Debian Stretch - roundcube-auth doesn't ban failed logins from IP. It seems like failregex doesn't match logged failed logins.

Failed logins from Roundcube in /var/log/mail.log look like:

Mar 30 16:15:31 debian roundcube[13209]: <ppt6hqpa> IMAP Error: Login failed for [email protected] against localhost from 255.255.255.255. LOGIN: Login failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /roundcube/?_task=login&_action=login)
Mar 30 16:15:32 debian roundcube[13209]: <ppt6hqpa> Failed login for [email protected] from 255.255.255.255 in session ppt6hqpajq3nup5v (error: 0)

fail2ban - roundcube-auth.conf

[INCLUDES]

before = common.conf

[Definition]
failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
                ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$

fail2ban - jail.conf

[roundcube-auth]

port     = http,https
#logpath  = %(roundcube_errors_log)s
logpath  = /var/log/mail.log
enabled = true
maxretry = 2
bantime = 3600

fail2ban-client status

fail2ban-client status
Status
|- Number of jail:      9
`- Jail list:   apache-badbots, courier-auth, postfix, postfix-ispmail, postfix-sasl, proftpd, roundcube-auth, squirrelmail, sshd

fail2ban-client status roundcube-auth

Status for the jail: roundcube-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

1 Answer

I've changed failregex to

failregex = IMAP Error: Login failed for .* from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$

and it started to work
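
Added example, not part of the original post and not fail2ban's own code: it runs the question's failregex and the answer's failregex over constructed copies of the two log lines (user@example.com and 192.0.2.10 are placeholders). HOST, HOSTNAME and the timestamp stripping are simplified assumptions standing in for fail2ban's own handling, and the hypothetical without_pid helper shows that the shipped pattern matches once the [13209] PID suffix is gone.

```python
import re

# Assumptions (not from the page): simplified stand-ins for fail2ban internals.
HOST = r"(?P<host>[\w\-.^_]*\w)"   # stand-in for the <HOST> tag
HOSTNAME = r"\S+"                  # stand-in for %(__hostname)s from common.conf
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

TAIL = r"(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$"
FILTERS = {
    "shipped": [  # the two failregex lines from the question
        r"^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>" + TAIL,
        r"^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$",
    ],
    "answer": [r"IMAP Error: Login failed for .* from <HOST>" + TAIL],
}

# Constructed log lines modelled on the two in the question.
LOG = [
    "Mar 30 16:15:31 debian roundcube[13209]: <ppt6hqpa> IMAP Error: Login failed for user@example.com against localhost from 192.0.2.10. LOGIN: Login failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /roundcube/?_task=login&_action=login)",
    "Mar 30 16:15:32 debian roundcube[13209]: <ppt6hqpa> Failed login for user@example.com from 192.0.2.10 in session ppt6hqpajq3nup5v (error: 0)",
]

def compile_filter(name):
    """Expand the two placeholders and compile every pattern of a filter."""
    return [re.compile(p.replace("%(__hostname)s", HOSTNAME).replace("<HOST>", HOST))
            for p in FILTERS[name]]

def matched_hosts(name, lines):
    """Return the host captured from each line that the filter matches."""
    hosts = []
    for line in lines:
        rest = SYSLOG_TS.sub("", line)  # failregex is applied after the timestamp is removed
        for rx in compile_filter(name):
            m = rx.search(rest)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

def without_pid(lines):
    """Rewrite 'roundcube[13209]:' to 'roundcube:' to isolate the PID as the cause."""
    return [re.sub(r"roundcube\[\d+\]:", "roundcube:", line) for line in lines]

if __name__ == "__main__":
    print("shipped:             ", matched_hosts("shipped", LOG))
    print("answer:              ", matched_hosts("answer", LOG))
    print("shipped, PID removed:", matched_hosts("shipped", without_pid(LOG)))
```

The answer's pattern matches only the "IMAP Error" line, so each failed login is counted once toward maxretry. On the server itself, fail2ban-regex run with /var/log/mail.log and the path to roundcube-auth.conf tests the real filter against the real log.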
