The rcguard reCaptcha plugin for RoundCube is a good way to protect your server against brute-force attacks on the Webmail login form. We will install it from the plugin's repository https://github.com/dsoares/rcguard.git. The addon was tested on CWP7.admin, CentOS Linux release 7.6.1810 (Core) with RoundCube version 1.2.3, and it was also tested with RoundCube version 1.3.8.
Step 1: First install git on your server. If it's missing you can install it either from your OS repository with a package manager or from source.
Install Git
# yum install git -y
Clone the plugin through git:
# cd /usr/local/cwpsrv/var/services/roundcube/plugins/
# git clone https://github.com/dsoares/rcguard.git rcguard
If you see an error, read the output carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.
Change the directory ownership so the plugin belongs to the CWP service user:
# chown -R cwpsvc:cwpsvc rcguard/
Rename the config file:
# cd rcguard
# mv config.inc.php.dist config.inc.php
Add your reCaptcha keys
Go to https://www.google.com/recaptcha/intro/v3.html and get your keys.
N.B.: It's important to mention that Google will show reCaptcha only on domains which were registered at Google for this particular pair of keys. This means that you should either register all of your domains at Google if you want to access RoundCube on users' domains, or use one domain (or hostname) for all users and register only that one domain at Google.
Add/Register a new site:
Enter the server IP or hostname, i.e. the domain you want to access Roundcube or phpMyAdmin with, then hit the Register button. You will now see a site key and a secret key; copy these keys, we'll need them in the next step (step 2):
As soon as you get your keys you should add them into configuration file of the addon.
Alternatively, you can go to Advanced Settings >> Domain Name Validation and uncheck "Verify the origin of reCAPTCHA solutions" to allow the keys on any domain (wildcard permission). Keep in mind that this disables Google's check that a solution came from one of your registered domains.
# vi config.inc.php
and update the following lines (from line number 23) with your real public and private keys from Google. Remember:
Public key = Site key
Private key = Secret key
So it would look like the following:
For security reasons some characters are masked here; in your case there should be no asterisks.
You can change other settings of the plugin per your needs.
For example this one (from line number 7):
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;
can be changed to:
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;
if you want reCaptcha to be shown after the first failed login (the default is 5). Better still, change it to 0 (zero) to show the captcha always.
Enable log events (from line number 42):
// Log events
$rcmail_config['recaptcha_log'] = true;
You can disable reCaptcha for your office/home network (from line number 63). Replace the x.x.x.x placeholders with your own addresses; as PHP strings they must be quoted:
// Do not show recaptcha for these IPs
$rcmail_config['rcguard_ignore_ips'] = array( 'x.x.x.x' );
// Do not show recaptcha for these networks
$rcmail_config['recaptcha_whitelist'] = array( 'x.x.x.x/x' );
Create a new table in the Roundcube database.
Go to phpMyAdmin, select the Roundcube database (roundcube), click the SQL tab and copy/paste the following code:
CREATE TABLE `rcguard` (
`ip` VARCHAR(40) NOT NULL,
`first` DATETIME NOT NULL,
`last` DATETIME NOT NULL,
`hits` INT(10) NOT NULL,
PRIMARY KEY (`ip`),
INDEX `last_index` (`last`),
INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Then click "Go".
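The settings above (failed_attempts, rcguard_ignore_ips, recaptcha_whitelist) and the rcguard table work together to decide which clients get the CAPTCHA. The following Python script is an added example, not the plugin's own code: it models that decision over constructed rows of the rcguard table so you can see which source addresses would currently be challenged and which are exempt. The threshold comparison (hits >= failed_attempts) and 0 meaning "always show" are assumptions labelled in the code.

```python
# Added illustration, not the rcguard plugin's own code: models how the
# settings shown above decide whether the CAPTCHA is shown, and lists which
# rows of the `rcguard` table are currently being challenged.
# Assumption: the plugin compares the per-IP `hits` counter against
# failed_attempts (hits >= failed_attempts), and 0 means "always show".
import ipaddress

# Constructed config, mirroring the keys in config.inc.php above.
CONFIG = {
    "failed_attempts": 5,
    "rcguard_ignore_ips": ["203.0.113.10"],   # single hosts
    "recaptcha_whitelist": ["192.0.2.0/24"],  # whole networks (CIDR)
}

# Constructed sample rows from the `rcguard` table: (ip, first, last, hits).
SAMPLE_ROWS = [
    ("198.51.100.7",  "2019-05-01 10:00:00", "2019-05-01 10:04:10", 7),
    ("192.0.2.55",    "2019-05-01 09:58:00", "2019-05-01 10:03:00", 9),
    ("203.0.113.10",  "2019-05-01 09:00:00", "2019-05-01 10:01:00", 12),
    ("198.51.100.99", "2019-05-01 10:02:00", "2019-05-01 10:02:30", 2),
]


def is_exempt(ip, cfg):
    """True if ip is listed in rcguard_ignore_ips or inside a whitelisted network."""
    if ip in cfg["rcguard_ignore_ips"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in cfg["recaptcha_whitelist"])


def captcha_required(ip, hits, cfg):
    """Apply the failed_attempts threshold; 0 means the CAPTCHA is always shown."""
    if is_exempt(ip, cfg):
        return False
    threshold = cfg["failed_attempts"]
    return threshold == 0 or hits >= threshold


def challenged_ips(rows, cfg):
    """Rows that would currently be challenged, most hits first: (ip, hits, last)."""
    hot = [(ip, hits, last) for ip, _first, last, hits in rows
           if captcha_required(ip, hits, cfg)]
    return sorted(hot, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, hits, last in challenged_ips(SAMPLE_ROWS, CONFIG):
        print(f"{ip:16} hits={hits:<3} last failure={last}")
```

Running it against a dump of your real rcguard table (for example `SELECT ip, first, last, hits FROM rcguard`) gives a quick view of which addresses are hammering the login form and whether any of them are exempt.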
Step 3: Add 'rcguard' to Roundcube's config file. It should look something like this:
# vi /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
...
$config['plugins'] = array(
'archive',
'zipdownload',
'managesieve',
'password',
'rcguard',
);
...
So it would look like the following (from line number 79). That's all; now Roundcube's login form should look like this:
Browse:
http://domain-name/webmail/ or
https://server-fqdn:port/roundcube/
This post is based on this article.
Important Link
https://github.com/dsoares/roundcube-rcguard