[Pkg-roundcube-maintainers] Bug#505267: roundcube: some form of log output on failed logins
Vincent Bernat
bernat at debian.org
Sun Feb 15 17:08:05 UTC 2009
OoO On this rainy morning of Tuesday, November 11, 2008, around 10:53,
Kris Popendorf <krisp at dna.bio.keio.ac.jp> said:

> Roundcube is awesome and I like it lots, but the lack of any log output
> or hooks of any kind makes it annoyingly vulnerable to brute force
> attacks. I added a little error output into the login page to dump an
> apache-style line to stderr so it can be easily picked up by firewalling
> programs like fail2ban (see included patch).

Thanks for the patch. I have adapted it for roundcube
0.2-stable. However, with Apache, I don't see anything either in
/var/log/apache2/error.log or in /var/log/roundcube/errors. Where should
the line appear?

If this only works with PHP as CGI or FCGI, it would be better to output
this line in /var/log/roundcube/errors. Moreover, you should modify
imap.inc instead. For example, the following line:

    $conn->error .= 'Authentication for ' . $user . ' failed (LOGIN): "';

Thanks.
--
panic("bad_user_access_length executed (not cool, dude)");
2.0.38 /usr/src/linux/kernel/panic.c
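
An added example, not part of the original message or of Roundcube: a fail2ban-style check (a number of failures per client IP inside a time window) run over constructed log lines. The Apache-style line format, the `find_offenders` name and its thresholds are assumptions, since the patch's actual output format is not shown in this thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Apache-error-log style format; the patch's real output is not shown in the thread.
# Anchoring at the line start means the client IP is always read from the server-written
# prefix, never from the attacker-controlled username that follows it.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] '
    r'Authentication for (?P<user>.*?) failed \(LOGIN\)'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
[Sun Feb 15 17:00:01 2009] [error] [client 192.0.2.10] Authentication for alice failed (LOGIN): "x"
[Sun Feb 15 17:00:20 2009] [error] [client 192.0.2.10] Authentication for alice failed (LOGIN): "x"
[Sun Feb 15 17:00:30 2009] [error] [client 198.51.100.7] Authentication for carol failed (LOGIN): "x"
[Sun Feb 15 17:01:00 2009] [error] [client 203.0.113.5] Authentication for bob [client 192.0.2.99] failed (LOGIN): "x"
[Sun Feb 15 17:01:05 2009] [error] [client 192.0.2.10] Authentication for admin failed (LOGIN): "x"
[Sun Feb 15 17:02:00 2009] [notice] unrelated server message
[Sun Feb 15 17:05:00 2009] [error] [client 198.51.100.7] Authentication for carol failed (LOGIN): "x"
[Sun Feb 15 17:30:00 2009] [error] [client 198.51.100.7] Authentication for carol failed (LOGIN): "x"
"""

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each client IP with max_retry failures inside find_time to the usernames it tried."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames seen in failed logins
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a failed-login line
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue              # malformed timestamp: skip rather than crash
        window = recent[m["ip"]]
        window.append(ts)
        tried[m["ip"]].add(m["user"])
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry:
            offenders[m["ip"]] = sorted(tried[m["ip"]])
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG.splitlines()))
```

The fourth sample line carries a username containing `[client 192.0.2.99]`; because the pattern is anchored, the failure is still attributed to 203.0.113.5.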