[Pkg-roundcube-maintainers] Bug#505267: roundcube: some form of log output on failed logins

Vincent Bernat bernat at debian.org
Sun Feb 15 17:08:05 UTC 2009

OoO On this rainy morning of Tuesday 11 November 2008, at around 10:53,
Kris Popendorf <krisp at dna.bio.keio.ac.jp> said:

> Roundcube is awesome and I like it lots, but the lack of any log output 
> or hooks of any kind makes it annoyingly vulnerable to brute force 
> attacks. I added a little error output into the login page to dump an 
> apache-style line to stderr so it can be easily picked up by firewalling 
> programs like fail2ban (see included patch).

Thanks for the patch. I have adapted it for roundcube 0.2-stable.
However, with Apache, I don't see anything either in
/var/log/apache2/error.log or in /var/log/roundcube/errors. Where should
the line appear?

If this only works with PHP as CGI or FCGI, it would be better to output
this line in /var/log/roundcube/errors. Moreover, you should modify
imap.inc instead. For example, the following line:
    $conn->error    .= 'Authentication for ' . $user . ' failed (LOGIN): "';

panic("bad_user_access_length executed (not cool, dude)");
        2.0.38 /usr/src/linux/kernel/panic.c
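The thread's point is that a failed-login line is only useful to fail2ban if it is distinct, timestamped and carries the client address. The following is an added example, not code from the patch or from Roundcube: it implements fail2ban's filter mechanics (a failregex with a `<HOST>` placeholder, plus the maxretry/findtime sliding window) in Python and runs them over constructed log lines. The line layout, the `Roundcube: Login failed for <user> from <ip>` wording and the addresses are all assumptions, since the page does not show the patch's actual output format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical layout; the thread's patch output is not
# shown on the page). Timestamps are Apache-style, addresses are documentation
# ranges. Lines 1-4 are a burst from one client, lines 6-7 are two failures
# from another client 21 minutes apart.
SAMPLE_LOG = """\
[15/Feb/2009 17:08:01 +0000] Roundcube: Login failed for alice from 203.0.113.7 (LOGIN)
[15/Feb/2009 17:08:02 +0000] Roundcube: Login failed for alice from 203.0.113.7 (LOGIN)
[15/Feb/2009 17:08:03 +0000] Roundcube: Login failed for root from 203.0.113.7 (LOGIN)
[15/Feb/2009 17:08:04 +0000] Roundcube: Login failed for admin from 203.0.113.7 (LOGIN)
[15/Feb/2009 17:08:10 +0000] Roundcube: Login succeeded for alice from 198.51.100.9
[15/Feb/2009 17:09:00 +0000] Roundcube: Login failed for carol from 198.51.100.9 (LOGIN)
[15/Feb/2009 17:30:00 +0000] Roundcube: Login failed for carol from 198.51.100.9 (LOGIN)
"""

# A fail2ban-style failregex for the assumed line format. fail2ban expands
# <HOST> to a capturing group for the client address; we do the same below.
FAILREGEX = r"Roundcube: Login failed for \S+ from <HOST>"

HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
TS_RE = re.compile(r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex):
    """Turn a fail2ban-style pattern with <HOST> into a compiled regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failures(log_text, failregex):
    """Yield (timestamp, host) for every line that matches the failregex.

    Lines without a parsable timestamp are skipped: without a time there is
    no way to apply a findtime window to them.
    """
    rx = compile_failregex(failregex)
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group("ts"), "%d/%b/%Y %H:%M:%S")
        yield ts, m.group("host")


def find_offenders(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return {host: peak_failures} for hosts that reached maxretry failures
    within any findtime-second window, mirroring fail2ban's ban condition."""
    windows = defaultdict(deque)   # per-host timestamps inside the window
    offenders = {}
    for ts, host in parse_failures(log_text, failregex):
        w = windows[host]
        w.append(ts)
        # Drop failures that fell out of the findtime window.
        while w and (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            offenders[host] = max(offenders.get(host, 0), len(w))
    return offenders


if __name__ == "__main__":
    for host, n in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {host}: {n} failures within window")
```

With the defaults (three failures in ten minutes) only 203.0.113.7 is reported; 198.51.100.9 is not, because its two failures are further apart than findtime. That is the behaviour a real fail2ban jail would show, and it is also why the log line must carry the address of the client, not the address of the IMAP server the login was attempted against.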