[GUIDE] fail2ban and owncloud

  • @pr_bond, can you help? I don't have enough knowledge.

    omv 6.x | 64 bit | omvextrasorg 6.x |
    used plugins: omv-extras | portainer | rsnapshot | antivirus
    used container: portainer/portainer | nextcloud/all-in-one | linuxserver/swag | paperless-ngx | jellyfin/jellyfin | lmscommunity/logitechmediaserver | adguard/adguardhome |

  • I can see owncloud shows the invalid log-in, but it didn't ban the IP I'm logged in from.
    I enabled Fail2Ban, but when I went to services in OMV, it said: "Failed to execute command 'fail2ban-client status"....

  • I don't have a loglevel in my owncloud config.php and I use the default logfile on the same HDD. But I can't interpret anything in the fail2ban error.
    I'm not so deep in the development.
    @pr_bond, please can you look at this?


  • I found the errors that prevented my fail2ban service from turning on.

    Fail2Ban only allows the following jails to be turned on at the same time:

    1. apache-noscript
    2. owncloud
    3. ssh

    Meaning I can only have these three jails running at the same time.
    If I turn on additional jail filters, fail2ban will not run for me.

    Fail2ban is now working, but there is a glitch.
    My filter is set to ban bad-login IPs for 15 min.
    However, after 15 min, it worked.
    Then I restarted OMV, and somehow fail2ban automatically re-banned the previous IP without anybody trying to log in.
    In order to fix this, I have to clear the owncloud.log.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

    Edited 6 times, last by tinh_x7 ()

  • Hi


    Source : http://www.rojtberg.net/711/secure-owncloud-server/

    You can change your owncloud jail filter file to this:


    /etc/fail2ban/filter.d/owncloud.conf

    Code
    [Definition]
    failregex = {"app":"core","message":"Login failed:(.*) , wrong password, IP:<HOST>","level":2,"time":".*"}
                {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
                {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}
    ignoreregex =


    The first line is for owncloud <= 7.0.1. (for 6.0.4 openMediaVault-owncloud 1.4)
    The second for owncloud 7.0.2-7.05
    and the bottom one for owncloud 8.
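
A way to check which of the three failregex lines fires on a given log line before loading the filter; this is an added example, not part of the original post. The `<HOST>` replacement is a simplified stand-in for fail2ban's own expansion, and the sample log lines are constructed to fit the patterns, not captured from a real ownCloud server.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is more elaborate and varies between fail2ban versions).
HOST = r"(?P<host>[\w\-.:]+)"

# The three failregex lines from the filter above, keyed by the ownCloud
# version range given in the post.
FAILREGEX = {
    "<=7.0.1": r'''{"app":"core","message":"Login failed:(.*) , wrong password, IP:<HOST>","level":2,"time":".*"}''',
    "7.0.2-7.05": r'''{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}''',
    "8": r'''{"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}''',
}
COMPILED = {v: re.compile(p.replace("<HOST>", HOST)) for v, p in FAILREGEX.items()}

# Constructed sample lines (documentation IP ranges), one per log format,
# plus a non-failure line that no pattern should match.
SAMPLE_LOG = [
    '''{"app":"core","message":"Login failed: user 'admin' , wrong password, IP:203.0.113.7","level":2,"time":"2015-08-20 19:41:04"}''',
    '''{"app":"core","message":"Login failed: 'admin' (Remote IP: '198.51.100.23', X-Forwarded-For: '')","level":2,"time":"2015-08-20T19:41:04+00:00"}''',
    '''{"reqId":"a1b2c3","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'admin' (Remote IP: '192.0.2.44', X-Forwarded-For: '')","level":2,"time":"2015-09-06T12:11:28+00:00"}''',
    '''{"reqId":"d4e5f6","remoteAddr":"192.0.2.44","app":"core","message":"Login successful","level":1,"time":"2015-09-06T12:12:00+00:00"}''',
]


def classify(line):
    """Return (version_label, host) for every pattern that matches the line."""
    hits = []
    for version, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            hits.append((version, m.group("host")))
    return hits


def scan(lines):
    """Classify each log line; an empty list means fail2ban would ignore it."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(hits or "no match", "<-", line[:60])
```

On a real installation, `fail2ban-regex /path/to/owncloud.log /etc/fail2ban/filter.d/owncloud.conf` runs the same kind of check with fail2ban's own `<HOST>` handling.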

  • @tinh_x7


    >The fail2ban is now working, but there is a glitch.
    >My filter is set to ban bad-login IP for 15 min.
    >However, after 15 min, it worked.
    It is bizarre, have you restarted the fail2ban service?
    What's 'service fail2ban status show'?
    What's 'fail2ban-client status show'?

    >Then I restart OMV, somehow fail2ban automatically re-ban the previous IP again without anybody try to log in.
    >In order for me to fix this, I have to clear the owncloud.log.
    It is normal, you have to clear the log file if it's a good IP ...
    You can add good IPs to ignoreip: 127.0.0.1 192.168.0.1 192.168.0.2

  • Code
    Status
    |- Number of jail:      3
    `- Jail list:           owncloud, apache-noscript, ssh
    `- action
       |- Currently banned:    1
       |  `- IP list: 192.111.000.141
       `- Total banned:    1


    Code
    Status of authentication failure monitor:fail2ban is running.


    I notice that your OC v8 code is different from happyreacer's code:

    Code
    failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}


    I just want to confirm that this code for OC v8 is working for me:

    Code
    failregex = {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}


    Thanks, pr_bond.

    Edited 2 times, last by tinh_x7 ()

  • For info, openmediavault-fail2ban 1.1.4 now has the owncloud jail included

  • Quote

    For info openmediavault-fail2ban 1.1.4 have now owncloud jail included


    Thanks!
    Only for the plugin owncloud version!

    Edited once, last by happyreacer ()

  • @pr_bond,


    So your F2B jail is only for the owncloud plugin, not the one we install manually?

    I just tested F2B on OMV and ownCloud, and I found out this:

    Fail2Ban recorded and emailed me all the details that I need for ownCloud's incorrect login attempts, such as IP, time stamp, ...
    However, for the OMV admin's failed login, it only banned and sent me the recorded time stamp, but it didn't give me the IP or the device info.
    I modified the OMV F2B jail to ban for 15 mins, but it didn't work.
    It only banned for 3 minutes.

    How do I change OMV to ban failed logins for longer than 3 mins, and record the failed login IP?


    I got these notifications in my email from OMV:

    Quote


    Too many failed login attempts from user 'admin' [server.mydomain.com]
    User 'admin' has been banned at Aug 20 19:41:04 after 14 failed login attempts. Access is denied for 3 minutes. After that time, the user is able to log in again with the correct password.
    User 'admin' has been banned at Aug 20 19:38:33 after 13 failed login attempts. Access is denied for 3 minutes. After that time, the user is able to log in again with the correct password.

  • No, fail2ban is not only for owncloud.
    Fail2ban is for ftp, ssh, apache, nginx ... a lot of services.

    You should change the ban time for the jail you want.
    900 / 60 = 15 min is right; you save and apply the modification.

    It is strange, could you deactivate fail2ban and reactivate it?

    See the status in: Diagnostic->services->Fail2ban

  • I'll try.


    But do I need to keep these settings or remove them since F2B has the owncloud jail now?





  • The owncloud jail is included now for you ;)

  • I just removed /etc/fail2ban/filter.d/owncloud.conf, but Fail2Ban is unable to run.
    Edit: So, I had to re-add the owncloud.conf; F2B is now running fine.



    Code
    Error #4000:
    exception 'OMVException' with message 'Failed to execute command 'fail2ban-client status 2>&1': ERROR  Unable to contact server. Is it running?' in /usr/share/openmediavault/engined/rpc/fail2ban.inc:368
    Stack trace:
    #0 [internal function]: OMVRpcServiceFail2ban->getStats(NULL, Array)
    #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
    #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('getStats', NULL, Array)
    #3 /usr/sbin/omv-engined(500): OMVRpc::exec('Fail2Ban', 'getStats', NULL, Array, 1)
    #4 {main}



    Code
    $ sudo fail2ban-client start
    WARNING 'findtime' not defined in 'ssh'. Using default value
    WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
    WARNING 'findtime' not defined in 'apache-noscript'. Using default value
    WARNING 'findtime' not defined in 'apache-404'. Using default value
    WARNING 'findtime' not defined in 'proftp'. Using default value
    WARNING 'findtime' not defined in 'owncloud'. Using default value
    ERROR  /etc/fail2ban/filter.d/owncloud.conf and /etc/fail2ban/filter.d/owncloud.local do not exist
    ERROR  Unable to read the filter
    ERROR  Errors in jail 'owncloud'. Skipping...


    Edited 2 times, last by tinh_x7 ()
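
A pre-flight check for the "filter does not exist" error shown in the post above, as an added example that is not part of the thread or of the OMV plugin. It reads a single jail file, whereas fail2ban itself merges jail.conf, jail.local and other files; the jail text below is constructed, and falling back to the jail name when no `filter` key is set is an assumption.

```python
import configparser
import os
import tempfile

# Constructed jail configuration: three enabled jails and one disabled jail.
SAMPLE_JAILS = """
[DEFAULT]
bantime = 900

[ssh]
enabled = true
filter = sshd

[apache-noscript]
enabled = true
filter = apache-noscript

[owncloud]
enabled = true
filter = owncloud

[proftp]
enabled = false
filter = proftpd
"""


def missing_filters(jail_text, filter_dir):
    """Return enabled jails whose filter has neither a .conf nor a .local file."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    missing = []
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue  # disabled jails are never loaded, so skip them
        name = cfg.get(jail, "filter", fallback=jail)  # assumption: default to jail name
        paths = [os.path.join(filter_dir, name + ext) for ext in (".conf", ".local")]
        if not any(os.path.isfile(p) for p in paths):
            missing.append(jail)
    return sorted(missing)


def demo():
    """Build a throwaway filter.d without owncloud.conf and run the check."""
    with tempfile.TemporaryDirectory() as filter_dir:
        for present in ("sshd.conf", "apache-noscript.conf"):
            open(os.path.join(filter_dir, present), "w").close()
        return missing_filters(SAMPLE_JAILS, filter_dir)


if __name__ == "__main__":
    print("enabled jails with no filter file:", demo())
```

Pointed at the real jail file and /etc/fail2ban/filter.d, a non-empty result names the jails that will produce the "Unable to read the filter" error at start-up.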

  • hi there, same issue here:


    root@raspberrypi:~# fail2ban-client start
    WARNING 'findtime' not defined in 'ssh'. Using default value
    WARNING 'findtime' not defined in 'dropbear'. Using default value
    WARNING 'findtime' not defined in 'pam-generic'. Using default value
    WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
    WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
    WARNING 'findtime' not defined in 'apache'. Using default value
    WARNING 'findtime' not defined in 'apache-multiport'. Using default value
    WARNING 'findtime' not defined in 'apache-noscript'. Using default value
    WARNING 'findtime' not defined in 'apache-overflows'. Using default value
    WARNING 'findtime' not defined in 'vsftpd'. Using default value
    WARNING 'findtime' not defined in 'proftpd'. Using default value
    WARNING 'findtime' not defined in 'pure-ftpd'. Using default value
    WARNING 'findtime' not defined in 'wuftpd'. Using default value
    WARNING 'findtime' not defined in 'postfix'. Using default value
    WARNING 'findtime' not defined in 'couriersmtp'. Using default value
    WARNING 'findtime' not defined in 'courierauth'. Using default value
    WARNING 'findtime' not defined in 'sasl'. Using default value
    WARNING 'findtime' not defined in 'dovecot'. Using default value
    WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
    2015-09-06 12:11:28,360 fail2ban.server : INFO Starting Fail2ban v0.8.6
    2015-09-06 12:11:28,362 fail2ban.server : INFO Starting in daemon mode


    it looks like the f2b still takes all the conf files from the /etc/fail2ban/filter.d/ directory

    omv 6.0 in proxmox 7.1-10 - AMD Ryzen 1700 - 48GB DDR4 :thumbup:
