This feature is available with Artica version 1.4.111416.
If you are running an earlier release, you need to upgrade your Artica version.
If this version has not been released yet, see "How to upgrade Artica to a nightly build?".
With this feature you can automatically block a remote computer if its failed attempts exceed a limit during a specific period, in minutes.
This feature is enabled automatically with a maximum of 6 attempts in a 10-minute period. If you upgrade to this new version, there is nothing to do.
To tweak this feature:
- On the left menu, select Messaging/WebMail system.
- Choose the settings tab.
- Click on the "Anti-Hacks" icon.

The first tab defines the parameters of the engine. You can enable or disable the feature and define the limits for creating the firewall rule.

The second tab shows the IP addresses blocked by the engine.
You can delete or disable IP addresses if there are false alarms.
There is a difference between deleting an IP and disabling it:
- Delete the IP: if the remote client exceeds the attempts limit, it will be blocked next time.
- Disable the IP: if the remote client exceeds the attempts limit, it is whitelisted and will never be blocked.

Technical information:
The "Artica sysloger" daemon is in charge of parsing syslog events in real time (in this case, RoundCube events have been switched to syslog mode).
When it discovers failed attempts, it calculates the number of attempts and puts the blocked IP addresses into the "/etc/artica-postfix/settings/Daemons/RoundCubeHackConfig" database file.
When updating this database, it sends a notification to the administrator and executes
exec.roundcube.php --hacks
exec.roundcube.php with the --hacks token is in charge of creating iptables rules according to the ports set in the Artica configuration file.
It analyzes whether the remote client came from a RoundCube instance or the master instance.
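The counting described above, as an added Python example (not Artica's own code): it applies the page's defaults of 6 attempts in 10 minutes to syslog lines and skips addresses marked as disabled. The log line format, the function names and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 6                 # default stated on the page
WINDOW = timedelta(minutes=10)   # default stated on the page

# Assumed syslog shape for a failed RoundCube login (constructed for this example).
# Anchored at end of line so text inside the user name is never read as the client address.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ roundcube: "
    r".*Login failed for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def detect(lines, disabled=frozenset(), max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: timestamp of the failure that pushed it over the limit}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m or m["ip"] in disabled or m["ip"] in blocked:
            continue             # not a failure, whitelisted, or already blocked
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) > max_attempts:    # "exceed" read as strictly more than the limit
            blocked[m["ip"]] = ts
    return blocked

def sample_log():
    """Constructed log lines: burst, slow drip, disabled-IP burst, one success."""
    fmt = "2024-01-01T{:02d}:{:02d}:00 mail roundcube: IMAP Error: Login failed for {} from {}"
    lines = [fmt.format(10, i, "alice", "203.0.113.7") for i in range(7)]      # 7 in 6 min
    lines += [fmt.format(11, 5 * i, "bob", "198.51.100.9") for i in range(8)]  # 1 per 5 min
    lines += [fmt.format(12, i, "carol", "192.0.2.5") for i in range(9)]       # disabled IP
    lines.append("2024-01-01T12:30:00 mail roundcube: Successful login for dave from 203.0.113.8")
    return lines

if __name__ == "__main__":
    for ip, when in detect(sample_log(), disabled={"192.0.2.5"}).items():
        print(f"block {ip} (limit exceeded at {when.isoformat()})")
```

The slow drip from 198.51.100.9 never has more than three failures inside any 10-minute window, so only the burst is reported.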
Optional commands:
Restart the "Artica sysloger" service:
/etc/init.d/artica-postfix restart sysloger
Follow the "Artica sysloger" process:
tail -f /var/log/artica-postfix/syslogger.debug |grep ROUNDCUBE
Run exec.roundcube.php in debug mode:
php5 /usr/share/artica-postfix/exec.roundcube.php --hacks --verbose
Remove all iptables entries created by Anti-hack for RoundCube:
rm -f /etc/artica-postfix/settings/Daemons/RoundCubeHackConfig
php5 /usr/share/artica-postfix/exec.roundcube.php --hacks --verbose




