Package: roundcube
Version: 0.1.1-8
Severity: wishlist

Roundcube is awesome and I like it lots, but the lack of any log output 
or hooks of any kind makes it annoyingly vulnerable to brute force 
attacks. I added a little error output into the login page to dump an 
apache-style line to stderr so it can be easily picked up by firewalling 
programs like fail2ban (see included patch).

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages roundcube depends on:
ii  roundcube-core                0.1.1-8    skinnable AJAX based webmail solut
ii  roundcube-mysql [roundcube-db 0.1.1-8    metapackage providing MySQL depend

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  apache2                       2.2.9-10   Apache HTTP Server metapackage
ii  apache2-mpm-prefork [httpd]   2.2.9-10   Apache HTTP Server - traditional n
ii  dbconfig-common               1.8.39     common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.22     Debian configuration management sy
ii  libmagic1                     4.26-1     File type determination library us
ii  php-auth                      1.6.1-1    PHP PEAR modules for creating an a
ii  php-db                        1.7.13-2   PHP PEAR Database Abstraction Laye
ii  php-mail-mime                 1.5.2-0.1  PHP PEAR module for creating MIME 
ii  php-net-smtp                  1.3.1-1    PHP PEAR module implementing SMTP 
ii  php-net-socket                1.0.8-2    PHP PEAR Network Socket Interface 
ii  php5                          5.2.6-5    server-side, HTML-embedded scripti
ii  php5-mcrypt                   5.2.6-5    MCrypt module for php5
ii  roundcube-mysql [roundcube-db 0.1.1-8    metapackage providing MySQL depend
ii  tinymce2                      2.1.3-1    platform independent web based Jav
ii  ucf                           3.0010     Update Configuration File: preserv

-- debconf information excluded
diff -Naur 0.1.1-8/index.php 0.1.1-8.slab/index.php
--- roundcube-0.1.1/index.php	2008-11-11 18:17:37.939438895 +0900
+++ roundcube-0.1.1-secured/index.php	2008-11-11 18:01:06.000000000 +0900
@@ -177,6 +177,9 @@
   else
   {
     $OUTPUT->show_message($IMAP->error_code == -1 ? 'imaperror' : 'loginfailed', 'warning');
+    if($IMAP->error_code != -1){
+      file_put_contents('php://stderr',"[".strftime("%c")."] [roundcube] [client ".$_SERVER['REMOTE_ADDR']."] failed login attempt.\n");
+    }
     rcmail_kill_session();
   }
 }
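Review bot: the `strftime("%c")` timestamp in the added `file_put_contents` line is locale-dependent (the reporter's box runs en_US.UTF-8 per the system information above), so a fail2ban failregex written against one LC_TIME stops matching as soon as the locale changes; a fixed format such as `strftime("%Y-%m-%d %H:%M:%S")` keeps the line stable for pattern matching. Two smaller points on the same line: `$_SERVER['REMOTE_ADDR']` is the proxy's address when Roundcube sits behind a reverse proxy, so a ban derived from it would hit the proxy rather than the client, and writing to `php://stderr` only reaches the Apache error log when PHP runs as an Apache module (which matches the apache2-mpm-prefork dependency listed here), whereas PHP's `error_log()` goes to the SAPI's configured error log under any setup.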

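One way to consume the line this patch writes, as an added example that is not part of the bug report or of Roundcube: a Python re-implementation of fail2ban's maxretry/findtime counting for the exact format the patch emits, run over constructed log lines. The regex is what a fail2ban failregex for this line would look like; it assumes the C locale for strftime("%c").

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format emitted by the patch's file_put_contents() call:
#   [<strftime("%c")>] [roundcube] [client <REMOTE_ADDR>] failed login attempt.
# Under the C locale %c renders as e.g. "Tue Nov 11 18:01:06 2008" (single-digit
# days are space-padded, which strptime's %d accepts).
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[roundcube\] "
    r"\[client (?P<host>[0-9a-fA-F.:]+)\] failed login attempt\.$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # assumes the C locale; %c is locale-dependent


def parse_line(line):
    """Return (timestamp, host) for a matching line, None for any other line."""
    m = FAILREGEX.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("host")


def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside a sliding findtime window,
    i.e. fail2ban's maxretry/findtime counting applied to this log format."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        # keep only the failures still inside the window ending at this attempt
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample log (not real data): one host hammers the login page, a
# second host fails twice but far apart, and an unrelated Apache line is mixed in.
SAMPLE_LOG = [
    "[Tue Nov 11 18:00:00 2008] [roundcube] [client 198.51.100.7] failed login attempt.",
    "[Tue Nov 11 18:01:06 2008] [roundcube] [client 192.0.2.10] failed login attempt.",
    "[Tue Nov 11 18:01:20 2008] [roundcube] [client 192.0.2.10] failed login attempt.",
    "[Tue Nov 11 18:01:41 2008] [error] [client 192.0.2.10] File does not exist: /favicon.ico",
    "[Tue Nov 11 18:01:41 2008] [roundcube] [client 192.0.2.10] failed login attempt.",
    "[Tue Nov 11 18:30:00 2008] [roundcube] [client 198.51.100.7] failed login attempt.",
]
```

Calling `hosts_to_ban(SAMPLE_LOG)` returns `{'192.0.2.10'}`: the second host's two failures are thirty minutes apart, so the sliding window never holds both.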