Protect CWP RoundCube From Brute Force Attack with Google reCaptcha

The reCaptcha plugin for RoundCube is a good way to protect your server against brute-force attacks on webmail. We will install it from the plugin's repository. The addon was tested on CWP7.admin, CentOS Linux release 7.6.1810 (Core) and RoundCube version 1.2.3, and also with RoundCube version 1.3.8.
Let's add Google's reCaptcha to RoundCube's login form on CWP.

Step 1: First install git on your server. If it's missing you can install it either from your OS repository with a package manager or from sources.
Install Git
# yum install git -y
Clone the plugin through git
# cd /usr/local/cwpsrv/var/services/roundcube/plugins/
# git clone rcguard
If you see an error you should read everything carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.
Change the directory ownership
# chown -R cwpsvc:cwpsvc rcguard/
Rename the config file
# cd rcguard
# mv

Add your reCaptcha keys

Go to and get your keys.
Google reCaptcha

N.B.: It is important to mention that Google will show reCaptcha only on domains which were registered at Google for this particular pair of keys. This means that you should either register all of your domains at Google if you want to access RoundCube on users' domains, or use one domain (or hostname) for all users and register that one domain at Google.

Add/Register a new site :
Enter the server IP, hostname or domain you want to access Roundcube or phpMyAdmin with, then hit the Register button. You will now see the site key and the secret key; copy these keys, we'll need them in Step 2.
As soon as you get your keys you should add them to the configuration file of the addon.
For wildcard permission you can go to Advanced Settings >> Domain Name Validation and uncheck "Verify the origin of reCAPTCHA solutions".
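Added example (not rcguard's code and not from the original post): with domain validation unchecked, the `hostname` field in Google's siteverify reply is the only record of where a token was solved, so the server side should compare it against the hosts webmail is actually served on. The function name, the allowed host names and the sample replies are constructed for illustration.

```php
<?php
// Added example, not part of rcguard. Host names and sample replies
// below are constructed for illustration.

/**
 * Decide whether a decoded siteverify reply may be accepted.
 * Returns array(bool $ok, string $reason).
 */
function captcha_reply_ok(array $reply, array $allowed_hosts, $max_age = 120, $now = null)
{
    $now = ($now === null) ? time() : $now;

    if (empty($reply['success'])) {
        $codes = isset($reply['error-codes']) ? implode(',', (array) $reply['error-codes']) : 'none';
        return array(false, 'google rejected token: ' . $codes);
    }

    // With domain validation unchecked, Google no longer enforces this.
    $host = isset($reply['hostname']) ? strtolower(rtrim($reply['hostname'], '.')) : '';
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return array(false, 'token solved on unexpected host: ' . $host);
    }

    // Reject stale solutions (challenge_ts is an ISO 8601 timestamp).
    $solved = isset($reply['challenge_ts']) ? strtotime($reply['challenge_ts']) : false;
    if ($solved === false || $now - $solved > $max_age) {
        return array(false, 'token too old or missing timestamp');
    }

    return array(true, 'ok');
}

// Constructed sample replies in the shape of the siteverify JSON.
$allowed = array('mail.example.com', 'webmail.example.net');
$now     = strtotime('2019-03-01T10:01:00Z');
$samples = array(
    '{"success":true,"challenge_ts":"2019-03-01T10:00:30Z","hostname":"mail.example.com"}',
    '{"success":true,"challenge_ts":"2019-03-01T10:00:30Z","hostname":"other.example.org"}',
    '{"success":false,"error-codes":["invalid-input-response"]}',
);

foreach ($samples as $json) {
    list($ok, $reason) = captcha_reply_ok(json_decode($json, true), $allowed, 120, $now);
    echo ($ok ? 'ACCEPT' : 'REJECT') . '  ' . $reason . "\n";
}
```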
Step 2: Open the config file of the plugin in an editor:
# vi
and update the following lines (from line 23) with your real public and private keys from Google:
Remember:
Public key = Site key
Private key = Secret key
So it would look like the following:
For security reasons some symbols are masked here; in your case there should be no asterisks.
You can change other settings of the plugin to suit your needs.
For example, this one (from line 7):
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;
Can be changed to
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;
if you want reCaptcha to be shown after the first failed login (the default is 5). It is better still to change it to 0 (zero) so that the captcha is always shown.

Enable Log Events (From Line number 42)
// Log events
$rcmail_config['recaptcha_log'] = true;
You can disable reCaptcha for your office/home network (from line 63)
// Do not show recaptcha for these IPs
$rcmail_config['rcguard_ignore_ips'] = array('x.x.x.x');

// Do not show recaptcha for these networks
$rcmail_config['recaptcha_whitelist'] = array('x.x.x.x/x');

Create a new table in the Roundcube database.

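Go to phpMyAdmin, select the Roundcube database (roundcube), click the SQL tab and copy/paste the following code:
CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  -- time of the first and the most recent failed login from this IP;
  -- the `last_index` below requires the `last` column
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;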
Then, click "Go"
Step 3: Add 'rcguard' to the plugins list in Roundcube's config file. It should be something like this:
# vi /usr/local/cwpsrv/var/services/roundcube/config/
  $config['plugins'] = array(
So it would look like the following (From Line number 79):

That's all. Roundcube's login form should now look like this:
http://domain-name/webmail/ or

This post is based on this article.