OoO On this rainy morning of Tuesday, November 11, 2008, around 10:53, Kris Popendorf <[email protected]> said:
> Roundcube is awesome and I like it lots, but the lack of any log output
> or hooks of any kind makes it annoyingly vulnerable to brute force
> attacks. I added a little error output into the login page to dump an
> apache-style line to stderr so it can be easily picked up by firewalling
> programs like fail2ban (see included patch).
Thanks for the patch. I have adapted it for roundcube
0.2-stable. However, with Apache, I don't see anything either in
/var/log/apache2/error.log or in /var/log/roundcube/errors. Where should
the line appear?
If this only works with PHP as CGI or FCGI, it would be better to output
this line in /var/log/roundcube/errors. Moreover, you should modify
imap.inc instead. For example, the following line:
$conn->error .= 'Authentication for ' . $user . ' failed (LOGIN): "';
Thanks.
--
panic("bad_user_access_length executed (not cool, dude)");
2.0.38 /usr/src/linux/kernel/panic.c
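
Added example, not part of the original message or of the patch: a fail2ban-style threshold check in Python over the kind of failed-login line discussed above, run on constructed sample lines. The Apache error-log layout, the sample data and the names FAILREGEX, TS_FORMAT, SAMPLE_LOG and find_offenders are assumptions; only the "Authentication for ... failed (LOGIN)" text comes from the message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (Apache error-log style); the message text is the
# one quoted from imap.inc in the reply above.
# Anchored at line start: the username is user-supplied text, so the
# client address is read only from the fixed leading field.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"Authentication for (?P<user>.*) failed \(LOGIN\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE_LOG = [
    '[Tue Nov 11 10:40:00 2008] [error] [client 198.51.100.7] Authentication for bob failed (LOGIN): "NO"',
    '[Tue Nov 11 10:53:01 2008] [error] [client 192.0.2.10] Authentication for alice failed (LOGIN): "NO"',
    '[Tue Nov 11 10:53:05 2008] [error] [client 192.0.2.10] Authentication for admin failed (LOGIN): "NO"',
    '[Tue Nov 11 10:53:07 2008] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
    '[Tue Nov 11 10:53:09 2008] [error] [client 192.0.2.10] Authentication for root failed (LOGIN): "NO"',
    '[Tue Nov 11 10:58:00 2008] [error] [client 198.51.100.7] Authentication for bob failed (LOGIN): "NO"',
    '[Tue Nov 11 11:15:00 2008] [error] [client 198.51.100.7] Authentication for bob failed (LOGIN): "NO"',
]

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {host: time threshold was reached} for hosts with at least
    maxretry failed logins inside a sliding window of length findtime.
    Lines are assumed to be in chronological order, as in a log file."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    offenders = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failed-login line
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # timestamp not in the assumed format
        window = recent[m.group("host")]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            offenders.setdefault(m.group("host"), ts)
    return offenders

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{host} reached the failure threshold at {when}")
```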

