
Install and Setup Fail2Ban on OwnCloud portsjail


Rickle (Member, joined Aug 14, 2013, 38 messages)
This guide shows how I set up Fail2ban on my OwnCloud portjail setup.
This will not work with an OwnCloud plugin jail! This is only for a manually installed OwnCloud in a portjail, as seen in this post. Thanks to Joshua for an awesome tutorial.

Fail2Ban will lock out any IP address that fails to provide an appropriate password for 3 attempts.
This will avoid DoS attacks and brute-force attacks.

Make sure your OwnCloud install is working properly and your configuration files are backed up before proceeding. This allows you to restore to the working state in the event you have issues with this setup.

Setup IPFW
IPFW (IP firewall) should be installed in the jail by default

add these lines to /etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"


edit the ipfw rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
 
#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any
 
# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any

Check your firewall rules:
Code:
ipfw list
Setup Fail2Ban
Fail2Ban installation:
Code:
pkg install security/py-fail2ban
Configuration:
Code:
cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local

add the following to /usr/local/etc/fail2ban/jail.local
make sure to change the "logpath" to your owncloud.log location
Code:
# jail section name; the options below must sit under this header
[owncloud]
enabled  = true
filter   = owncloud
action   = ipfw-owncloud
logpath  = /*Change_to_owncloud_data_dir*/owncloud.log
maxretry = 3
port     = 80,443
protocol = tcp


add the following to /usr/local/etc/fail2ban/filter.d/owncloud.conf
Code:
[Definition]
failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*
ignoreregex =

Code:
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-owncloud.conf
edit the following lines in /usr/local/etc/fail2ban/action.d/ipfw-owncloud.conf
Code:
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

This directory allows the socket for fail2ban to be created, as required in fail2ban.local
Code:
mkdir /var/run/fail2ban
add the following lines to /usr/local/www/owncloud/config/config.php
replace #### with your timezone; see here for possible timezone entries
Code:
'log_authfailip' => true,
'logtimezone' => '####/####',

restart all relevant services:
Code:
service nginx restart
service php-fpm restart
service fail2ban restart
service ipfw restart


test by entering the wrong password more than 3 times
***if it works, your IP will be blocked from your OwnCloud for 10 minutes***

if it does not work, you may verify the following:
check the fail2ban logs at
Code:
/var/log/fail2ban.log

check the firewall table to see if an IP has been added
Code:
ipfw table 1 list

check your owncloud.log for failed login attempts
Code:
grep password /mnt/owncloud.log
 

SmallGuy (Neophyte Sage, joined Jun 7, 2013, 560 messages)
Thanks for this post, I'm going to install OwnCloud and ask myself how to do it right. I think this post and Joshua's one will help me make a customized OwnCloud install on a portjail.
I think I'll change some 'ipfw.rules', as I need other rules like SMTP outgoing traffic, and I will probably deny http traffic when 'all' is configured properly.
But I like the idea of blocking access after 3 failed login attempts...
I want to add ClamAV also, to scan the uploaded files.
Some job in perspective....:)
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Hey SmallGuy, happy to see you are willing to take the challenge :) It's well worth it.
I remember seeing a plugin for ClamAV a while back but it disappeared. Would like to hear how you make out with it.

Best of luck

Sent from my Nexus 4 using Tapatalk
 

Aubury (Junior Member, joined Mar 27, 2014, 15 messages)
I tried to set this up, but it doesn't seem to work; this was my fail2ban.log
Code:
014-03-27 21:15:24,815 fail2ban.server [15979]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.12
2014-03-27 21:15:24,816 fail2ban.jail  [15979]: INFO    Creating new jail 'ssh-blocklist'
2014-03-27 21:15:24,816 fail2ban.jail  [15979]: INFO    Jail 'ssh-blocklist' uses poller
2014-03-27 21:15:24,834 fail2ban.jail  [15979]: INFO    Initiated 'polling' backend
2014-03-27 21:15:24,834 fail2ban.filter [15979]: INFO    Added logfile = /mnt/files/owncloud.log
2014-03-27 21:15:24,835 fail2ban.filter [15979]: INFO    Set maxRetry = 5
2014-03-27 21:15:24,836 fail2ban.filter [15979]: INFO    Set findtime = 600
2014-03-27 21:15:24,836 fail2ban.actions[15979]: INFO    Set banTime = 600
2014-03-27 21:15:24,837 fail2ban.filter [15979]: ERROR  No 'host' group in '{"app":"core","message":"Login failed: user '.*' , wrong password, I'
2014-03-27 21:15:24,837 fail2ban.comm  [15979]: WARNING Command ['set', 'ssh-blocklist', 'addfailregex', '{"app":"core","message":"Login failed: user \'.*\' , wrong password, I'] has failed. Received RegexException('No \'host\' group in \'{"app":"core","message":"Login failed: user \'.*\' , wrong password, I\'',)

Unsure what I did wrong, perhaps you can help.
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Looks like fail2ban is failing while setting up for ssh. It might be a default setting that needs to be disabled or commented out. I'll have to check my configs to compare.

Sent from my Nexus 4 using Tapatalk
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Check your jail.d file to make sure SSH is set to disabled (or configure it as needed).
The file should be located under /usr/local/fail2ban/

My SSH configurations in jail.d are set to:
enabled = false
filter = sshd
Hope that helps
 

Aubury (Junior Member, joined Mar 27, 2014, 15 messages)
check your jail.d file to make sure SSH is set to disabled (or configure it as needed)
the file should be located under /usr/local/fail2ban/

my SSH configurations in Jail.d are set to:
enabled = false
filter = sshd
hope that helps
I assumed you meant /usr/local/etc/fail2ban because /usr/local/fail2ban doesn't exist ;) I looked at jail.local (I think that's what I needed to look at); anything that mentioned ssh or sshd was enabled = false
Code:
[ssh-iptables]
 
enabled  = false
filter  = sshd
action  = iptables[name=SSH, port=ssh, protocol=tcp]
          sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@examp$
logpath  = /var/log/auth.log
maxretry = 5
 

xtuh (Neophyte, joined Mar 30, 2014, 5 messages)
Sorry for the noob question.
I have installed OC inside a standard jail and I can't find owncloud.log.
Where must it be by default?
 

xtuh (Neophyte, joined Mar 30, 2014, 5 messages)
Thanks.
In my case the log was in /usr/local/www/owncloud/data/owncloud.log
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Thanks.
in my case log was in /usr/local/www/owncloud/data/owncloud.log
It looks like the data directory is inside your jail (I might be wrong). I would recommend you mount a dataset from FreeNAS instead of using the jail as storage. That way, your data is stored on a dataset instead of on the OwnCloud jail. This makes things easier to recover in the event your jail ever fails.

Sent from my Nexus 4 using Tapatalk
 

xtuh (Neophyte, joined Mar 30, 2014, 5 messages)
Is it a good idea to give the dataset a quota, for example 500 GB, and increase it if needed?
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
is it a good idea to give dataset a quota, for example 500 Gb, and increase it if needed?
I guess it depends on what you want to do. You sure can set up a quota in FreeNAS. OwnCloud also has quotas that you can set per user; I would think that would be the best bet.

Sent from my Nexus 4 using Tapatalk
 

Aubury (Junior Member, joined Mar 27, 2014, 15 messages)
I guess it depends on what you want to do. You sure can setup a quota in freenas. Owncloud also has quotas that you can set per user, i would think that would be the best bet.

Sent from my Nexus 4 using Tapatalk
I do both. I originally had it use the jail's quota, which at the time didn't have a quota, so any time another dataset used storage the total disk space reported to OwnCloud would decrease. So I just gave it a dataset with its own size, so the percentage of storage used reported by OwnCloud is more accurate.
 

marian78 (Member, joined Jun 30, 2011, 207 messages)
I think I found what's wrong:

here is the original /usr/local/etc/fail2ban/filter.d/owncloud.conf:

  1. [Definition]
  2. failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, I
  3. P:<HOST>.*
  4. ignoreregex =

Rows 2. and 3. are the same row:

  1. [Definition]
  2. failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*}
  3. ignoreregex =

Marian L.
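As an added example (not code from this thread, from OwnCloud or from fail2ban itself), the following Python applies the owncloud.conf failregex from the guide the way fail2ban would to constructed owncloud.log lines in the format quoted in the thread, reports which hosts exceed maxretry = 3 inside findtime = 600 s, and rejects the line-wrapped copy of the regex that produced Aubury's "No 'host' group" error. The <HOST> expansion is simplified to an IPv4 group (an assumption; fail2ban's own is broader), and the sample log lines are constructed, not real data.

```python
import re
from datetime import datetime, timedelta

# failregex from the thread's filter.d/owncloud.conf (correct, single-line form)
FAILREGEX = r'''{"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*'''
# the line-wrapped copy from Aubury's log: "IP:<HOST>" was split, so the <HOST> tag is gone
BROKEN_FAILREGEX = r'''{"app":"core","message":"Login failed: user '.*' , wrong password, I'''
# fail2ban replaces <HOST> with a named group; an IPv4-only stand-in is assumed here
HOST_GROUP = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'

def compile_failregex(failregex):
    """Reject a failregex without <HOST>, as fail2ban does ("No 'host' group")."""
    if '<HOST>' not in failregex:
        raise ValueError("No 'host' group in %r" % failregex)
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))

def banned_hosts(log_lines, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Hosts with maxretry or more matching failures within any findtime-second window."""
    pattern = compile_failregex(failregex)
    failures = {}
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue
        # the owncloud.log entry carries its own "time" field; parse that, not the clock
        when = datetime.fromisoformat(re.search(r'"time":"([^"]+)"', line).group(1))
        failures.setdefault(m.group('host'), []).append(when)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in failures.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return sorted(banned)

# constructed owncloud.log lines in the format quoted in the thread (not real data)
SAMPLE_LOG = [
    '{"app":"core","message":"Login failed: user \'testuser\' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-05T20:04:02+05:00"}',
    '{"app":"core","message":"Login failed: user \'testuser\' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-05T20:04:04+05:00"}',
    '{"app":"core","message":"Login failed: user \'testuser\' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-05T20:04:05+05:00"}',
    '{"app":"core","message":"Login failed: user \'alice\' , wrong password, IP:192.0.2.10","level":2,"time":"2014-05-05T20:04:07+05:00"}',
    '{"app":"core","message":"Login failed: user \'alice\' , wrong password, IP:192.0.2.10","level":2,"time":"2014-05-05T21:30:00+05:00"}',
    '{"app":"core","message":"Login failed: user \'alice\' , wrong password, IP:192.0.2.10","level":2,"time":"2014-05-05T21:30:02+05:00"}',
    '{"app":"files","message":"Unrelated entry mentioning 10.147.161.168","level":1,"time":"2014-05-05T20:04:08+05:00"}',
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))   # 192.0.2.10 has 3 failures, but not within 600 s
```

The second host shows why findtime matters: three failures spread over more than 600 seconds never trigger a ban, which is worth keeping in mind when testing by hand.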
 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Thanks for pointing that out Marian, I fixed the formatting issue.

Sent from my Nexus 4 using Tapatalk
 

mrMuppet (Member, joined Mar 14, 2014, 191 messages)
I tried your tutorial, but I can't get it to work:
if I use three wrong passwords I can find it in the owncloud.log and also if I type "ipfw list". It shows me:
Code:
00100 unreach port tcp from 192.168.178.202 to 127.0.0.1 dst-port 22
65535 allow ip from any to any

but I can still login to OwnCloud. After 10 minutes the first line of "ipfw list" is gone.

"ipfw table 1 list" doesn't show anything.

What can I do?

Edit: when I restart ipfw I get:

Code:
root@owncloud:/ # service ipfw restart
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
'pfw: bad command `flush
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
: not foundetc/ipfw.rules:
'pfw: bad command `add
: not foundetc/ipfw.rules:
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
'pfw: bad command `add
Firewall rules loaded.


Edit: [SOLVED] used the wrong editor for ipfw.rules (some wrong "^M" at the end of each line) and checked all other edited files... now it works!!
 

HenningS (Neophyte, joined Apr 7, 2014, 5 messages)
If you have a separate volume for your OwnCloud data folder like me, then just create a cronjob that copies your owncloud.log from your data directory into your OwnCloud jail. That did it for me. Let the job run every minute..
 

MuneebMufti (Member, joined May 5, 2014, 36 messages)
I have ownCloud installed in a PortsJail according to Joshua's guide, as in your OP. I followed your guide to installing fail2ban and it worked fine. My problem is that when I tested the firewall with a wrong password I can retry as many times as I want and my access is not restricted after 3 incorrect attempts. I tried a wrong password 4 or 5 times in a row and on the next attempt I wrote the correct one and I could access my account. I checked the logs and they show that my IP was banned after the 3rd attempt but I can still access the login page and keep trying. Where did I go wrong?

My owncloud is version 6.0.2 and here is dump of my fail2ban.log file.

06 15:14:50,872 fail2ban.jail [48586]: INFO Jail 'owncloud' stopped
06 15:14:50,873 fail2ban.server [48586]: INFO Exiting Fail2ban
06 15:14:53,494 fail2ban.server [48603]: INFO Changed logging target to /var/
06 15:14:53,495 fail2ban.jail [48603]: INFO Creating new jail 'owncloud'
06 15:14:53,496 fail2ban.jail [48603]: INFO Jail 'owncloud' uses poller
06 15:14:53,518 fail2ban.jail [48603]: INFO Initiated 'polling' backend
06 15:14:53,519 fail2ban.filter [48603]: INFO Added logfile = /files/owncloud
06 15:14:53,520 fail2ban.filter [48603]: INFO Set maxRetry = 3
06 15:14:53,521 fail2ban.filter [48603]: INFO Set findtime = 600
06 15:14:53,521 fail2ban.actions[48603]: INFO Set banTime = 600
06 15:14:53,527 fail2ban.jail [48603]: INFO Jail 'owncloud' started
06 15:16:10,605 fail2ban.actions[48603]: WARNING [owncloud] Ban 10.147.161.168

and here is owncloud.log dump

47.161.168","level":2,"time":"2014-05-05T20:04:02+05:00"}
{"app":"core","message":"Login failed: user 'testuser' , wrong password, IP:10.1
47.161.168","level":2,"time":"2014-05-05T20:04:04+05:00"}
{"app":"core","message":"Login failed: user 'testuser' , wrong password, IP:10.1
47.161.168","level":2,"time":"2014-05-05T20:04:05+05:00"}
{"app":"core","message":"Login failed: user 'testuser' , wrong password, IP:10.1
47.161.168","level":2,"time":"2014-05-05T20:04:09+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-05T20:09:36+05:00"}
{"app":"core","message":"Login failed: user 'junaidmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-05T22:07:15+05:00"}
{"app":"core","message":"Login failed: user 'junaidmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-05T22:07:21+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-06T15:16:00+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-06T15:16:05+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-06T15:16:09+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-06T15:16:13+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:1
0.147.161.168","level":2,"time":"2014-05-06T15:16:16+05:00"}

 

Rickle (Member, joined Aug 14, 2013, 38 messages)
Looks like fail2ban sees and acts on the bad passwords, according to the logs. It might be the action it takes that is not working. That is... adding the IP to the firewall using table 1.
List the firewall rules to see if your IP is there. (It should only be there for 600 sec, then it should be auto removed.)


Sent from my Nexus 4 using Tapatalk
 