
Protect CWP RoundCube From Brute Force Attack with Google reCaptcha

The reCaptcha plugin for RoundCube is a good way to protect your server against brute-force attacks on webmail. We will install it from the plugin's repository https://github.com/dsoares/rcguard.git. The addon was tested on CWP7.admin, CentOS Linux release 7.6.1810 (Core) with RoundCube version 1.2.3, and also with RoundCube version 1.3.8.
Let's add Google's reCaptcha to RoundCube's login form on CWP.

Step 1: First install git on your server. If it's missing you can install it either from your OS repository with a package manager or from source.
Install Git
# yum install git -y
Clone the plugin through git
# cd /usr/local/cwpsrv/var/services/roundcube/plugins/
# git clone https://github.com/dsoares/rcguard.git rcguard
If you see an error, read it carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.
Change the directory ownership to the CWP service user
# chown -R cwpsvc:cwpsvc rcguard/
Rename the config file
# cd rcguard
# mv config.inc.php.dist config.inc.php

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/intro/v3.html and get your keys.
[Screenshot: Google reCaptcha key registration page]

N.B.: It's important to mention that Google will show reCaptcha only on domains which were registered at Google for this particular pair of keys. This means you should either register all of your domains at Google if you want to access RoundCube on users' domains, or use one domain (or hostname) for all users and register only that domain at Google.

Add/Register a new site:
[Screenshot: Google reCaptcha site registration form]
Enter the server IP or hostname (the domain you want to access Roundcube or phpMyAdmin with), then hit the Register button. You will now see the site key and secret key; copy these keys, we'll need them in step 2.
As soon as you get your keys, add them to the addon's configuration file.
[Screenshot: Google reCaptcha site key and secret key]
You can go to Advanced Settings >> Domain Name Validation and uncheck "Verify the origin of reCAPTCHA solutions" for wildcard permission. With that box unchecked Google accepts solutions from any domain for this key pair, so the hostname field in its verification response is the only thing still tying a solution to your site.
[Screenshot: Google reCaptcha advanced options]
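Since unchecking domain validation leaves the origin check to the server, here is an added example (written for this post, not rcguard's own code) of how a server should evaluate the JSON that Google's reCAPTCHA siteverify endpoint returns: reject a failed verification, a solution whose hostname is not one you registered, and a stale token. The hostnames, timestamps and response bodies are constructed samples.

```python
import json
from datetime import datetime, timedelta, timezone

# Added example for this post (not rcguard's own code): how a server should
# treat the JSON returned by Google's reCAPTCHA "siteverify" endpoint once
# "Verify the origin of reCAPTCHA solutions" has been unchecked. With that box
# off, Google no longer restricts which domain a solution came from, so the
# server must compare the "hostname" field itself. The request (not sent here)
# is an HTTPS POST to https://www.google.com/recaptcha/api/siteverify with the
# form fields secret=<secret key>, response=<g-recaptcha-response from the
# login form> and optionally remoteip=<client IP>.

MAX_AGE = timedelta(minutes=2)   # Google expires tokens after about two minutes


def evaluate_siteverify(body, allowed_hosts, now):
    """Return (accept, reason) for one siteverify JSON body.

    allowed_hosts: the hostnames you registered for this key pair.
    now: a timezone-aware datetime, passed in so the check is deterministic.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, "unparseable response"
    if data.get("success") is not True:
        # On failure Google lists the reason(s) in error-codes.
        return False, "rejected by google: " + ",".join(data.get("error-codes", []))
    host = data.get("hostname", "")
    if host not in set(allowed_hosts):
        # Solved on a site we did not register: treat it like a failed login.
        return False, "hostname %r not in allowlist" % host
    try:
        ts = datetime.strptime(data.get("challenge_ts", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "missing or malformed challenge_ts"
    if now - ts.replace(tzinfo=timezone.utc) > MAX_AGE:
        # Belt and braces: Google already rejects stale tokens (timeout-or-duplicate).
        return False, "token too old"
    return True, "ok"


# Constructed sample bodies in the documented siteverify format.
NOW = datetime(2019, 3, 1, 10, 1, 0, tzinfo=timezone.utc)
GOOD = '{"success": true, "challenge_ts": "2019-03-01T10:00:00Z", "hostname": "host.example.com"}'
WRONG_HOST = '{"success": true, "challenge_ts": "2019-03-01T10:00:00Z", "hostname": "other.example"}'
FAILED = '{"success": false, "error-codes": ["invalid-input-response"]}'
STALE = '{"success": true, "challenge_ts": "2019-03-01T09:50:00Z", "hostname": "host.example.com"}'

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("wrong host", WRONG_HOST), ("failed", FAILED), ("stale", STALE)):
        print(name, evaluate_siteverify(body, {"host.example.com"}, NOW))
```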
Step 2: Open the config file of the plugin in an editor:
# vi config.inc.php
and update the following lines (from line 23) with your real public and private keys from Google. Remember:
Public key = Site key
Private key = Secret key
[Screenshot: the public and private key lines in config.inc.php]
So it would look like the following:
[Screenshot: the same lines with the keys filled in. For security reasons some characters are masked in the screenshot; in your case there should not be asterisks.]
You can change other settings of the plugin per your needs.
For example this one (From Line number 7):
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;
Can be changed to
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;
if you want reCaptcha to be shown after the first failed login (the default is 5). It's better still to change it to 0 (zero) so the captcha is always shown.

Enable Log Events (From Line number 42)
// Log events
$rcmail_config['recaptcha_log'] = true;
You can disable reCaptcha for your office/home network (from line 63):
// Do not show recaptcha for these IPs
$rcmail_config['rcguard_ignore_ips'] = array( 'x.x.x.x' );

// Do not show recaptcha for these networks (CIDR notation)
$rcmail_config['recaptcha_whitelist'] = array( 'x.x.x.x/x' );

Create a new table in the Roundcube database.

Go to phpMyAdmin, select the Roundcube database (roundcube), click the SQL tab and paste the following statement:
CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Then, click "Go"
[Screenshot: the CREATE TABLE statement pasted into the phpMyAdmin SQL tab]
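To make the settings above (failed_attempts, rcguard_ignore_ips, recaptcha_whitelist) and the rcguard table concrete, here is an added example: a small model written for this post, not the plugin's own code, that keeps the table in an in-memory SQLite database and decides per client IP whether the captcha must be shown. The IP addresses, timestamps and the expiry window are this model's own assumptions.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Added example (a model written for this post, not the rcguard plugin's own
# code) of what failed_attempts, rcguard_ignore_ips and recaptcha_whitelist
# mean against the rcguard table created above: one row per client IP counts
# failed logins ("hits"), and the captcha is shown once hits >= failed_attempts
# unless the IP is ignored or whitelisted. The expiry window is this model's own.
SCHEMA = """CREATE TABLE rcguard (
  ip VARCHAR(40) NOT NULL PRIMARY KEY,
  first DATETIME NOT NULL,
  last DATETIME NOT NULL,
  hits INT NOT NULL)"""

T0 = datetime(2019, 3, 1, 10, 0, 0)          # constructed sample clock
LATER = T0 + timedelta(minutes=31)           # after the 30 minute window below


class RcGuardModel:
    def __init__(self, failed_attempts=5, ignore_ips=(), whitelist=(), expire_minutes=30):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)
        self.failed_attempts = failed_attempts        # 0 means: always show the captcha
        self.ignore_ips = {ipaddress.ip_address(i) for i in ignore_ips}
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.expire = timedelta(minutes=expire_minutes)

    def exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return addr in self.ignore_ips or any(addr in net for net in self.whitelist)

    def record_failure(self, ip, now):
        """Call after a failed login: insert a row for this IP or bump its counter."""
        stamp = now.isoformat(sep=" ")
        if self.db.execute("SELECT 1 FROM rcguard WHERE ip=?", (ip,)).fetchone() is None:
            self.db.execute("INSERT INTO rcguard VALUES (?,?,?,1)", (ip, stamp, stamp))
        else:
            self.db.execute("UPDATE rcguard SET hits=hits+1, last=? WHERE ip=?", (stamp, ip))

    def hits(self, ip, now):
        # Drop counters whose last failure is older than the window, so a user
        # who mistyped a password once is not stuck behind the captcha forever.
        cutoff = (now - self.expire).isoformat(sep=" ")
        self.db.execute("DELETE FROM rcguard WHERE last < ?", (cutoff,))
        row = self.db.execute("SELECT hits FROM rcguard WHERE ip=?", (ip,)).fetchone()
        return row[0] if row else 0

    def show_captcha(self, ip, now):
        """The decision the login form needs: render reCaptcha for this client?"""
        return not self.exempt(ip) and self.hits(ip, now) >= self.failed_attempts
```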
Step 3: Add 'rcguard' to the plugins array in Roundcube's config file. It should look something like this:
# vi /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
...
  $config['plugins'] = array(
     'archive',
     'zipdownload',
     'managesieve',
     'password',
     'rcguard',
  );
...
After the edit, the plugins array (around line 79) should contain 'rcguard'.
[Screenshot: the edited plugins array in config.inc.php]

That's all; Roundcube's login form should now show the reCaptcha. Browse to:
http://domain-name/webmail/ or
https://server-fqdn:port/roundcube/
[Screenshot: the webmail login form with reCaptcha]

This post is based on this article.

Important Link
https://github.com/dsoares/roundcube-rcguard
