Install and Setup Fail2Ban on OwnCloud portsjail

Status
Not open for further replies.

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Thank you for the quick response. The IP was there too back then. I just retried and here is what I get from the ipfw table 1 list command:

10.147.161.168/32 0

That's my laptop's IP, but I can still try as many times as I want and I don't get banned.
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
Thank you for the quick response. The IP was there too back then. I just retried and here is what I get from the ipfw table 1 list command:

10.147.161.168/32 0

That's my laptop's IP, but I can still try as many times as I want and I don't get banned.

Please check your firewall rules to make sure table 1 is listed as deny.

ipfw list

Ex: deny ip from table(1) to any




Sent from my Nexus 4 using Tapatalk
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
I used your guide and made the ipfw.rules file according to your directions. The line is there:

#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any

Here is the full text of my file ipfw.rules, located at /usr/local/etc/:

Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any

# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything
$IPF 500 deny log all from any to any
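One thing worth checking in a ruleset like the one above is rule order: ipfw evaluates rules in number order and the first match wins. Rule 50 (check-state) and rule 60 (allow tcp ... established) sit in front of rule 90, so packets that belong to a TCP connection a client already has open still pass even after fail2ban puts that client into table 1; only new connections (fresh SYNs) reach the deny. That is consistent with the "works only after a refresh" behaviour reported later in this thread, although the thread never confirms it. The following script is an added example, not code from the thread or from fail2ban: it parses a rules file written in the `$IPF <number> ...` form used above, reports the stateful rules that fire before the table deny, and renumbers the deny into the free slot in front of them. The copy of the posted rules embedded as `POSTED_RULES` is constructed sample input for the check.

```python
import re

# Constructed copy of the ipfw.rules posted above, used as sample input.
POSTED_RULES = """\
IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 90 deny all from 'table(1)' to any
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 500 deny log all from any to any
"""

RULE_RE = re.compile(r"^\$IPF\s+(\d+)\s+(.+)$")
# Keywords of rules that pass packets belonging to an already-open flow.
STATEFUL = ("established", "check-state", "keep-state")


def parse_rules(script):
    """Return [(number, body)] for every '$IPF <n> ...' line, in rule-number order."""
    rules = []
    for line in script.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return sorted(rules)


def ban_rule_number(rules):
    """Number of the first deny rule that references a lookup table, or None."""
    for num, body in rules:
        plain = body.replace("'", "").replace('"', "")
        if plain.startswith("deny") and re.search(r"\btable\(\d+\)", plain):
            return num
    return None


def stateful_rules_before_ban(rules):
    """(ban_number, [(number, body)]) for allow/check-state rules that ipfw consults
    before the table deny and that can match packets of existing connections."""
    ban = ban_rule_number(rules)
    if ban is None:
        return None, []
    leaks = [(n, b) for n, b in rules
             if n < ban
             and (b.startswith("allow") or b.startswith("check-state"))
             and any(k in b for k in STATEFUL)]
    return ban, leaks


def renumber_ban_rule(script):
    """Return the script with the table deny renumbered into the free slot directly
    before the first stateful rule. Only the number matters to ipfw; the line can
    stay where it is in the file."""
    rules = parse_rules(script)
    ban, leaks = stateful_rules_before_ban(rules)
    if not leaks:
        return script
    target = leaks[0][0] - 1
    if target <= 0 or target in {n for n, _ in rules}:
        raise ValueError("no free rule number before rule %d; renumber by hand" % leaks[0][0])
    pattern = r"^(\s*\$IPF\s+)%d(\s)" % ban
    return re.sub(pattern, r"\g<1>%d\2" % target, script, count=1, flags=re.MULTILINE)


if __name__ == "__main__":
    ban, leaks = stateful_rules_before_ban(parse_rules(POSTED_RULES))
    print("table deny is rule %s, but these rules are consulted first:" % ban)
    for num, body in leaks:
        print("  %4d %s" % (num, body))
    print(renumber_ban_rule(POSTED_RULES))
```

On the posted file the check reports rules 50, 60 and 70 and moves the deny to rule 49. After such a change, a ban also cuts connections the banned address already holds open (browser keep-alive, the desktop sync client), instead of only refusing new ones.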
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
Please restart your services; there might be something holding fail2ban up.

Do:
service nginx restart
service fail2ban restart
service ipfw restart

Sent from my Nexus 4 using Tapatalk
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
I did a restart of all 3.

Code:
root@HomeCloud:/ # service nginx restart
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 55007.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
root@HomeCloud:/ # service fail2ban restart
Shutdown successful
2014-05-06 19:00:44,929 fail2ban.server [55049]: INFO    Starting Fail2ban v0.8.12
2014-05-06 19:00:44,930 fail2ban.server [55049]: INFO    Starting in daemon mode
root@HomeCloud:/ # service ipfw restart
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
Firewall rules loaded.


After that I tried multiple wrong attempts. I can still try as many times as I want. Here is the new log dump:

Code:
root@HomeCloud:/ # ipfw table 1 list
10.147.161.168/32 0

Fail2ban.log:
06 19:00:41,585 fail2ban.server [48603]: INFO    Stopping all jails
06 19:00:42,342 fail2ban.jail  [48603]: INFO    Jail 'owncloud' stopped
06 19:00:42,343 fail2ban.server [48603]: INFO    Exiting Fail2ban
06 19:00:45,078 fail2ban.server [55051]: INFO    Changed logging target to /var/
06 19:00:45,078 fail2ban.jail  [55051]: INFO    Creating new jail 'owncloud'
06 19:00:45,080 fail2ban.jail  [55051]: INFO    Jail 'owncloud' uses poller
06 19:00:45,103 fail2ban.jail  [55051]: INFO    Initiated 'polling' backend
06 19:00:45,105 fail2ban.filter [55051]: INFO    Added logfile = /files/owncloud
06 19:00:45,105 fail2ban.filter [55051]: INFO    Set maxRetry = 3
06 19:00:45,106 fail2ban.filter [55051]: INFO    Set findtime = 600
06 19:00:45,107 fail2ban.actions[55051]: INFO    Set banTime = 600
06 19:00:45,113 fail2ban.jail  [55051]: INFO    Jail 'owncloud' started
06 19:01:33,163 fail2ban.actions[55051]: WARNING [owncloud] Ban 10.147.161.168

owncloud.log:
0.147.161.168","level":2,"time":"2014-05-06T15:53:55+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:53:57+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:53:58+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:53:59+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:54:01+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:54:02+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T15:54:03+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T19:01:28+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T19:01:30+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T19:01:32+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T19:01:33+05:00"}
{"app":"core","message":"Login failed: user 'muneebmufti' , wrong password, IP:10.147.161.168","level":2,"time":"2014-05-06T19:01:35+05:00"}
root@HomeCloud:/ #
 

mrMuppet

Contributor
Joined
Mar 14, 2014
Messages
192
I tried it with my installation: I can enter multiple wrong passwords. Every time I enter a wrong one, I can enter a new one after some ms. When I enter the working login then, it stops working. Firefox waits but nothing happens. So I think you cannot enter my site, but with this different behaviour you can find out the right password by brute force. You just have to try many passwords, and when the browser suddenly stops then you know you got the right one. Then you have to wait some minutes and then you can enter...
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
I tried it with my installation: I can enter multiple wrong passwords. Every time I enter a wrong one, I can enter a new one after some ms. When I enter the working login then, it stops working. Firefox waits but nothing happens. So I think you cannot enter my site, but with this different behaviour you can find out the right password by brute force. You just have to try many passwords, and when the browser suddenly stops then you know you got the right one. Then you have to wait some minutes and then you can enter...

I got it working. Thank you very much for helping me troubleshoot. BTW, I was using an actual user ID and a wrong password to try this, e.g. (userID: testuser, pass: 1234): I was writing testuser in the username field and anything but 1234 in the password field, and it kept on letting me try over and over. I googled "Fail2Ban not blocking IP", came across another thread, and even though that person was using fail2ban on CentOS for some other purpose and not OwnCloud, he suggested that he fixed the problem by making some changes in the file

/usr/local/etc/fail2ban/jail.local

Code:
In jail.local there is a "backend" option; this can be set to "gamin", "polling" or "auto", which chooses whatever method is available.

If I set this to "polling" Fail2Ban started working, but with "auto" or "gamin" it didn't.


In my case I checked the backend option in my jail.local file. It was on auto. I changed it to polling and restarted all services; that didn't change anything, but when I changed it to gamin and did another restart, right after 3 attempts the page could not be found, the OwnCloud desktop client also stopped working, and exactly 10 minutes later the page was accessible again and the client synced automatically. I am a novice when it comes to Linux/Unix/FreeBSD; maybe you can shed light on why changing this option worked. Either way, I am happy it's fully functional now.

Here is a link to that guy's thread and his post for reference.
http://www.howtoforge.com/forums/showthread.php?t=37659

On a side note, are you using OwnCloud 6.0.2 or 6.0.3? Initially I installed 6.0.3 using Joshua's guide, and after setting up the initial account and other usernames and passwords from my laptop via LAN, when I tried opening OwnCloud from other machines over the internet I would get the OwnCloud index page with this red text: "You are accessing the server from an untrusted domain. Please contact your administrator. If you are administrator add trusted domain in conf file", and the place to enter username and password was removed.

I would get this message from whichever system I tried to access OwnCloud from, apart from the local LAN system which I used to initially set up OwnCloud; that system had full access. After wasting a lot of time on it I deleted the jail and did a fresh install, but used OwnCloud 6.0.2, and the problem was gone. (PS: I had used 6.0.1 before over the internet on other machines and never encountered this issue, but I was using the plugin for FreeNAS.)
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
MuneebMufti,
So from this we see that fail2ban works, as it finds out which IP is misbehaving and adds it to the firewall to block it.
From what I can tell, it seems to be the firewall that is not doing its job.
Are you running the jail with the VIMAGE setting enabled? I believe the firewall would not work if it were set (or it's the other way around; I don't have access to my FreeNAS console right now to confirm). The firewall should not even be able to start, but it's something to check.

Try pinging the server's IP address from the client while the client IP is added by fail2ban in the firewall.
If you get ping replies, then the firewall is definitely not working.

mrMuppet,
That is not how fail2ban should work.
fail2ban should look at your logs, find misbehaving IP addresses and add them to the local firewall to block them completely for a set amount of time.
I would recommend you review the logs and configuration for fail2ban.
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
VIMAGE is enabled... Should I disable it? I don't remember Joshua's guide specifying to untick it; I left it at the default.
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
No, leave VIMAGE alone if it's working :)
That will kill your firewall (I think it unloads network modules and shares them with the host, thus disabling the firewall).

Glad you got it working.
I would have never thought of that... good find.

As for the version of OC I am using, I just upgraded 6.0.2 to 6.0.3 this weekend without issues.
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Thanks for the reply and for helping me troubleshoot. Cheers, have a good day :)

 

mrMuppet

Contributor
Joined
Mar 14, 2014
Messages
192
mrMuppet,
That is not how fail2ban should work.
fail2ban should look at your logs, find misbehaving IP addresses and add them to the local firewall to block them completely for a set amount of time.
I would recommend you review the logs and configuration for fail2ban.

Hmmm... I checked fail2ban.log:
Code:
2014-05-06 21:56:17,430 fail2ban.server [97578]: INFO    Exiting Fail2ban
2014-05-06 21:56:18,397 fail2ban.server [97716]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.12
2014-05-06 21:56:18,397 fail2ban.jail  [97716]: INFO    Creating new jail 'ssh-blocklist'
2014-05-06 21:56:18,398 fail2ban.jail  [97716]: INFO    Jail 'ssh-blocklist' uses poller
2014-05-06 21:56:18,406 fail2ban.jail  [97716]: WARNING Could only initiated 'polling' backend whenever 'gamin' was requested
2014-05-06 21:56:18,407 fail2ban.filter [97716]: INFO    Added logfile = /mnt/files/owncloud.log
2014-05-06 21:56:18,407 fail2ban.filter [97716]: INFO    Set maxRetry = 3
2014-05-06 21:56:18,408 fail2ban.filter [97716]: INFO    Set findtime = 600
2014-05-06 21:56:18,408 fail2ban.actions[97716]: INFO    Set banTime = 600
2014-05-06 21:56:18,410 fail2ban.jail  [97716]: INFO    Jail 'ssh-blocklist' started
2014-05-06 21:56:20,412 fail2ban.actions[97716]: WARNING [ssh-blocklist] Ban 88.XXX.XXX.228
2014-05-06 21:56:20,415 fail2ban.actions[97716]: WARNING [ssh-blocklist] Ban 192.168.178.79
2014-05-06 21:58:32,549 fail2ban.actions[97716]: WARNING [ssh-blocklist] Ban 192.168.178.31


Code:
ipfw table 1 list

lists the correct IP numbers.

and
Code:
cat /mnt/owncloud.log | grep password
lists my wrong tries:
Code:
{"app":"core","message":"Login failed: user 'Admingf' , wrong password, IP:192.168.178.31","level":2,"time":"2014-05-06T21:58:45+02:00"}
{"app":"core","message":"Login failed: user 'Admingf' , wrong password, IP:192.168.178.31","level":2,"time":"2014-05-06T21:58:57+02:00"}


What is wrong?

I tried "gamin" (and installed it via pkg) but nothing changed. It's still not banning as long as I don't reload the page. When I reload it, the page is no longer accessible....
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Well, after further checking I saw the same thing. After 3 attempts the page is usually accessible unless you refresh the page; then it becomes unavailable. But I had the OwnCloud desktop client running on that system too, and that almost instantly breaks. And gamin worked for me; for the post I shared, something else worked for him and not gamin. I was cycling through all options for backend until I got the needed result.
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
If you have to refresh, then it sounds like it's working, but your browser might just have cached the page.

As a test, enter a wrong password until it's supposed to lock. Then try to ping the server... If you can't ping it, then you're banned.

Sent from my Nexus 4 using Tapatalk
 

MuneebMufti

Dabbler
Joined
May 5, 2014
Messages
36
Hey Rickle, I need your help one more time. I deleted the jail and did a fresh install of OwnCloud, and I followed the same guide, but this time I unchecked VIMAGE, NAT and Vanilla. Everything installed smoothly; I reached your guide and did everything as told, but there is some issue with ipfw. Can you please check and let me know how to fix it? It is probably giving the error due to IPv6 being disabled. Here is what I get when I try to start the ipfw service:

Code:
sysctl: net.inet6.ip6.fw.enable=0: Operation not permitted
ipfw: setsockopt(IP_FW_FLUSH): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
ipfw: getsockopt(IP_FW_ADD): Operation not permitted
Firewall rules loaded.
/etc/rc.d/ipfw: WARNING: failed to enable IPv4 firewall
/etc/rc.d/ipfw: WARNING: failed to enable IPv6 firewall
 

Rickle

Dabbler
Joined
Aug 14, 2013
Messages
38
Re-enable Vimage and restart the jail

Sent from my Nexus 4 using Tapatalk
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
this guide is pretty sweet!
 

clamschlauder

Dabbler
Joined
Feb 23, 2013
Messages
26
Update: After hours of searching for why my instance was not running correctly, I found this piece of info. The way OwnCloud logs failed attempts changed from 7.0.1 to 7.0.2.

The top row is for OwnCloud <= 7.0.1, the bottom row for OwnCloud 7.0.2.

Code:
failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}
            {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}


Source link: http://www.rojtberg.net/711/secure-owncloud-server/
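A quick way to confirm that a failregex actually matches the log format a given OwnCloud version writes, before restarting fail2ban and waiting for a ban that never comes, is to run the patterns over a few log lines and apply the maxretry/findtime counting that the fail2ban.log excerpts earlier in this thread show (maxRetry = 3, findtime = 600). The script below is an added example written for this thread, not fail2ban's own filter code: it takes the two failregex lines from the post above, swaps fail2ban's `<HOST>` placeholder for a simplified IP capture group (an assumption; fail2ban's real expansion is broader), and decides which hosts would be banned. The log lines are constructed sample data in OwnCloud's compact JSON form; the 10.147.161.168 timestamps mirror the owncloud.log excerpt earlier in the thread, the other addresses are made up.

```python
import json
import re
from datetime import datetime, timedelta

# The two failregex patterns from the post above: OwnCloud <= 7.0.1 first, 7.0.2 second.
FAILREGEX = [
    r'''{"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}''',
    r'''{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}''',
]
# Assumption: simplified stand-in for fail2ban's <HOST> expansion (IPv4/IPv6 literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f.:]+)"
TIME_RE = re.compile(r'"time":"([^"]+)"')


def oc_line(message, when):
    """Build a log line in OwnCloud's compact JSON layout (constructed sample data)."""
    return json.dumps({"app": "core", "message": message, "level": 2, "time": when},
                      separators=(",", ":"))


OLD_FMT = "Login failed: user '%s' , wrong password, IP:%s"                 # <= 7.0.1
NEW_FMT = "Login failed: '%s' (Remote IP: '%s', X-Forwarded-For: '')"      # 7.0.2

SAMPLE_LOG = (
    [oc_line(OLD_FMT % ("muneebmufti", "10.147.161.168"), "2014-05-06T19:01:%02d+05:00" % s)
     for s in (28, 30, 32, 33, 35)]
    + [oc_line(OLD_FMT % ("Admingf", "192.168.178.31"), "2014-05-06T21:58:%02d+02:00" % s)
       for s in (45, 57)]
    + [oc_line(NEW_FMT % ("alice", "203.0.113.7"), "2014-09-01T10:%02d:00+02:00" % m)
       for m in (0, 5, 15)]
    + [oc_line("Something unrelated happened", "2014-09-01T10:16:00+02:00")]
)


def compile_failregex(patterns=FAILREGEX):
    """Turn fail2ban-style patterns into compiled regexes with a 'host' group."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def extract_failures(log_lines, regexes=None):
    """Return (timestamp, host) for every line matching one of the failregex patterns."""
    regexes = regexes or compile_failregex()
    failures = []
    for line in log_lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                t = TIME_RE.search(line)
                when = datetime.fromisoformat(t.group(1)) if t else None
                failures.append((when, m.group("host")))
                break
    return failures


def hosts_to_ban(log_lines, maxretry=3, findtime=600):
    """Approximate fail2ban's rule: ban a host once maxretry failures fall within
    findtime seconds. Returns {host: ISO time of the attempt that triggered the ban}."""
    per_host = {}
    for when, host in extract_failures(log_lines):
        if when is not None:
            per_host.setdefault(host, []).append(when)
    banned = {}
    window = timedelta(seconds=findtime)
    for host, times in per_host.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                banned[host] = times[i].isoformat()
                break
    return banned


if __name__ == "__main__":
    for when, host in extract_failures(SAMPLE_LOG):
        print("failure", host, when)
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

With the thread's settings only 10.147.161.168 is banned (at its third attempt, 19:01:32); 192.168.178.31 has just two failures in the sample and the 7.0.2-format host spreads three over 15 minutes, beyond findtime. Two things worth noting about the 7.0.2 pattern: it captures the Remote IP, not the X-Forwarded-For value, which is the right choice because a client can put anything in that header; and for that same reason, if OwnCloud sits behind a reverse proxy the Remote IP is the proxy's own address, so a ban would have to be applied on the proxy rather than on the OwnCloud host.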
 