
Protect CWP RoundCube From Brute Force Attack with Google reCaptcha

The reCaptcha plugin for RoundCube is a good way to protect your server against brute-force attacks on webmail. We will install it from the plugin's repository https://github.com/dsoares/rcguard.git. The addon was tested on CWP7.admin, CentOS Linux release 7.6.1810 (Core) with RoundCube version 1.2.3, and also with RoundCube version 1.3.8.
Let's add Google's reCaptcha to the RoundCube login form on CWP.

Step 1: First install git on your server. If it is missing, you can install it either from your OS repository with a package manager or from source.
Install Git
# yum install git -y
Clone the plugin with git
# cd /usr/local/cwpsrv/var/services/roundcube/plugins/
# git clone https://github.com/dsoares/rcguard.git rcguard
If you see an error, read it carefully and try to resolve it. Please feel free to contact us if anything goes wrong here.
Change the directory ownership
# chown -R cwpsvc:cwpsvc rcguard/
Rename the config file
# cd rcguard
# mv config.inc.php.dist config.inc.php

Add your reCaptcha keys

Go to https://www.google.com/recaptcha/intro/v3.html and get your keys.

N.B.: Google will show the reCaptcha only on domains that were registered at Google for this particular pair of keys. This means you should either register all of your domains at Google if you want to access RoundCube on users' domains, or use one domain (or hostname) for all users and register only that domain at Google.

Add/Register a new site :
Enter the server IP or hostname (the domain you want to access Roundcube or phpMyAdmin with), then hit the Register button. You will now see the site key and secret key; copy these keys, we will need them in step 2.
As soon as you get your keys you should add them to the configuration file of the addon.
You can go to Advanced Settings >> Domain Name Validation and uncheck "Verify the origin of reCAPTCHA solutions" if you want the key pair to work on any domain.
Step 2: Open the config file of the plugin in an editor:
# vi config.inc.php
and update the following lines (from line number 23) with your real public and private keys from Google:
Remember here:
Public key = Site key
Private key = Secret key
code
So it would look like the following:
code
For security reasons some characters are masked here; in your case there should be no asterisks.
You can change other settings of the plugin to suit your needs.
For example this one (from line number 7):
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 5;
Can be changed to
// Number of failed logins before reCAPTCHA is shown
$rcmail_config['failed_attempts'] = 1;
if you want the reCaptcha to be shown after the first failed login (the default is 5). It is better still to change it to 0 (zero), which shows the captcha always.

Enable log events (from line number 42)
// Log events
$rcmail_config['recaptcha_log'] = true;
You can disable the reCaptcha for your office/home network (from line number 63). Note that the entries must be quoted strings, otherwise the PHP config file will not parse:
// Do not show recaptcha for these IPs
$rcmail_config['rcguard_ignore_ips'] = array( 'x.x.x.x' );

// Do not show recaptcha for these networks
$rcmail_config['recaptcha_whitelist'] = array( 'x.x.x.x/x' );

Create a new table in the Roundcube database.

Go to PHPMyAdmin, select the Roundcube database (roundcube), click the SQL tab and copy/paste the following code:
CREATE TABLE `rcguard` (
  `ip` VARCHAR(40) NOT NULL,
  `first` DATETIME NOT NULL,
  `last` DATETIME NOT NULL,
  `hits` INT(10) NOT NULL,
  PRIMARY KEY (`ip`),
  INDEX `last_index` (`last`),
  INDEX `hits_index` (`hits`)
) ENGINE = InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
Then click "Go".
Step 3: Add 'rcguard' to Roundcube's config file. It should look something like this:
# vi /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
...
  $config['plugins'] = array(
     'archive',
     'zipdownload',
     'managesieve',
     'password',
     'rcguard',
  );
...
So it would look like the following (from line number 79):
code

That's all. Now Roundcube's login form should show the captcha. Browse to:
http://domain-name/webmail/ or
https://server-fqdn:port/roundcube/
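A quick way to confirm the steps above took effect, as an added example that is not part of the original post or the rcguard project: a small POSIX shell script that checks that 'rcguard' is listed in Roundcube's plugins array, reads the failed_attempts value from the plugin config, and catches unquoted IP entries in the ignore/whitelist arrays. It takes the two config paths as arguments; the sample configs it writes are constructed for the demo, not copied from a real server.

```shell
#!/bin/sh
# Added, constructed example (not rcguard/CWP code). Args: Roundcube config, then plugin config.
# 0 when 'rcguard' is listed inside the $config['plugins'] = array(...) block.
rcguard_enabled() {
    sed -n '/\$config\[.plugins.\]/,/);/p' "$1" | grep -q "'rcguard'"
}
# Print the failed_attempts value (0 = captcha always shown), or "unset".
failed_attempts() {
    v=$(sed -n 's/^[[:space:]]*\$rcmail_config\[.failed_attempts.\][[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}
# 0 when every rcguard_ignore_ips / recaptcha_whitelist entry is a quoted string;
# an unquoted IP literal is not valid PHP and breaks the whole plugin config.
ip_lists_quoted() {
    ! grep -E "(rcguard_ignore_ips|recaptcha_whitelist).*array\(([^)]*,)?[[:space:]]*[^'\")[:space:],]" "$1" >/dev/null
}
# Run all checks; prints findings and returns the number of failed checks.
check_rcguard() {
    fails=0
    rcguard_enabled "$1" || { echo "FAIL: 'rcguard' not in \$config['plugins'] ($1)"; fails=$((fails + 1)); }
    n=$(failed_attempts "$2")
    if [ "$n" = unset ]; then echo "FAIL: failed_attempts not set ($2)"; fails=$((fails + 1))
    elif [ "$n" -gt 1 ]; then echo "WARN: failed_attempts=$n; the guide above suggests 0 or 1"; fi
    ip_lists_quoted "$2" || { echo "FAIL: unquoted IP entry in ignore/whitelist ($2)"; fails=$((fails + 1)); }
    return $fails
}
# Constructed sample configs (not from a real server) so the checks run stand-alone.
write_samples() {
    cat > "$1/rc.inc.php" <<'EOF'
<?php
$config['plugins'] = array(
   'archive',
   'rcguard',);
EOF
    cat > "$1/good.inc.php" <<'EOF'
<?php
$rcmail_config['failed_attempts'] = 0;
$rcmail_config['rcguard_ignore_ips'] = array( '203.0.113.10' );
$rcmail_config['recaptcha_whitelist'] = array( '198.51.100.0/24' );
EOF
    cat > "$1/bad.inc.php" <<'EOF'
<?php
$rcmail_config['failed_attempts'] = 5;
$rcmail_config['rcguard_ignore_ips'] = array( 203.0.113.10 );
EOF
}
d=$(mktemp -d); write_samples "$d"
check_rcguard "$d/rc.inc.php" "$d/good.inc.php" && echo "good config: OK"
check_rcguard "$d/rc.inc.php" "$d/bad.inc.php" || echo "bad config: $? failed check(s)"
```

On a real server, call check_rcguard with the two paths from Steps 2 and 3 instead of the sample files.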

This post is based on this article.

Important Link
https://github.com/dsoares/roundcube-rcguard
