||||||
|
* @author Snep <snep@diskcat.com>
|
||||||
|
* @license MIT
|
||||||
|
* @url https://git.diskcat.com/Resneptacle/roundcube-mailcow-dockerized-fail2ban
|
||||||
|
*
|
||||||
|
* Inspired by https://github.com/mattrude/rc-plugin-fail2ban
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
class mailcow_f2b extends rcube_plugin {
|
||||||
|
|
||||||
|
function init () {
|
||||||
|
$this -> add_hook ('login_failed', [ $this, 'log_failed_attempt' ]);
|
||||||
|
}
|
||||||
|
|
||||||
|
function log_failed_attempt ($args) {
|
||||||
|
// Try to get Redis connection data from Roundcube config
|
||||||
|
$redis_host = rcmail::get_instance () -> config -> get ('mailcow_f2b_redis_host');
|
||||||
|
$redis_port = rcmail::get_instance () -> config -> get ('mailcow_f2b_redis_port');
|
||||||
|
|
||||||
|
// Use MailCow defaults for Redis connection if not set in Roundcube config
|
||||||
|
if (is_null ($redis_host)) $redis_host = "redis-mailcow";
|
||||||
|
if (is_null ($redis_port)) $redis_port = 6379;
|
||||||
|
|
||||||
|
$log_entry = "roundcube: failed login from {$_SERVER['REMOTE_ADDR']} for user {$args['user']}";
|
||||||
|
|
||||||
|
// Write log entry to PHP error log
|
||||||
|
error_log ("{$log_entry}\n");
|
||||||
|
|
||||||
|
// Open Redis connection
|
||||||
|
$redis = new Redis ();
|
||||||
|
try {
|
||||||
|
$redis -> connect ($redis_host, $redis_port);
|
||||||
|
} catch (Exception $e) {
|
||||||
|
error_log ("roundcube: failed to connect to redis database at {$redis_host}:{$redis_port} because " . $e -> getMessage () . "\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write log entry to Redis DB
|
||||||
|
$redis -> publish ("F2B_CHANNEL", $log_entry);
|
||||||
|
|
||||||
|
// Close Redis connection
|
||||||
|
$redis -> close ();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
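Review bot: In `log_failed_attempt` a failed Redis connection is only logged, and execution then falls through to `$redis -> publish (...)` and `$redis -> close ()` on an unconnected client, outside the `try` block. phpredis may signal a failed `connect()` either by throwing or by returning false (worth confirming for the installed version), so both outcomes should end the handler. As written, an exception from `publish()` would escape into the failed-login request and the event would never reach Fail2Ban. Keeping connect, publish and close in one `try` block and returning on failure, as sketched below, avoids both. Separately, `$args['user']` is client-supplied and is interpolated unescaped into the line written to the PHP log and to `F2B_CHANNEL`; stripping control characters from it first would keep one attempt from spanning several log lines.

```php
// … unchanged: config lookup, defaults, $log_entry, error_log of the entry …
$redis = new Redis ();
try {
	if ($redis -> connect ($redis_host, $redis_port) === false) {
		error_log ("roundcube: failed to connect to redis database at {$redis_host}:{$redis_port}\n");
		return;
	}

	// Publish and close inside the try block so a Redis error cannot escape the hook
	$redis -> publish ("F2B_CHANNEL", $log_entry);
	$redis -> close ();
} catch (Exception $e) {
	error_log ("roundcube: failed to publish to redis database at {$redis_host}:{$redis_port} because " . $e -> getMessage () . "\n");
}
```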