openmediavault-fail2ban first version now available for testing

  • @tinh_x7


    I don't know, test one file, if it doesn't work test the other file ...

  • I don't know why my Fail2Ban keeps banning my subnet router IP.
    Everything is working though.


    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • Because I think Fail2ban sees, in the log files "/var/log/nginx/access.log /var/log/nginx/openmediavault-webgui_access.log /var/log/nginx/6d535d5a-81ad-401e-aa01-eb0723e5f168-access.log", failed auth from 192.168.1.3
    Is this for a test?
    Inspect your files and delete the line, or add 192.168.1.3 to IgnoreIp


    To unban :
    root:/# fail2ban-client get nginx-404 actionunban 192.168.1.3

  • restart the service


    root:/# service fail2ban restart


    or


    root:/# fail2ban-client stop
    root:/# fail2ban-client start


    or
    root:/# fail2ban-client reload


    Is it good now?

  • I used these commands, cleared the log, restarted OMV, still the same error:


    fail2ban-client get nginx-404 actionunban 192.168.1.3
    fail2ban-client stop
    fail2ban-client start







  • EDIT: I added my customized port to the nginx-404 jail, then the autoban stopped.
    i.e. http,https,[customized port]








  • @Bambuleee
    > Is it possible to unban IPs?
    Yes, manually, like: iptables -D fail2ban-XXXX -s IP -j DROP
    Change XXXX and IP
    You need to clean your log file if you don't want to be banned again ...


    To see iptables rules :
    iptables -L -n


    > Is it possible to configure fail2ban so that I only get an email when an IP is actually banned, and not when the server is started (I get mails like "The jail nginx-404 has been started successfully.")?
    The "server" is started at the same time as your host, and when your host runs for a long time, you don't receive the "server is started" email because it is already started ....


    You can check your mail inbox when you restart the fail2ban service:
    Root# service fail2ban restart

  • I installed fail2ban 1.1.4
    I got an error message when I clicked "Service" - "Fail2ban"


    And Fail2Ban shows a red circle in the Service tab.
    I must use the "/etc/init.d/fail2ban restart" command to restart fail2ban.

  • When enabled I get the following error from daily cronjob,


    /etc/cron.daily/logrotate:
    error: error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '
    run-parts: /etc/cron.daily/logrotate exited with return code 1


    The fail2ban plugin is enabled but obviously not running, does the plugin actually start the service? (solved this by starting the service manually)

  • Is it possible to configure fail2ban so that I only get an email when an IP is actually banned, and not when the server is started (I get mails like "The jail nginx-404 has been started successfully.")?


    I've reduced the e-mails I get by editing these files:
    /etc/fail2ban/action.d/sendmail.conf
    /etc/fail2ban/action.d/sendmail-buffered.conf
    /etc/fail2ban/action.d/sendmail-whois.conf
    /etc/fail2ban/action.d/sendmail-whois-lines.conf

  • It does not start the service when the save button is pressed on the settings tab (the apply warning does not appear), but it does start when anything is changed on the jails tab and the save button is pressed (in this case the apply warning appears).


    Perhaps some bug in the latest OMV (see my specs in my signature).

  • Hello,


    There is no plugin for OpenVPN.


    I have added one but there is no protocol option in the GUI so I have to edit the fail2ban file manually.


    1) Create a file


    /etc/fail2ban/filter.d/openvpn.conf


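    [Definition]

    # Continuation lines are indented; the brackets are escaped so that
    # "[ECONNREFUSED]" matches literally instead of as a character class.
    failregex = <HOST>:\d{1,5} TLS Auth Error
                <HOST>:\d{1,5} VERIFY ERROR:
                <HOST>:\d{1,5} TLS Error: TLS handshake failed
                <HOST>:\d{1,5} \[ECONNREFUSED\]: Connection refused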





    I have added the rule "<HOST>:\d{1,5} [ECONNREFUSED]: Connection refused" to what I saw on the Internet because in my tests with a wrong key I had that error.
    2) Edit the file


    /etc/fail2ban/jail.conf


    The line protocol = udp is not there. When it is not there the rule doesn't work.


    I have to add the line manually (Only the field is missing when I configure a jail). I have taken the port 1294 instead of 1194


    [OpenVPN]
    enabled = yes
    protocol = udp
    port = 1294
    filter = openvpn
    logpath = /var/log/openvpn.log
    bantime = -1
    maxretry = 3


    3) After that, I must restart the fail2ban service


    service fail2ban stop
    service fail2ban start



    Is it possible to add the rule automatically in fail2ban (or to add the option to choose the protocol)?
    Thank you
    Marc

  • The general steps are:


    1) Figure out in what file it is logging failures.
    2) Create a regular expression based on the failures.
    3) Create a filter file with the above regular expression.
    4) Enter the information in the plugin.


    From your post it's impossible to tell what you've done so far.
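
An added example, not part of the original posts: a Python check of the OpenVPN failregex rules quoted above against constructed log lines, which is what step 2 of the general steps amounts to. It shows that the unescaped `[ECONNREFUSED]` acts as a character class and misses its line, so the client never reaches the jail's maxretry of 3. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the log lines and their format are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also matches IPv6 addresses and hostnames). Assumption for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex rules with unescaped brackets, as quoted in the post's text.
POSTED = [
    r"<HOST>:\d{1,5} TLS Auth Error",
    r"<HOST>:\d{1,5} VERIFY ERROR:",
    r"<HOST>:\d{1,5} TLS Error: TLS handshake failed",
    r"<HOST>:\d{1,5} [ECONNREFUSED]: Connection refused",
]
# Same list with the brackets of the last rule escaped.
ESCAPED = POSTED[:3] + [r"<HOST>:\d{1,5} \[ECONNREFUSED\]: Connection refused"]

# Constructed sample lines in the shape the rules expect (not real logs).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 198.51.100.7:40211 TLS Error: TLS handshake failed
Mon Mar  4 10:00:05 2024 198.51.100.7:40212 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar  4 10:00:09 2024 198.51.100.7:40213 VERIFY ERROR: depth=0, error=certificate has expired
Mon Mar  4 10:01:00 2024 203.0.113.9:51000 Peer Connection Initiated with [AF_INET]203.0.113.9:51000
Mon Mar  4 10:02:00 2024 203.0.113.20:1194 TLS Auth Error: Auth Username/Password verification failed for peer
"""

def count_failures(rules, log_text):
    """Return {ip: number of log lines matched by at least one rule}."""
    compiled = [re.compile(r.replace("<HOST>", HOST)) for r in rules]
    hits = {}
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # count each line once
    return hits

def would_ban(rules, log_text, maxretry=3):
    """IPs reaching maxretry (3 in the posted jail); findtime is ignored."""
    counts = count_failures(rules, log_text)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("escaped", ESCAPED)):
        print(name, count_failures(rules, SAMPLE_LOG), would_ban(rules, SAMPLE_LOG))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/openvpn.log /etc/fail2ban/filter.d/openvpn.conf` runs the same kind of check against the real log and filter.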
