[GUIDE] fail2ban and owncloud

happyreacer · Jun 14th 2015

I use owncloud like the Instructions from Owncloud 8 and MySQL: alternative approach
Can i use fail2ban with thes and how can i use?

EDIT:
I have found a solution and i will write down here

happyreacer · Jun 19th 2015

You need a working Owncloud like the guid from Owncloud 8 and MySQL: alternative approach
and the fail2ban plugin.
I have test it with owncloud 8.0.4 and 8.1 but it is for 8.2 too

log on your omv system

go in to the config.php from owncloud like so:

Code

nano /media/UUID from the disk/owncloud/config/config.php

add code for example in Germany:

Code

'logtimezone' => 'Europe/Berlin',
  'log_type' => 'owncloud' ,
  'log_authfailip' => true,

save and go out from the config.php

make a filter for fail2ban:

Code

nano /etc/fail2ban/filter.d/owncloud.conf

copy for owncloud 8.2 the lines in the owncloud.conf:

Code

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

for owncloud 8.1 the lines in the owncloud.conf:

Code

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
ignoreregex =

copy for owncloud 8.0.x the lines in the owncloud.conf:

Code

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
ignoreregex =

it is different to owncloud 7

save and go out.
go in the OMV GUI to the fail2ban plugin
go to jails tab an add a new one
name: owncloud
Ports: the ports do you use for owncloud. perhaps 90,50443
max retry: perhaps 3
ban time: perhaps -1
filter: owncloud
log path: The path to your owncloud.log --> for example /media/UUID from the disk/owncloud/data/owncloud.log
activate the jail and fail2ban

you can test the jail on your omv system with:

Code

fail2ban-regex /media/UUID from the disk/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf

grekazrail · Jul 10th 2015

Hi, i try to configue file2ban with you guide, but have some troubles.
File: /etc/fail2ban/jail.conf

Code

chain = INPUTaction_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(c$action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%$%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", cha$action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="$%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, $action = %(action_mwl)s[owncloud]enabled = yesport = 80, 443filter = owncloudlogpath = /var/log/owncloud.logbantime = 3600maxretry = 3

owncloud.conf

Code

[Definition]
failregex={"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '$
          {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level"$

owncloud config.php

Code

'logtimezone' => 'Europe/Kiev',
  'log_type' => 'owncloud',
  'log_authfailip' => true,
  'logfile' => '/var/log/owncloud.log',
  'loglevel' => '2',

file2ban.log

Code

2015-07-10 22:07:29,222 fail2ban.server : INFO   Stopping all jails
2015-07-10 22:07:29,779 fail2ban.jail   : INFO   Jail 'owncloud' stopped
2015-07-10 22:07:29,780 fail2ban.server : INFO   Exiting Fail2ban
2015-07-10 22:07:30,221 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.lo$
2015-07-10 22:07:30,222 fail2ban.jail   : INFO   Creating new jail 'owncloud'
2015-07-10 22:07:30,223 fail2ban.jail   : INFO   Jail 'owncloud' uses poller
2015-07-10 22:07:30,256 fail2ban.filter : INFO   Added logfile = /var/log/owncloud.log
2015-07-10 22:07:30,257 fail2ban.filter : INFO   Set maxRetry = 3
2015-07-10 22:07:30,259 fail2ban.filter : INFO   Set findtime = 600
2015-07-10 22:07:30,260 fail2ban.actions: INFO   Set banTime = 3600
2015-07-10 22:07:30,281 fail2ban.jail   : INFO   Jail 'owncloud' started
2015-07-10 22:07:30,292 fail2ban.actions.action: ERROR  iptables -N fail2ban-owncloud
iptables -A fail2ban-owncloud -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 80, 443 -j fail2ban-owncloud returned 200

