Fail2Ban Setup with RoundCube

For Fail2Ban to ban the IP addresses of computers trying to break into RoundCube, RoundCube needs to write the IP address of the offending system to its logs. To accomplish this, apply the following patch from the root of your RoundCube directory, or modify the program/lib/imap.inc file directly.

program/lib/imap.inc

Index: program/lib/imap.inc
============================================================
--- program/lib/imap.inc        (revision 2446)
+++ program/lib/imap.inc        (working copy)
@@ -428,7 +428,7 @@
if ($result == -3) fclose($conn->fp); // BYE response
-    $conn->error    .= 'Authentication for ' . $user . ' failed (AUTH): "';
+    $conn->error    .= 'Authentication for ' . $user . ' (' . getenv("REMOTE_ADDR") . ') failed (AUTH): "';
$conn->error    .= htmlspecialchars($line) . '"';
$conn->errorNum  = $result;
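Review bot: the address added on the `+` line comes from getenv("REMOTE_ADDR"), which only works when the web server exports the CGI variables into PHP's environment; `$_SERVER['REMOTE_ADDR']` is populated under every SAPI and is the safer source. Either way the value is the address of the peer that connected to the web server, so behind a reverse proxy or load balancer it is the proxy's address and Fail2Ban would end up banning the proxy instead of the client. Note also that `$user` is client-supplied and is written unescaped ahead of the address, so any filter that parses this line must key on the "(address) failed (AUTH):" segment rather than assume the username contains no spaces or parentheses.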

Once RoundCube is patched, you can use the jail and filter below to have Fail2Ban block the IP addresses that appear in RoundCube's log entries.

/etc/fail2ban/jail.conf:

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
action   = iptables-multiport[name=roundcube, port="http,https"]
logpath  = /var/logs/httpd/errors

/etc/fail2ban/filter.d/roundcube.conf:

[Definition]
failregex = IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):
ignoreregex =
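To check that the filter really picks the client address out of the lines the patched imap.inc writes, here is an added Python example (not part of the original post or of Fail2Ban) that expands the <HOST> tag the way fail2ban's classic 0.8 filters do and runs the regex over constructed Apache error-log lines; the log lines, usernames and addresses are made up, and the HOST_TAG pattern is assumed from fail2ban 0.8.

```python
import re

# Classic fail2ban (0.8.x) expansion of the <HOST> tag (assumed); newer releases
# use a longer pattern but keep the named group "host", which is all we rely on.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Filter line from the page, with the literal parentheses escaped so they match
# the "(1.2.3.4)" and "(AUTH)" text that the patched imap.inc writes.
FAILREGEX = r"IMAP Error: Authentication for .* \(<HOST>\) failed \((?:LOGIN|AUTH)\):"

# Same regex with the parentheses left as grouping metacharacters: it then needs
# the text "failed AUTH:" and therefore never matches the real log line.
FAILREGEX_UNESCAPED = r"IMAP Error: Authentication for .* (<HOST>) failed ((?:LOGIN|AUTH)):"

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def extract_hosts(failregex, log_lines):
    """Return the address captured from every line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_lines) if m]

# Constructed Apache error_log lines in the format the patched imap.inc produces
# (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = [
    '[Mon Jan 04 10:00:01 2010] [error] [client 192.0.2.10] IMAP Error: '
    'Authentication for alice (192.0.2.10) failed (AUTH): "NO Login failed." '
    'in /var/www/roundcube/program/lib/imap.inc on line 431',
    '[Mon Jan 04 10:00:02 2010] [error] [client 198.51.100.7] IMAP Error: '
    'Authentication for bob (198.51.100.7) failed (LOGIN): "NO Login failed."',
    # Unrelated IMAP error: must not produce a ban candidate.
    '[Mon Jan 04 10:00:03 2010] [error] [client 203.0.113.5] IMAP Error: '
    'Could not connect to localhost:143: Connection refused',
    # Username that mimics the log format: the greedy .* still yields the
    # address the server appended after the username, not the one inside it.
    '[Mon Jan 04 10:00:04 2010] [error] [client 192.0.2.77] IMAP Error: '
    'Authentication for eve (203.0.113.99) failed (AUTH): (192.0.2.77) '
    'failed (AUTH): "NO Login failed."',
]

if __name__ == "__main__":
    for host in extract_hosts(FAILREGEX, SAMPLE_LOG):
        print("ban candidate:", host)
    print("unescaped filter matches:", extract_hosts(FAILREGEX_UNESCAPED, SAMPLE_LOG))
```

The escaped regex yields one candidate per failed login and nothing for the connection error, while the unescaped form from the original filter matches no line at all.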