Fail2ban/nextcloud
This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. [1][2][3]
Set Up IPFW
FreeNAS jails use IPFW as their basic firewall.
Add these lines at the bottom of: /etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"
SAVE
MAKE the ipfw.rules file:
/usr/local/etc/ipfw.rules
Edit IPFW Rules
Edit rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any

# open ports: DNS (53), http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 22 in
$IPF 230 allow tcp from any to any 22 out

# deny and log everything
$IPF 500 deny log all from any to any
SAVE
Set Up Fail2Ban
Install Fail2Ban
pkg install security/py-fail2ban
Configuration
cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
Edit jail.local
Insert at the very bottom (the settings need their own section header, otherwise they are applied to whatever jail is defined last in the file; the section name is just a label):
[nextcloud]
enabled = true
filter = nextcloud
action = ipfw-nextcloud
logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log
maxretry = 3
port = 80,443
protocol = tcp
SAVE
Add sshd.conf to jail.d
Now we need to enable the SSH jail in Fail2Ban:
cd /usr/local/etc/fail2ban/jail.d
nano sshd.conf
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw-sshd
logpath = /var/log/auth.log
ignoreip = [insert SSD net IPs]
maxretry = 3
SAVE
Add nextcloud.conf to filter.d
cd /usr/local/etc/fail2ban/filter.d
nano nextcloud.conf
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
SAVE
- MAKE SURE 'failregex' is ALL ONE LINE!
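The failregex only matches the exact field layout shown, so it pays to check it against real log lines before relying on it; fail2ban ships fail2ban-regex for that (fail2ban-regex /path/to/nextcloud.log nextcloud.conf). The Python script below is an added example, not part of the original guide: it applies the same regex offline to constructed nextcloud.log lines, expanding <HOST> the way fail2ban 0.9 does (assumed here), counts failures per host, and prints the actionban command for any host reaching maxretry = 3 (findtime is ignored).

```python
import re
from collections import Counter

# The failregex from nextcloud.conf on this page, copied as one line. fail2ban
# expands the <HOST> tag itself; the expansion below is the fail2ban 0.9 form
# (assumed here): an optional IPv4-mapped prefix and a named group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}"""
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Constructed nextcloud.log sample (one JSON object per line). Line 3 is not a
# login failure and line 6 has the same fields in a different order, which the
# regex does not accept: the filter is tied to this exact field layout.
SAMPLE_LOG = """\
{"reqId":"r1","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-09-26T13:55:01+00:00"}
{"reqId":"r2","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')","level":2,"time":"2016-09-26T13:55:03+00:00"}
{"reqId":"r3","remoteAddr":"198.51.100.9","app":"files","message":"Scanned folder","level":1,"time":"2016-09-26T13:55:04+00:00"}
{"reqId":"r4","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.7')","level":2,"time":"2016-09-26T13:55:09+00:00"}
{"reqId":"r5","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-09-26T13:56:00+00:00"}
{"reqId":"r6","level":2,"time":"2016-09-26T13:56:30+00:00","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')"}
"""


def failed_logins(log_text):
    """Count lines matched by the filter, keyed by the captured <HOST>."""
    hits = Counter()
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts at or above maxretry (3 in jail.local on this page).
    Real fail2ban also limits this to a findtime window; ignored here."""
    return sorted(host for host, n in failed_logins(log_text).items() if n >= maxretry)


def actionban_commands(hosts, table=1):
    """The actionban line from ipfw-nextcloud.conf, one command per host."""
    return ["ipfw table %d add %s" % (table, host) for host in hosts]


if __name__ == "__main__":
    for host, n in sorted(failed_logins(SAMPLE_LOG).items()):
        print("%-15s %d failed logins" % (host, n))
    for cmd in actionban_commands(hosts_to_ban(SAMPLE_LOG)):
        print("would run:", cmd)
```

If a newer Nextcloud release adds or reorders fields, the sample's sixth line shows what happens: nothing matches and nobody gets banned, so re-run the check after upgrades.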
Setup action.d for Nextcloud and SSH
cd /usr/local/etc/fail2ban/action.d
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf
In each new *.conf file:
FIND:
actionban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 add <ip>
FIND:
actionunban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 delete <ip>
SAVE
Enable Logging in NC and SSHD
Lastly, enable SSH and Nextcloud logging:
cd /etc/ssh
nano sshd_config
FIND:
LOGGING
Change:
# Logging
# obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
# LogLevel INFO
TO:
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
SAVE
cd /usr/local/www/apache24/data/nextcloud/config
nano config.php
FIND:
'logtimezone'
ABOVE THAT LINE ADD:
'log_authfailip' => true,
SAVE
Restart services
service apache24 restart
service sshd restart
service ipfw restart
service fail2ban start
If all goes well, you should see something like:
2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0
2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon mode
If there are any errors, check /var/log/fail2ban.log for further info, and google what you find.