fail2ban jail for OMV GUI login?

    • OMV 2.x
    • Resolved
    • fail2ban jail for OMV GUI login?

      Has anyone configured a jail for login failures for the main OMV GUI? I see the failure attempts appear in the auth.log, but no jails are configured to look for these by default.

      Also, separate question. eXtplorer doesn't have a log that I can find. I'm assuming this means it would be impossible for it to be used with fail2ban?
    • I think that filter is not correct.

      Try
      Filter: nginx

      or

      Filter: nginx-http-auth

      OMV 4.1.11 x64 on a HP T510, 16GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOHTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ; ctop
      Dockers: MLDonkey ; PiHole ; weTTY
      Videos: @TechnoDadLife

      The post was edited 2 times, last by raulfg3 ().

    • @Reed
      >Has anyone configured a jail for login failures for the main OMV GUI?
      No, OMV already has its own system (pam /etc/pam.d/openmediavault-webgui)

      >I see the failure attempts appear in the auth.log, but no jails are configured to look for these by default.
      I think you need to add pam jails (but it is not needed)

      [pam-generic]
      enabled = true
      filter = pam-generic
      # the port value is not used by iptables-allports, which blocks every port
      port = all
      banaction = iptables-allports
      logpath = /var/log/auth.log
      maxretry = 6

      >Also, separate question. eXtplorer doesn't have a log that I can find. I'm assuming this means it would be impossible for it to be used with fail2ban?
      There is no log (I didn't find one), so it can't be used with fail2ban.

      No log, no fail2ban
      Open Media Vault 2.2.6 (Stone burner) in Prod
      Open Media Vault 3.0.32 (Erasmus) in Test

      openmedivault Docker Container
      https://github.com/prbond/openmedivault-dockerfile

      Dev :
      openmediavault-fail2ban 1.1.5 for OMV2.X
      openmediavault-fail2ban 1.3.0 for OMV3.X
      https://github.com/prbond/openmediavault-fail2ban
      https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-fail2ban
    • Okay, I have the solution.

      pr_bond: Enabling pam-generic I think is a good idea in general, it will catch anything that uses PAM (including SSH), however it doesn't catch the openmediavault-webgui failed login attempts.

      To make sure I wasn't replicating an existing filter, I did a search for its key items in all the filters in "/etc/fail2ban/filter.d" before creating a new one.

      New: omv-gui.conf

      Source Code

      #
      # Catch openmediavault-webgui Unauthorized logins
      #
      [Definition]
      failregex = .*\s+openmediavault-webgui\[\d+\]:\s+Unauthorized login attempt from\s+::[^:]+:<HOST>\s+.*
      ignoreregex =


      Settings in the GUI:
      Name: omv-webgui
      Port(s): http, https
      Filter: omv-gui
      Log Path: /var/log/auth.log

      I confirmed this works by failing logins and getting myself banned:

      Source Code

      root@openmediavault:/etc/fail2ban/filter.d# fail2ban-client status omv-webgui
      Status for the jail: omv-webgui
      |- filter
      |  |- File list: /var/log/auth.log
      |  |- Currently failed: 0
      |  `- Total failed: 5
      `- action
         |- Currently banned: 1
         |  `- IP list: 192.168.1.11
         `- Total banned: 1
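
The filter posted above can be checked offline against sample log lines before it is relied on. This is an added example, not part of the original post or the plugin: the log lines are constructed, `HOST_GROUP` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `max_retry` is a hypothetical threshold (fail2ban's findtime window is ignored).

```python
import re
from collections import Counter

# failregex exactly as posted in omv-gui.conf above.
FAILREGEX = (r".*\s+openmediavault-webgui\[\d+\]:\s+Unauthorized login attempt from"
             r"\s+::[^:]+:<HOST>\s+.*")

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed auth.log lines (not taken from a real system).
SAMPLE_LOG = [
    "Jan 10 20:01:11 openmediavault openmediavault-webgui[3112]: Unauthorized login attempt from ::ffff:192.168.1.11 [username=admin, user-agent=Mozilla/5.0]",
    "Jan 10 20:01:15 openmediavault openmediavault-webgui[3112]: Unauthorized login attempt from ::ffff:192.168.1.11 [username=admin, user-agent=Mozilla/5.0]",
    "Jan 10 20:01:19 openmediavault openmediavault-webgui[3112]: Unauthorized login attempt from ::ffff:192.168.1.11 [username=root, user-agent=Mozilla/5.0]",
    "Jan 10 20:02:40 openmediavault openmediavault-webgui[3120]: Unauthorized login attempt from ::ffff:203.0.113.7 [username=admin, user-agent=curl/7.38.0]",
    # Different service: must not be counted by this filter.
    "Jan 10 20:03:02 openmediavault sshd[3150]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    # Same message with a plain IPv4 address: the posted regex needs the '::xxxx:' prefix.
    "Jan 10 20:04:10 openmediavault openmediavault-webgui[3160]: Unauthorized login attempt from 198.51.100.9 [username=admin, user-agent=Mozilla/5.0]",
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag with a capture group, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_per_host(lines):
    """Count matching failure lines per source address."""
    pattern = compile_failregex(FAILREGEX)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(lines, max_retry):
    """Hosts with at least max_retry failures (hypothetical threshold, no findtime)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= max_retry)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, max_retry=3))
```

The plain-IPv4 line is not counted because the posted regex requires a `::<prefix>:` form before the address; on a system whose web GUI logs bare IPv4 addresses, the filter would need adjusting.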
    • There are a few items of feedback I'd give to the plugin owner:

      - Suggest to add pam-generic to the pre-defined jails list.

      - Suggest to add omv-gui to the pre-defined jails list.

      - Suggest both pam-generic and omv-gui are enabled by default when fail2ban is enabled.
      - Explanation: As a new user, I was expecting some basic protection when I installed the plugin and enabled it on the main tab. I was actually surprised when I later discovered I hadn't enabled any protection because I hadn't enabled the specific jails. It can give a false sense of protection if the user is inexperienced and fail2ban is enabled but no jails are enabled.

      - Suggest not allowing a jail to be enabled if the corresponding log file doesn't exist.
      - Explanation: As a new user, when I realized I hadn't enabled any protection I enabled all the jails and consequently fail2ban then failed to start. It seems fail2ban takes issue when you tell it to enable a jail and the log file doesn't exist for that jail.

      Anyway, take it or leave it, these are the suggestions/impressions from a fresh set of eyes. But I think it would improve the user experience.
    • Add to todo list ...
    • Thanks, I will update the plugin.
    • @g2_ufo

      Could you check that -> forum.openmediavault.org/index…rved-by-NGINX-Proxy-Pass/

      @happyreacer
      I did it yesterday

      For all

      A merge request has been pushed to the repos!

      The change is coming soon.
    • EruIluvatar wrote:

      I don't see an option for omv-webgui in the Jails tab of the plugin.
      Also no config file in /etc/fail2ban/filter.d


      @pr_bond: what's the status of this? Or better: what's the recommended way to get fail2ban for the webgui?
      The filter exists but I don't know why the jail isn't available

      omv 4.x | 64 bit | omvextrasorg 4.x | kernel 4.15
      used plugins: nginx | mysql | docker-gui |rsnapshot | antivirus | apt tool | letsEncrypt |
      used other: netxtcloud | logitechmediaserver | emby