Hello everyone
I wanted to secure my Nextcloud jail with fail2ban. fail2ban reacts, and with the command fail2ban-client status nextcloud I can also see that a ban was issued, but unfortunately I can still access Nextcloud. I suspect it is due to a misconfiguration in action.d/ipfw-nextcloud.local or in ipfw.rules.
The fail2ban log often says already banned:
2021-05-29 00:36:54,898 fail2ban.server [7150]: INFO --------------------------------------------------
2021-05-29 00:36:54,899 fail2ban.server [7150]: INFO Starting Fail2ban v0.11.2
2021-05-29 00:36:54,899 fail2ban.server [7150]: INFO Daemon started
2021-05-29 00:36:54,900 fail2ban.observer [7150]: INFO Observer start...
2021-05-29 00:36:54,940 fail2ban.database [7150]: INFO Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2021-05-29 00:36:54,941 fail2ban.jail [7150]: INFO Creating new jail 'nextcloud'
2021-05-29 00:36:54,949 fail2ban.jail [7150]: INFO Jail 'nextcloud' uses pyinotify {}
2021-05-29 00:36:54,954 fail2ban.jail [7150]: INFO Initiated 'pyinotify' backend
2021-05-29 00:36:54,956 fail2ban.datedetector [7150]: INFO date pattern `',?\\s*"time"\\s*:\\s*"%Y-%m-%d[T ]%H:%M:%S(%z)?"'`: `,?\s*"time"\s*:\s*"Year-Month-Day[T ]24hour:Minute:Second(Zone offset)?"`
2021-05-29 00:36:54,956 fail2ban.filter [7150]: INFO maxRetry: 1
2021-05-29 00:36:54,956 fail2ban.filter [7150]: INFO findtime: 43200
2021-05-29 00:36:54,956 fail2ban.actions [7150]: INFO banTime: 86400
2021-05-29 00:36:54,956 fail2ban.filter [7150]: INFO encoding: UTF-8
2021-05-29 00:36:54,956 fail2ban.filter [7150]: INFO Added logfile: '/var/log/nextcloud.log' (pos = 56404, hash = bcf05742b9aa2c23cbaf33e3d3c1e9ea96170ac8)
2021-05-29 00:36:55,094 fail2ban.jail [7150]: INFO Jail 'nextcloud' started
2021-05-29 00:36:55,173 fail2ban.actions [7150]: NOTICE [nextcloud] Restore Ban 444.333.111.22
2021-05-29 00:37:45,202 fail2ban.filter [7150]: INFO [nextcloud] Found 444.333.111.22 - 2021-05-29 00:37:45
2021-05-29 00:37:45,828 fail2ban.actions [7150]: WARNING [nextcloud] 444.333.111.22 already banned
2021-05-29 00:38:42,279 fail2ban.filter [7150]: INFO [nextcloud] Found 444.333.111.22 - 2021-05-29 00:38:42
2021-05-29 00:38:42,923 fail2ban.actions [7150]: WARNING [nextcloud] 444.333.111.22 already banned
2021-05-29 00:39:39,502 fail2ban.filter [7150]: INFO [nextcloud] Found 444.333.111.22 - 2021-05-29 00:39:39
2021-05-29 00:39:40,033 fail2ban.actions [7150]: WARNING [nextcloud] 444.333.111.22 already banned
My setup:
/etc/rc
Code:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"
/usr/local/etc/ipfw.rules <-- the error is probably in here?
Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any

# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 22 in
$IPF 230 allow tcp from any to any 22 out

# deny and log everything
$IPF 500 deny log all from any to any
/usr/local/etc/fail2ban/jail.d/nextcloud.conf
Code:
[nextcloud]
enabled = true
filter = nextcloud
action = ipfw-nextcloud
logpath = /var/log/nextcloud.log
maxretry = 1
port = 80,443
protocol = tcp
/usr/local/etc/fail2ban/filter.d/nextcloud.conf
Code:
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
/usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf <-- or is the error here???
Code:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

[Init]
port = https
localhost = 192.168.101.3
blocktype = unreach port
/usr/local/www/nextcloud/config/config.php
Code:
'logtimezone' => 'Europe/Zurich',
'Log_authfailip' => true,
'logfile' => '/var/log/nextcloud.log',
'loglevel' => 2,
fail2ban-regex /var/log/nextcloud.log /usr/local/etc/fail2ban/filter.d/nextcloud.conf
also works and outputs:
Lines: 89 lines, 0 ignored, 77 matched, 12 missed
I hope you can help me.
Regards and thanks
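
A way to confirm the symptom from fail2ban.log alone, as an added example that is not part of the original post: every `Found` entry for an address that fail2ban already holds as banned means a request from it still reached Nextcloud, so the ban is not being enforced at the firewall. The log lines are constructed in the format shown above with documentation-range addresses, and `leaky_bans` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the fail2ban.log format shown in the post
# (documentation-range addresses, not values taken from the post).
SAMPLE_LOG = """\
2021-05-29 00:36:55,173 fail2ban.actions [7150]: NOTICE [nextcloud] Restore Ban 203.0.113.7
2021-05-29 00:37:45,202 fail2ban.filter [7150]: INFO [nextcloud] Found 203.0.113.7 - 2021-05-29 00:37:45
2021-05-29 00:37:45,828 fail2ban.actions [7150]: WARNING [nextcloud] 203.0.113.7 already banned
2021-05-29 00:38:42,279 fail2ban.filter [7150]: INFO [nextcloud] Found 203.0.113.7 - 2021-05-29 00:38:42
2021-05-29 00:40:01,100 fail2ban.filter [7150]: INFO [nextcloud] Found 198.51.100.9 - 2021-05-29 00:40:01
2021-05-29 00:40:01,700 fail2ban.actions [7150]: NOTICE [nextcloud] Ban 198.51.100.9
2021-05-29 00:41:00,000 fail2ban.actions [7150]: NOTICE [nextcloud] Unban 198.51.100.9
2021-05-29 00:42:00,000 fail2ban.filter [7150]: INFO [nextcloud] Found 198.51.100.9 - 2021-05-29 00:42:00
"""

# Timestamp, component, pid, level, [jail], then either "<verb> <ip>" or
# "<ip> already banned". \s+ tolerates the column padding of real logs.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.(?:actions|filter)\s+"
    r"\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?:(?P<verb>Restore Ban|Ban|Unban|Found) (?P<ip>\S+)"
    r"|(?P<ip2>\S+) already banned)"
)

def leaky_bans(log_text):
    """Return {(jail, ip): [timestamps]} of requests logged while the IP was banned."""
    banned = set()
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["jail"], m["ip"] or m["ip2"])
        verb = m["verb"]
        if verb in ("Ban", "Restore Ban") or verb is None:
            # verb is None for "already banned": the ban predates this log excerpt.
            banned.add(key)
        elif verb == "Unban":
            banned.discard(key)
        elif verb == "Found" and key in banned:
            leaks[key].append(m["ts"])
    return dict(leaks)

if __name__ == "__main__":
    for (jail, ip), seen in leaky_bans(SAMPLE_LOG).items():
        print(f"[{jail}] {ip}: {len(seen)} request(s) while banned, last at {seen[-1]}")
```

An empty result for a jail with active bans is what a working action looks like; any entry here points at the ban action or the firewall ruleset rather than at the filter.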