Install and Setup Fail2Ban on OwnCloud portsjail

Status
Not open for further replies.

1RoH

Dabbler
Joined
Sep 14, 2014
Messages
21
add the following to /usr/local/etc/fail2ban/jail.local
make sure to change the "logpath" to your owncloud.log location
Code (text):
enabled = true
filter = owncloud
action = ipfw-owncloud
logpath = /*Change_to_owncloud_data_dir*/owncloud.log
maxretry = 3
port = 80,443
protocol = tcp

Thanks for the guide, gotta love the security! I got stuck on this one: where exactly do I place this info, or do I have to do it for whole sections in the jail.local? (If you could please clarify it for me.) Thank you
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Fixed the issue I posted earlier, but for some reason this never worked for me. It didn't work when I set it up on owncloud 6.0.2 and it's not banning IPs on a newly made jail on owncloud 7.0.4.
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Hey SmallGuy, happy to see you are willing to take the challenge :) It's well worth it.
I remember seeing a plugin for ClamAV a while back but it disappeared. Would like to hear how you make out with it.

Best of luck


Rickle, if it's not too much trouble for you... can you revise this guide whenever convenient? Maybe create a demo setup of a new portsjail on your server, do a fresh install of owncloud 7.0.4 using Joshua's guide and then set up fail2ban on it. I am pretty sure that version changes since the time you wrote the guide have messed up the configuration.
 

Darkk

Dabbler
Joined
Mar 29, 2014
Messages
32
Thanks for the write-up. Took me a while to figure out why fail2ban would not work correctly. First reason is the newer version of OwnCloud changed the log info, so I had to fix that. Then I had to hunt around as to why it wasn't banning the IPs until I realized one thing about jails. I pointed the path of owncloud.log in /usr/local/etc/fail2ban/jail.local to inside the /www/owncloud folder, not the /mnt/jail folder. Once I changed it to the /mnt/jail folder it started working perfectly. Just wanted to pass this info along in case you got the path goofed up like I did. "locate owncloud.log" only gave me the result of /www/owncloud so I assumed that is the path. Nope. lol.

add the following to /usr/local/etc/fail2ban/jail.local
make sure to change the "logpath" to your owncloud.log location
Code (text):
enabled = true
filter = owncloud
action = ipfw-owncloud
logpath = /*Change_to_owncloud_data_dir*/owncloud.log
maxretry = 3
port = 80,443
protocol = tcp
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Thanks for the guide! Took some struggling through, but eventually got there without having to ask any noob questions :D Good to have another layer of security on my owncloud instance, which is working great, set up using Joshua's guide.

To reinforce some points that others may learn from:

1. VIMAGE needs to be ON for the jail for IPFW to work. If it's not you'll get an error when trying to start the service. Don't follow the path that suggests rebuilding the kernel!
2. The format of the owncloud failed login attempt saved to owncloud.log changed at 7.0.2 - it's highlighted in this thread, but could be missed if you weren't reading carefully enough ;) It hasn't changed since, so still works in 7.0.4.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Anyone having problems with this after updating the 9.3 STABLE train?

I updated to 201503170439 last night and got flooded with ipfw messages in the console. Being somewhat of a noob, I eventually tracked this back to my ownCloud jail and the ipfw service I'd set up through this tutorial for Fail2ban.

Code:
Mar 18 06:59:16 freenas1 kernel: <110>ipfw: 500 Deny UDP 192.168.168.50:17500 255.255.255.255:17500 in via epair1b
Mar 18 06:59:16 freenas1 kernel: <110>ipfw: 500 Deny UDP 192.168.168.50:17500 192.168.168.255:17500 in via epair1b
Mar 18 06:59:21 freenas1 kernel: <110>ipfw: 500 Deny UDP 192.168.168.50:59985 255.255.255.255:22936 in via epair1b
Mar 18 06:59:21 freenas1 kernel: <110>ipfw: 500 Deny UDP 192.168.168.82:49516 192.168.168.255:32414 in via epair1b
Mar 18 06:59:25 freenas1 kernel: <110>ipfw: 500 Deny UDP 192.168.168.1:5353 224.0.0.251:5353 in via epair1b


Stopped both services and the messages stopped, but would be good to understand what the update changed so I can fix and switch them back on.

Thanks

UPDATE

I've fixed this now by commenting out (#) the last line of the ipfw.rules config:

Code:
# $IPF 500 deny log all from any to any


Fail2ban is still working, but not really sure what this actually means. Can anyone explain what this line was doing?
 

Victor866

Dabbler
Joined
Aug 10, 2014
Messages
17
I've an issue with this configuration.

I needed to modify /usr/local/etc/fail2ban/filter.d/owncloud.conf as:

Code:
{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

With this, when I enter a wrong password 3 times, table 1 shows the IP banned, but when I then enter the correct password I can access my Owncloud.

In fact fail2ban is working properly: if I enter a wrong password 3 times and then try to access the jail directly using ssh, I cannot, because I'm banned. But with Owncloud this does not happen.

EDIT:

Ok, if I keep the login window open and write the correct password I can access my Owncloud files, but if I close the tab or the browser and try to access the owncloud again I cannot connect. It's like the owncloud remembers the access from the login window and does not check the fail2ban policies.

My /usr/local/etc/ipfw.rules:
Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any
# open port DNS (53)
# http (80), https (4443) etc
$IPF 150 allow tcp from any to any 4443 in
$IPF 160 allow tcp from any to any 4443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 443 in
$IPF 230 allow tcp from any to any 443 out

# deny and log everything
$IPF 500 deny log all from any to any


My /usr/local/etc/fail2ban/jail.local:
Code:
enabled  = true
filter  = owncloud
action  = ipfw-owncloud
logpath  = /mnt/files/owncloud.log
maxretry = 3
port = 80,443,4443
protocol = tcp
 

blahhumbug

Dabbler
Joined
Apr 25, 2015
Messages
22
My apologies for necroing a bit of an older thread. Like some earlier posts in this thread I ran into issues where existing connections could enter new passwords indefinitely and the ipfw table entry was not resulting in the IP being banned.

To solve this, I moved the 'deny all from table1' to be prior to both 'check-state' and 'allow tcp from any to any established', and now established nginx/SSL connections are successfully denied as soon as the retry limit is hit and the IP is added to table 1.

Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
#firewall rule used by Fail2Ban to block traffic
#deny prior to established connection checks or
#existing connections persist for bruteforce attacks
$IPF 50 deny all from 'table(1)' to any
# statefull
$IPF 60 check-state
$IPF 70 allow tcp from any to any established
$IPF 80 allow all from any to any out keep-state
$IPF 90 allow icmp from any to any
# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any
 
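The rule-ordering fix in the post above and the console flood adrianwi asked about a few posts earlier both come down to ipfw's first-match processing. The following is an added example, not code from this thread and not part of ipfw: a small Python model of first-match rule evaluation over trimmed copies of the two orderings posted here (the `$IPF` prefix, the loopback and 127.0.0.0/8 rules, DNS, port 80 and icmp are left out; the rule numbers are as posted). It assumes a constructed banned address 203.0.113.7 already in table(1), sends an established TCP segment and a fresh SYN from that address, plus a LAN UDP broadcast of the kind seen in adrianwi's kernel messages, and reports which rule each packet hits.

```python
import ipaddress

# Trimmed copies of the two ipfw.rules orderings posted in this thread: "$IPF" (= ipfw -q add),
# the loopback/127.0.0.0/8 rules, DNS, port 80 and icmp are left out; rule numbers are as posted.
TABLE_AFTER_ESTABLISHED = """
50 check-state
60 allow tcp from any to any established
70 allow all from any to any out keep-state
90 deny all from 'table(1)' to any
220 allow tcp from any to any 443 in
500 deny log all from any to any
"""
TABLE_BEFORE_ESTABLISHED = """
50 deny all from 'table(1)' to any
60 check-state
70 allow tcp from any to any established
80 allow all from any to any out keep-state
220 allow tcp from any to any 443 in
500 deny log all from any to any
"""

def parse_rule(line):
    """Parse the subset of ipfw syntax used above: NUM ACTION [log] PROTO from SRC to DST [opts]."""
    toks = line.split()
    r = {"num": int(toks[0]), "action": toks[1], "log": False, "proto": "all", "src": "any",
         "dst": "any", "dport": None, "dir": None, "established": False, "keep_state": False}
    if r["action"] == "check-state":
        return r
    i = 3 if toks[2] == "log" else 2
    r["log"] = toks[2] == "log"
    r["proto"], r["src"], r["dst"] = toks[i], toks[i + 2].strip("'"), toks[i + 4].strip("'")
    for t in toks[i + 5:]:
        if t.replace(",", "").isdigit():
            r["dport"] = {int(p) for p in t.split(",")}
        elif t in ("in", "out"):
            r["dir"] = t
        elif t == "established":
            r["established"] = True
        elif t == "keep-state":
            r["keep_state"] = True
    return r

def addr_match(spec, ip, table):
    if spec == "any":
        return True
    if spec == "table(1)":                  # the table fail2ban's ipfw action adds banned IPs to
        return ip in table
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def flow_key(p):  # direction-independent, so check-state matches replies of a kept flow
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))

def rule_matches(r, p, table, state):
    if r["action"] == "check-state":
        return flow_key(p) in state
    return (r["proto"] in ("all", p["proto"])
            and addr_match(r["src"], p["src"], table) and addr_match(r["dst"], p["dst"], table)
            and (r["dport"] is None or p["dport"] in r["dport"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (not r["established"] or (p["proto"] == "tcp" and p["established"])))

def filter_packet(rules, p, table, state=None):
    """First matching rule wins. Returns (verdict, rule number, kernel-style log line or None)."""
    state = set() if state is None else state
    for r in rules:
        if rule_matches(r, p, table, state):
            verdict = "deny" if r["action"] == "deny" else "allow"
            if r["keep_state"]:
                state.add(flow_key(p))
            log = None
            if r["log"]:                    # a 'deny log' catch-all logs every packet nothing else matched
                log = "ipfw: %d %s %s %s:%d %s:%d %s via %s" % (
                    r["num"], verdict.capitalize(), p["proto"].upper(), p["src"], p["sport"],
                    p["dst"], p["dport"], p["dir"], p["iface"])
            return verdict, r["num"], log
    # nothing matched: the kernel's default rule 65535 decides (accept or deny depends on the
    # kernel build) and nothing is logged
    return "default-rule", 65535, None

def packet(proto, src, sport, dst, dport, direction="in", iface="epair1b", established=False):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": iface, "established": established}

def evaluate(rule_text, banned=("203.0.113.7",)):
    """Three constructed packets through one ruleset; 203.0.113.7 is a constructed banned IP in table(1)."""
    rules = [parse_rule(l) for l in rule_text.strip().splitlines()]
    table = set(banned)
    syn = packet("tcp", "203.0.113.7", 51000, "192.0.2.10", 443)
    ack = packet("tcp", "203.0.113.7", 51000, "192.0.2.10", 443, established=True)
    bcast = packet("udp", "192.168.168.50", 17500, "255.255.255.255", 17500)
    return {"new_syn_from_banned": filter_packet(rules, syn, table),
            "established_from_banned": filter_packet(rules, ack, table),
            "lan_broadcast": filter_packet(rules, bcast, table)}
```

With the table rule placed after `allow tcp from any to any established`, a segment belonging to an already-open session from the banned address is accepted by rule 60 and the ban in table(1) is never consulted, which is why an open browser session could keep submitting passwords; with the table rule first, that same segment is denied at rule 50. The broadcast packet shows what the last rule does: `deny log all from any to any` denies everything no earlier rule matched and writes one `ipfw: 500 Deny ...` line per packet to the kernel log, so LAN discovery broadcasts arriving on the jail's epair interface produce exactly the console lines adrianwi saw. Removing that rule stops the logging, but it also removes the explicit final deny, leaving those packets to the kernel's default rule 65535.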
Joined
Dec 2, 2015
Messages
730
With ownCloud 8.2, the /usr/local/etc/fail2ban/filter.d/owncloud.conf needed is:
Code:
[Definition]
failregex={"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}
ignoreregex =
 
Joined
Dec 2, 2015
Messages
730
With ownCloud 8.2, the /usr/local/etc/fail2ban/filter.d/owncloud.conf needed is:
Code:
[Definition]
failregex={"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}
ignoreregex =
This works on ownCloud 9 too.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
Hello, I followed the guide step by step, and it is NOT working :( When I log in with the wrong password 3+ times, and then put in the right password, I can log in with no issues (meaning fail2ban is not working)

Here is the fail2ban log

GNU nano 2.4.3 File: /var/log/fail2ban.log

Code:
2016-04-28 12:34:14,316 fail2ban.server [76893]: INFO Changed logging $
2016-04-28 12:34:14,344 fail2ban.database [76893]: INFO Connected to fai$
2016-04-28 12:34:14,722 fail2ban.database [76893]: WARNING New database cre$
2016-04-28 12:34:14,723 fail2ban.jail [76893]: INFO Creating new jai$
2016-04-28 12:34:14,724 fail2ban.jail [76893]: INFO Jail 'haproxy-ht$
2016-04-28 12:34:14,735 fail2ban.filter [76893]: INFO Set jail log fil$
2016-04-28 12:34:14,735 fail2ban.jail [76893]: INFO Initiated 'polli$
2016-04-28 12:34:14,802 fail2ban.filter [76893]: INFO Added logfile = $
2016-04-28 12:34:14,802 fail2ban.filter [76893]: INFO Set maxRetry = 3
2016-04-28 12:34:14,803 fail2ban.filter [76893]: INFO Set jail log fil$
2016-04-28 12:34:14,803 fail2ban.actions [76893]: INFO Set banTime = 600
2016-04-28 12:34:14,803 fail2ban.filter [76893]: INFO Set findtime = 6$
2016-04-28 12:34:14,806 fail2ban.jail [76893]: INFO Jail 'haproxy-ht$
2016-04-28 12:34:31,661 fail2ban.server [76893]: INFO Stopping all jai$
2016-04-28 12:34:31,987 fail2ban.jail [76893]: INFO Jail 'haproxy-ht$
2016-04-28 12:34:32,025 fail2ban.server [76893]: INFO Exiting Fail2ban
2016-04-28 12:34:34,519 fail2ban.server [76913]: INFO Changed logging $
2016-04-28 12:34:34,520 fail2ban.database [76913]: INFO Connected to fai$
2016-04-28 12:34:34,569 fail2ban.jail [76913]: INFO Creating new jai$
2016-04-28 12:34:34,571 fail2ban.jail [76913]: INFO Jail 'haproxy-ht$
2016-04-28 12:34:34,581 fail2ban.filter [76913]: INFO Set jail log fil$
2016-04-28 12:34:34,581 fail2ban.jail [76913]: INFO Initiated 'polli$
2016-04-28 12:34:34,718 fail2ban.filter [76913]: INFO Added logfile = $
2016-04-28 12:34:34,719 fail2ban.filter [76913]: INFO Set maxRetry = 3
2016-04-28 12:34:34,719 fail2ban.filter [76913]: INFO Set jail log fil$
2016-04-28 12:34:34,719 fail2ban.actions [76913]: INFO Set banTime = 600
2016-04-28 12:34:34,720 fail2ban.filter [76913]: INFO Set findtime = 6$
2016-04-28 12:34:34,724 fail2ban.jail [76913]: INFO Jail 'haproxy-ht$
2016-04-28 12:50:16,755 fail2ban.server [76913]: INFO Stopping all jai$
2016-04-28 12:50:17,133 fail2ban.jail [76913]: INFO Jail 'haproxy-ht$
2016-04-28 12:50:17,185 fail2ban.server [76913]: INFO Exiting Fail2ban
2016-04-28 12:50:17,340 fail2ban.server [78766]: INFO Changed logging $
2016-04-28 12:50:17,340 fail2ban.database [78766]: INFO Connected to fai$
2016-04-28 12:50:17,379 fail2ban.jail [78766]: INFO Creating new jai$
2016-04-28 12:50:17,381 fail2ban.jail [78766]: INFO Jail 'haproxy-ht$
2016-04-28 12:50:17,391 fail2ban.filter [78766]: INFO Set jail log fil$
2016-04-28 12:50:17,391 fail2ban.jail [78766]: INFO Initiated 'polli$
2016-04-28 12:50:17,525 fail2ban.filter [78766]: INFO Added logfile = $
2016-04-28 12:50:17,525 fail2ban.filter [78766]: INFO Set maxRetry = 3
2016-04-28 12:50:17,526 fail2ban.filter [78766]: INFO Set jail log fil$
2016-04-28 12:50:17,526 fail2ban.actions [78766]: INFO Set banTime = 600
2016-04-28 12:50:17,526 fail2ban.filter [78766]: INFO Set findtime = 6$
2016-04-28 12:50:17,530 fail2ban.jail [78766]: INFO Jail 'haproxy-ht$

here is the ipfw table 1 list

root@ownCloud:/ # ipfw table 1 list

root@ownCloud:/ #


here is the other log

root@ownCloud:/ # cat /mnt/owncloud.log | grep password
cat: /mnt/owncloud.log: No such file or directory
root@ownCloud:/ #

Does anybody have any idea what is going on?
 
Joined
Dec 2, 2015
Messages
730
fail2ban works by monitoring logs for failed login attempts.

Where is owncloud.log located? Confirm that location is specified in /usr/local/etc/fail2ban/jail.local
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
fail2ban works by monitoring logs for failed login attempts.

Where is owncloud.log located? Confirm that location is specified in /usr/local/etc/fail2ban/jail.local
The file is in /usr/local/www/owncloud/data/owncloud.log... but in the jail.local, do I have to add all of these lines

enabled = true
filter = owncloud
action = ipfw-owncloud
logpath = /usr/local/www/owncloud/data/owncloud.log $
maxretry = 3
port = 80,443
protocol = tcp

at the end, or replace everything? That part I DO NOT understand.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
If you've followed Josh's guide to install ownCloud (which I think you have) then it will be in /mnt/<pool_name>/ocfiles/owncloud.log (replacing <pool_name> with your pool name)

Also check the failregex setting in Kevin's post (50) above.
 
Joined
Dec 2, 2015
Messages
730
Another possible source of confusion is that if you changed the location for the owncloud log at some point after first starting nginx, it is possible that the old log is still there in the old location. Make sure that fail2ban is looking at the current owncloud log location.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
If you've followed Josh's guide to install ownCloud (which I think you have) then it will be in /mnt/<pool_name>/ocfiles/owncloud.log (replacing <pool_name> with your pool name)

Also check the failregex setting in Kevin's post (50) above.
Another possible source of confusion is that if you changed the location for the owncloud log at some point after first starting nginx, it is possible that the old log is still there in the old location. Make sure that fail2ban is looking at the current owncloud log location.

Thanks guys, I did follow Joshua's guide, the location of the owncloud.log was in "/mnt/files/owncloud.log"
Thanks again.
 

MrUnknownEMC

Explorer
Joined
Feb 20, 2016
Messages
55
I have followed your steps to the word; when I restart my services everything looks alright, but when I go to owncloud and try typing an incorrect password more than 5 times (I set maxretry = 5) I can still spam different passwords. I checked my logs, which I include below. If I run the list command to show whether my IP is banned, it displays nothing.



Code:
7:29:02,524 fail2ban.server         [56903]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
7:29:02,525 fail2ban.database       [56903]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3' 
7:29:02,968 fail2ban.database       [56903]: WARNING New database created. Version '2'                                             
7:29:20,058 fail2ban.server         [56903]: INFO    Stopping all jails                                                             
7:29:20,058 fail2ban.server         [56903]: INFO    Exiting Fail2ban                                                               
7:29:20,253 fail2ban.server         [56980]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
7:29:20,254 fail2ban.database       [56980]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3' 
7:42:37,805 fail2ban.server         [56980]: INFO    Stopping all jails                                                             
7:42:37,805 fail2ban.server         [56980]: INFO    Exiting Fail2ban                                                               
7:42:38,003 fail2ban.server         [57757]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
7:42:38,004 fail2ban.database       [57757]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3' 
7:46:40,579 fail2ban.server         [57757]: INFO    Stopping all jails                                                             
7:46:40,580 fail2ban.server         [57757]: INFO    Exiting Fail2ban                                                               
7:46:45,931 fail2ban.server         [59407]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
7:46:45,932 fail2ban.database       [59407]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3' 
7:53:30,193 fail2ban.server         [4951]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
7:53:30,216 fail2ban.database       [4951]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'   
8:05:05,742 fail2ban.server         [4951]: INFO    Stopping all jails                                                             
8:05:05,743 fail2ban.server         [4951]: INFO    Exiting Fail2ban                                                               
8:05:05,932 fail2ban.server         [11298]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
8:05:05,932 fail2ban.database       [11298]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3' 
8:15:16,672 fail2ban.server         [11298]: INFO    Stopping all jails                                                             
8:15:16,673 fail2ban.server         [11298]: INFO    Exiting Fail2ban                                                               
8:15:16,865 fail2ban.server         [11735]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.4.dev0       
8:15:16,865 fail2ban.database       [11735]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'



Thanks
 
Joined
Dec 2, 2015
Messages
730
Can you see the login failures in the owncloud log? Assuming fail2ban is looking for the owncloud log in the correct location, it is possible that the format of the log lines with the failed login attempts differs from what the regex is looking for. You can test the regex using the "fail2ban-regex" command. You'll have to read the man pages to get the syntax for "fail2ban-regex".
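To make the fail2ban-regex suggestion above concrete, here is an added example (not part of this thread and not fail2ban's own code): a Python script that does roughly what `fail2ban-regex` does, using the two failregex lines posted earlier in this thread (the 7.0.2+ one with `Remote IP: '<HOST>'` inside the message and the 8.2/9 one with `"remoteAddr":"<HOST>"`), runs them over constructed owncloud.log lines in each layout, and then applies maxretry and findtime the way a jail would. The `<HOST>` expansion is an approximation of fail2ban's, the log lines are constructed rather than captured, and timestamps are read from the JSON `time` field instead of fail2ban's own date parser.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (an approximation of fail2ban 0.9's expansion).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines posted in this thread, verbatim.
FAILREGEX = {
    "7.0.x": r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}''',
    "8.2": r'''{"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}''',
}

def oc_line(version, reqid, remote_addr, user, ip, when, failed=True):
    """Constructed owncloud.log line in the layout each regex above expects (not real log output)."""
    if not failed:
        msg, level = "Login successful", 1
    elif version == "7.0.x":
        msg, level = "Login failed: '%s' (Remote IP: '%s', X-Forwarded-For: '')" % (user, ip), 2
    else:
        msg, level = "Login failed: '%s' (Remote IP: '%s')" % (user, ip), 2
    rec = {"reqId": reqid, "remoteAddr": remote_addr, "app": "core", "message": msg, "level": level, "time": when}
    return json.dumps(rec, separators=(",", ":"))

# constructed 7.0.4-style log: three quick failures from one host, one from another, one success
LOG_704 = [
    oc_line("7.0.x", "a1", "", "admin", "203.0.113.7", "2016-04-28T12:40:01+00:00"),
    oc_line("7.0.x", "a2", "", "admin", "203.0.113.7", "2016-04-28T12:40:20+00:00"),
    oc_line("7.0.x", "a3", "", "root", "203.0.113.7", "2016-04-28T12:40:45+00:00"),
    oc_line("7.0.x", "a4", "", "bob", "198.51.100.9", "2016-04-28T12:41:00+00:00"),
    oc_line("7.0.x", "a5", "", "bob", "198.51.100.9", "2016-04-28T12:41:30+00:00", failed=False),
]
# constructed 8.2-style log: one host spreads its failures past findtime, another trips maxretry
LOG_82 = [
    oc_line("8.2", "b1", "203.0.113.7", "admin", "203.0.113.7", "2016-04-28T12:40:01+00:00"),
    oc_line("8.2", "b2", "203.0.113.7", "admin", "203.0.113.7", "2016-04-28T12:40:10+00:00"),
    oc_line("8.2", "b3", "203.0.113.7", "admin", "203.0.113.7", "2016-04-28T13:05:00+00:00"),
    oc_line("8.2", "b4", "192.0.2.55", "alice", "192.0.2.55", "2016-04-28T12:50:00+00:00"),
    oc_line("8.2", "b5", "192.0.2.55", "alice", "192.0.2.55", "2016-04-28T12:50:05+00:00"),
    oc_line("8.2", "b6", "192.0.2.55", "alice", "192.0.2.55", "2016-04-28T12:50:09+00:00"),
]

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def match_lines(failregex, lines):
    """Roughly what fail2ban-regex reports: (host, timestamp) for every line the regex matches.
    The timestamp is read from the JSON 'time' field here; fail2ban uses its own date detector."""
    pat = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pat.search(line)
        if m:
            hits.append((m.group("host"), datetime.fromisoformat(json.loads(line)["time"])))
    return hits

def ban_candidates(hits, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside a sliding findtime-second window (600 s is fail2ban's default)."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), []
    for host, ts in sorted(hits, key=lambda h: h[1]):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def check(version, lines, maxretry=3):
    """Apply one posted failregex to a log and report matches and the hosts a jail would ban."""
    hits = match_lines(FAILREGEX[version], lines)
    return {"matched": len(hits), "banned": ban_candidates(hits, maxretry)}

if __name__ == "__main__":
    for version, log in (("7.0.x", LOG_704), ("8.2", LOG_704), ("7.0.x", LOG_82), ("8.2", LOG_82)):
        fmt = "7.0.x" if log is LOG_704 else "8.2"
        print("regex %-5s on %s-format log: %s" % (version, fmt, check(version, log)))
```

Running a 7.0.x-format log through the 8.2 regex, or the other way round, matches nothing, which is the silent failure several posters hit: fail2ban starts cleanly, the jail appears in fail2ban.log, and `ipfw table 1 list` stays empty. The real `fail2ban-regex /path/to/owncloud.log /usr/local/etc/fail2ban/filter.d/owncloud.conf` prints the same kind of match count, and a count of 0 means the logpath or the regex is wrong before anything about ipfw needs looking at. It is also worth reading fail2ban.log for which jail actually started: the excerpt in rodofrn's post shows only one jail being created, with a name starting 'haproxy-ht', so the first thing to confirm there is that an owncloud jail is defined and enabled at all.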
 

MrUnknownEMC

Explorer
Joined
Feb 20, 2016
Messages
55
Can you see the login failures in the owncloud log? Assuming fail2ban is looking for the owncloud log in the correct location, it is possible that the format of the log lines with the failed login attempts differs from what the regex is looking for. You can test the regex using the "fail2ban-regex" command. You'll have to read the man pages to get the syntax for "fail2ban-regex".


When I access the owncloud log at ~usr\pbi\owncloud-amd64\www\owncloud\data\owncloud.log it is an empty file; I did change the log file to this location during the setup. I don't see any login failure log entries, as the log file is empty, lol.
 
Joined
Dec 2, 2015
Messages
730
When I access the owncloud log at ~usr\pbi\owncloud-amd64\www\owncloud\data\owncloud.log it is an empty file; I did change the log file to this location during the setup. I don't see any login failure log entries, as the log file is empty, lol.
That log path looks like one for a plugin. All the instructions in this thread are about owncloud in a jail. I assume that fail2ban could be setup to work with owncloud as a plugin, but some of the paths would differ from those described in this thread.

Did you install the owncloud plugin, or did you manually create a jail and put owncloud in the jail?
 