Rickle
Dabbler
- Joined
- Aug 14, 2013
- Messages
- 38
This guide shows how I set up Fail2ban on my OwnCloud portjail setup.
This will not work with an OwnCloud plugin jail! This is only for a manually installed OwnCloud in a portjail as seen in this post. Thanks to Joshua for an awesome tutorial.
Fail2Ban will lock out any IP address that fails to provide an appropriate password for 3 attempts.
This helps avoid DoS attacks and brute-force attacks.
Make sure your OwnCloud install is working properly and your configuration files are backed up before proceeding. This allows you to restore to the working state in the event you are having issues with this setup.
Setup IPFW
IPFW (IP firewall) should be installed in the jail by default.
Add these lines to /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"
edit the ipfw rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
#firewall rule used by Fail2Ban to block traffic
# (rules 50-60 are evaluated first, so a connection that is already
#  established when an IP is banned keeps passing; new connections are dropped)
$IPF 90 deny all from 'table(1)' to any
# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any
Check your firewall Rules:
Code:
ipfw list
Setup Fail2BAN
Fail2Ban installation:
Code:
pkg install security/py-fail2ban
Configuration:
Code:
cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
add the following to /usr/local/etc/fail2ban/jail.local
make sure to change the "logpath" to your owncloud.log location
Code:
# jail name in brackets; "owncloud" is used here to match the filter name
[owncloud]
enabled = true
filter = owncloud
action = ipfw-owncloud
logpath = /*Change_to_owncloud_data_dir*/owncloud.log
maxretry = 3
port = 80,443
protocol = tcp
add the following to /usr/local/etc/fail2ban/filter.d/owncloud.conf
Code:
[Definition]
failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*
ignoreregex =
Code:
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-owncloud.conf
edit the following lines in /usr/local/etc/fail2ban/action.d/ipfw-owncloud.conf
Code:
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>
create this directory so that the socket for fail2ban can be created as required in fail2ban.local
Code:
mkdir /var/run/fail2ban
add the following lines to /usr/local/www/owncloud/config/config.php
replace #### with your timezone. see here for possible timezone entries
Code:
'log_authfailip' => true,
'logtimezone' => '####/####',
restart all relevant services:
Code:
service nginx restart
service php-fpm restart
service fail2ban restart
service ipfw restart
test by entering the wrong password more than 3 times
***if it works, your IP will be blocked from your owncloud for 10 minutes***
if it does not work, you may verify the following
check the fail2ban logs at
Code:
/var/log/fail2ban.log
check the firewall table to see if an ip has been added
Code:
ipfw table 1 list
check your owncloud.log for failed login attempts
Code:
cat /mnt/owncloud.log | grep password
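To check the filter itself when bans do not appear, the following added example (not part of the original guide) applies the guide's failregex to constructed owncloud.log lines and lists which IPs would reach maxretry. Assumptions: the IPv4-only pattern stands in for fail2ban's own <HOST> expansion, the findtime window is ignored, and the line without an IP is a guess at what is logged when 'log_authfailip' is not enabled.

```python
import re
from collections import Counter

# failregex copied from filter.d/owncloud.conf in the guide.
FAILREGEX = r"""{"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*"""
# Assumption: simplified IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
MAXRETRY = 3  # maxretry from jail.local


def _line(msg, app="core"):
    """Build one JSON-style log line in the shape the failregex expects."""
    return ('{"app":"%s","message":"%s","level":2,'
            '"time":"2014-01-01T10:00:00+00:00"}' % (app, msg))


# Constructed sample lines (not real log data), documentation-range addresses.
FAIL = "Login failed: user '%s' , wrong password, IP:%s"
SAMPLE_LOG = (
    [_line(FAIL % ("admin", "203.0.113.7"))] * 3        # reaches maxretry
    + [_line(FAIL % ("alice", "198.51.100.20"))]        # single typo
    + [_line("Login failed: user 'bob' , wrong password")]  # no IP logged
    + [_line("scan finished", app="files")]             # unrelated entry
)


def failures_per_host(lines):
    """Count lines the filter would treat as a failed login, per source IP."""
    counts = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


def unmatched_failures(lines):
    """Login-failure lines the filter misses, e.g. logged without an IP."""
    return [l for l in lines if "Login failed" in l and not PATTERN.search(l)]


if __name__ == "__main__":
    print("failures:", dict(failures_per_host(SAMPLE_LOG)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
    print("missed by filter:", len(unmatched_failures(SAMPLE_LOG)))
```

On the jail itself, `fail2ban-regex /path/to/owncloud.log /usr/local/etc/fail2ban/filter.d/owncloud.conf` runs the real filter against the real log.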