Owncloud not blocking failed logins

Status
Not open for further replies.

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
I don't know if this is the right forum to ask that question, but I got plenty of help here for different things, so I might ask:
I have a jail with owncloud and nginx installed. I've configured nginx for perfect forward secrecy (working fine via Qualys SSL Labs - Projects / SSL Server Test).
The only problem I see is that owncloud doesn't block IP addresses which failed to log in multiple times. Now after 4 days of running my owncloud my server gets heavy access from some IPs, possibly brute forcing the login script. After an hour I realized the increase in traffic and shut it down temporarily.
Now my question: What are my choices? I've read about geo-locking which looks promising but is there any way in addition to block any IPs which failed the login form like 3 times?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630

RussianMafia

Cadet
Joined
Jul 29, 2014
Messages
4
Comrade Iskear:

Your Russian comrades wish you a hearty Zdravstvuyche, and hope that with all of your family is well, da? Do not listen to DrKK who has grown fat on the profits of evil capitalist America. He is, as we say in the glorious Russian language, ебанат. You should not use fail2ban on server, comrade. It is one of the tools the West uses to oppress the great thinkers, like you. fail2ban makes your server wide open to NSA and Mossad. Your idea of use of ban-by-country IP space is a good one, comrade, but I suggest you ban the Amerikanskii and the Canadienskii, as everyone knows they are the source of most of the...how you say...the hacking. As for the many attempts that you see for the logging in, that is merely your friendly Russians merely verifying that you have chosen password wisely. Well done, tovarishch, you can plainly see that your pr0n is quite secure against capitalist intrusion. If you will please provide us with your IP address and log in credentials, we will have Pyotr from our Owncloud department log in and check to make sure that all is good with jail and owncloud and web server da?
 

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
Thank you, sorry for my late answer. fail2ban looks promising, I think this combined with a general geo-lock of the IP addresses is pretty strong, I've read there is an addon for nginx. I don't understand why owncloud itself doesn't block anything itself....
 

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
Well, I did exactly as shown in your link http://www.rojtberg.net/711/secure-owncloud-server/
but it's still not blocking anything. In my fail2ban log there are some errors from iptables where I didn't find anything helpful on Google.
It looks like that (I copied just the last attempt, the regular file is now around 700 lines but repeating this):
Code:
2015-02-02 20:49:57,768 fail2ban.server         [5504]: ERROR   Unable to remove PID file: [Errno 2] No such file or directory: '/var/run/fail2ban/fail2ban.pid'
2015-02-02 20:49:57,768 fail2ban.server         [5504]: INFO    Exiting Fail2ban
2015-02-02 20:55:29,673 fail2ban.server         [9350]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-02-02 20:55:29,675 fail2ban.database       [9350]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2015-02-02 20:55:29,730 fail2ban.jail           [9350]: INFO    Creating new jail 'owncloud'
2015-02-02 20:55:29,741 fail2ban.jail           [9350]: INFO    Jail 'owncloud' uses poller
2015-02-02 20:55:29,784 fail2ban.filter         [9350]: INFO    Set jail log file encoding to US-ASCII
2015-02-02 20:55:29,784 fail2ban.jail           [9350]: INFO    Initiated 'polling' backend
2015-02-02 20:55:29,862 fail2ban.filter         [9350]: INFO    Added logfile = /var/log/owncloud.log
2015-02-02 20:55:29,864 fail2ban.filter         [9350]: INFO    Set maxRetry = 3
2015-02-02 20:55:29,866 fail2ban.filter         [9350]: INFO    Set jail log file encoding to US-ASCII
2015-02-02 20:55:29,867 fail2ban.actions        [9350]: INFO    Set banTime = 2592000
2015-02-02 20:55:29,868 fail2ban.filter         [9350]: INFO    Set findtime = 600
2015-02-02 20:55:29,932 fail2ban.transmitter    [9350]: WARNING Command ['start', 'owncloud'] has failed. Received TypeError("'NoneType' object has no attribute '__getitem__'",)
2015-02-02 20:55:29,993 fail2ban.action         [9350]: ERROR   iptables -N f2b-owncloud
iptables -A f2b-owncloud -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud -- stdout: ''
2015-02-02 20:55:29,993 fail2ban.action         [9350]: ERROR   iptables -N f2b-owncloud
iptables -A f2b-owncloud -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud -- stderr: 'iptables: not found\niptables: not found\niptables: not found\n'
2015-02-02 20:55:29,993 fail2ban.action         [9350]: ERROR   iptables -N f2b-owncloud
iptables -A f2b-owncloud -j RETURN
iptables -I INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud -- returned 127
2015-02-02 20:55:29,994 fail2ban.action         [9350]: INFO    HINT on 127: "Command not found".  Make sure that all commands in 'iptables -N f2b-owncloud\niptables -A f2b-owncloud -j RETURN\niptables -I INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2015-02-02 20:55:29,994 fail2ban.actions        [9350]: ERROR   Failed to start jail 'owncloud' action 'iptables-multiport': Error starting action


My filter seems to work via fail2ban-regex and when I fail to log in enough there are entries like this:
Code:
2015-02-02 21:08:08,688 fail2ban.filter [9350]: INFO Log rotation detected for /var/log/owncloud.log
2015-02-02 21:08:08,689 fail2ban.filter [9350]: INFO [owncloud] Found 10.0.0.20
2015-02-02 21:08:11,743 fail2ban.filter [9350]: INFO [owncloud] Found 10.0.0.20
2015-02-02 21:08:13,793 fail2ban.filter [9350]: INFO [owncloud] Found 10.0.0.20
2015-02-02 21:08:14,758 fail2ban.actions [9350]: NOTICE [owncloud] Ban 10.0.0.20
2015-02-02 21:08:14,864 fail2ban.action [9350]: ERROR iptables -n -L INPUT | grep -q 'f2b-owncloud[ \t]' -- stdout: ''
2015-02-02 21:08:14,864 fail2ban.action [9350]: ERROR iptables -n -L INPUT | grep -q 'f2b-owncloud[ \t]' -- stderr: 'iptables: not found\n'
2015-02-02 21:08:14,865 fail2ban.action [9350]: ERROR iptables -n -L INPUT | grep -q 'f2b-owncloud[ \t]' -- returned 1
2015-02-02 21:08:14,865 fail2ban.CommandAction [9350]: ERROR Invariant check failed. Trying to restore a sane environment
2015-02-02 21:08:14,972 fail2ban.action [9350]: ERROR iptables -D INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud
iptables -F f2b-owncloud
iptables -X f2b-owncloud -- stdout: ''
2015-02-02 21:08:14,972 fail2ban.action [9350]: ERROR iptables -D INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud
iptables -F f2b-owncloud
iptables -X f2b-owncloud -- stderr: 'iptables: not found\niptables: not found\niptables: not found\n'
2015-02-02 21:08:14,973 fail2ban.action [9350]: ERROR iptables -D INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud
iptables -F f2b-owncloud
iptables -X f2b-owncloud -- returned 127
2015-02-02 21:08:14,973 fail2ban.action [9350]: INFO HINT on 127: "Command not found". Make sure that all commands in 'iptables -D INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud\niptables -F f2b-owncloud\niptables -X f2b-owncloud' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2015-02-02 21:08:14,973 fail2ban.actions [9350]: ERROR Failed to execute ban jail 'owncloud' action 'iptables-multiport' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x803eb0ed8>, 'matches': u'{"app":"core","message":"Login failed: \'a\' (Remote IP: \'10.0.0.20\', X-Forwarded-For: \'\')","level":2,"time":"2015-02-02T21:08:07+01:00"}\n{"app":"core","message":"Login failed: \'a\' (Remote IP: \'10.0.0.20\', X-Forwarded-For: \'\')","level":2,"time":"2015-02-02T21:08:11+01:00"}\n{"app":"core","message":"Login failed: \'a\' (Remote IP: \'10.0.0.20\', X-Forwarded-For: \'\')","level":2,"time":"2015-02-02T21:08:13+01:00"}', 'ip': '10.0.0.20', 'ipmatches': <function <lambda> at 0x803eb0de8>, 'ipfailures': <function <lambda> at 0x803eb0f50>, 'time': 1422907694.758043, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x803ed5050>})': Error stopping action

Maybe you can help me, I tried everything I found via Google (that's why the complete file is around 700 lines).
Greetings
 

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
btw, I just did whereis iptables and got "iptables:". I'm new to FreeBSD and did a little research, do I need to use ipfw instead?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
OK, are you saying you're all up and running now?
 

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
Well, I got it up and running and when I fail to log in fail2ban shows this in the logs and "ipfw table 1 list" shows my IP, so it should be blocked, right? Except I can still ping the server till I execute "service ipfw restart". Then my IP is blocked and I have to wait 10min (default, I will alter that if it goes fully online). I'm currently looking for solutions for that....
 

iskear

Dabbler
Joined
Jan 13, 2015
Messages
11
Well, I had some spare time and did everything from scratch using the ports versions instead of the pkg ones. The whole install was 30min but worth it, it now works as intended (ports versions were sometimes newer).

Now with the recent release of OC8 you need a new fail2ban regex, by getting help on the official oc-forum here is a working one (for everybody having the same problem):
Code:
{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

Thanks to Chakalov at the OC-Forum at this point.

Greetings, Iskear
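
Added example (not part of the thread and not fail2ban's own code): a Python check of the OC8 failregex posted above against constructed log entries, applying the maxRetry = 3 and findtime = 600 values from the earlier fail2ban log. The `<HOST>` expansion is a simplified assumption and `log_line`, `find_bans` and all sample entries are constructed for illustration; three entries use the pre-8 layout seen in the ban log above, which the new regex does not match, which is how a log format change silently stops bans.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as posted above for the ownCloud 8 log format.
FAILREGEX = r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}"""
# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w.:-]+)"))
MAXRETRY = 3    # "Set maxRetry = 3" in the log above
FINDTIME = 600  # "Set findtime = 600" (seconds)

def log_line(ip, when, oc8=True):
    """Build one constructed 'Login failed' entry in ownCloud 8 or pre-8 layout."""
    msg = f"Login failed: 'admin' (Remote IP: '{ip}', X-Forwarded-For: '')"
    entry = {"reqId": "abc123", "remoteAddr": ip} if oc8 else {}
    entry.update({"app": "core", "message": msg, "level": 2, "time": when})
    return json.dumps(entry, separators=(",", ":"))

# Constructed sample log: a burst, a slow source, and old-format entries.
SAMPLE_LOG = (
    [log_line("203.0.113.7", f"2015-02-20T10:00:0{s}+00:00") for s in (1, 4, 7)]
    + [log_line("198.51.100.9", f"2015-02-20T10:{m}:00+00:00") for m in ("00", "15", "30")]
    + [log_line("10.0.0.20", f"2015-02-02T21:08:{s}+01:00", oc8=False) for s in ("07", "11", "13")]
)

def find_bans(lines):
    """Return hosts reaching MAXRETRY matched failures within FINDTIME seconds."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # not a failed login, or a layout the regex does not cover
        host = m.group("host")
        ts = datetime.fromisoformat(json.loads(line)["time"]).timestamp()
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > FINDTIME:  # drop failures outside the window
            hits.popleft()
        if len(hits) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```
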
 