Display More

owncloud.log

Code

{"reqId":"p1S\/cQhXxUG8AZty7VYL","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdg' (Remote IP: '::ffff:192.168.20.143)","leve$
{"reqId":"JqOjJ9w34+XBV8QdctMq","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdg' (Remote IP: '::ffff:192.168.20.143)","level$
{"reqId":"w80\/RpVvyZ1USK\/Y\/cXq","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjg' (Remote IP: '::ffff:192.168.20.143)$
{"reqId":"NnnhtzAlyTsiRcVJ9\/li","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjg' (Remote IP: '::ffff:192.168.20.143)",$
{"reqId":"1L2jcXZPO1yGWPHVTmZs","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjgertert' (Remote IP: '::ffff:192.168.20.1$
{"reqId":"F+061eL29K2t\/HLuxO6W","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjgertert' (Remote IP: '::ffff:192.168.20.$
{"reqId":"XErrVvzPEGUMfAgEkH1Q","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjgertert' (Remote IP: '::ffff:192.168.20.1$
{"reqId":"Np7RpNHDSMqxQUJRtEMZ","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjgertert' (Remote IP: '::ffff:192.168.20.1$
{"reqId":"Vfz2y14i1rviPZFHWoVH","remoteAddr":"::ffff:192.168.20.143","app":"core","message":"Login failed: 'dfgfdgjghjgertert' (Remote IP: '::ffff:192.168.20.1$

and test of fail2ban

Code

root@openmediavault:~# fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf


Running tests
=============


Use regex file : /etc/fail2ban/filter.d/owncloud.conf
Use log file   : /var/log/owncloud.log


Results
=======


Failregex
|- Regular expressions:
|  [1] {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
|
`- Number of matches:
   [1] 0 match(es)


Ignoreregex
|- Regular expressions:
|
`- Number of matches:


Summary
=======


Sorry, no match


Look at the above section 'Running tests' which could contain important
information.

Display More

PLS help me to configue fail2ban plugin

happyreacer · Jul 12th 2015

how version of owncloud do you use?

grekazrail · Jul 13th 2015

ownCloud 8.1.0 (stable)

happyreacer · Jul 13th 2015

sorry, i don't test fail2ban with owncloud 8.1. I have other errors in owncloud 8.1 and i down't know to fix it (see Owncloud 8 and MySQL: alternative approach )

tinh_x7 · Jul 20th 2015

I need a Fail2Ban guide for OC v8.1.0.

happyreacer · Jul 20th 2015

same changes like the first therd only an other filter:

OC 8.1:

Code

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
ignoreregex =

we can make an own forumchannel for owncloud in omv

tinh_x7 · Jul 20th 2015

Thanks 'happyreacer'.
I'll try it out tonight.

happyreacer · Jul 20th 2015

I wish you success

grekazrail · Jul 20th 2015

I tested new regex, and it work, but fail2ban dont blocking IP-s with fail logins

happyreacer · Jul 20th 2015

can you post your config? MySQL sqlite / omv 1.x or 2.x / oc version...
how looks your status in your omv service fail2ban?

Code

|  |- Currently failed:    1
|  `- Total failed:    2
`- action
   |- Currently banned:    0
   |  `- IP list:
   `- Total banned:    0

can you see a number on total failed ?

grekazrail · Jul 20th 2015

Status
|- Number of jail: 1
`- Jail list: owncloud

================================================================================
= OS/Debian information
================================================================================
Distributor ID: debian
Description: Debian GNU/Linux 7 (wheezy)
Release: 7.8
Codename: wheezy

================================================================================
= OpenMediaVault information
================================================================================
Release: 2.1.1
Codename: Stone burner

happyreacer · Jul 20th 2015

what does your option from the jail in omv have?

Code

max retry:
ban time:

grekazrail · Jul 20th 2015

max retry: 3
ban time: 3600

happyreacer · Jul 20th 2015

and you test it with minimum 3 wrong passwords in owncloud WebGUI?
I see you have only

Code

| |- Currently failed: 2

tested

happyreacer · Jul 20th 2015

@grekazrail please give me a feedback

grekazrail · Jul 20th 2015

ok, i try to login via web gui, insert many times, more than 10 whith pause in 5-10sec. In log
Status
|- Number of jail: 1
`- Jail list: owncloud

I see that Currently failed dont changes more then 2, and total failed is +1 avery times when i failed login/
And, |- Currently banned: 1| `- IP list: 192.168.20.143`- Total banned: 1 - this IP of my host, but I can access to owncloud web gui logon page every time

happyreacer · Jul 20th 2015

ah, okay... hmmm

Code

| |- Currently failed: 2

is an other thing what i meen. sorry, but i think it work. You have banned ip.

grekazrail · Jul 20th 2015

ok, may be its work, but I can access to owncloud web gui from banned IP.
May be I must write something to iptables?

Participate now!