Difference between revisions of "Fail2ban/nextcloud"
From SETV Springfield Technical Wiki
m |
m (Tag: Visual edit) |
||
| Line 49: | Line 49: | ||
<nowiki>#</nowiki> deny and log everything | <nowiki>#</nowiki> deny and log everything | ||
$IPF 500 deny log all from any to any | $IPF 500 deny log all from any to any | ||
| − | SAVE | + | ''SAVE'' |
== Set Up Fail2Ban == | == Set Up Fail2Ban == | ||
| Line 60: | Line 60: | ||
cp jail.conf jail.local | cp jail.conf jail.local | ||
| − | Edit jail.local | + | ==== Edit jail.local ==== |
| − | |||
Insert at very bottom: | Insert at very bottom: | ||
| Line 71: | Line 70: | ||
port = 80,443 | port = 80,443 | ||
protocol = tcp | protocol = tcp | ||
| − | SAVE | + | ''SAVE'' |
| + | |||
| + | ==== Add ssh.conf to jail.d ==== | ||
Now we need to enable SSH Fail2Ban | Now we need to enable SSH Fail2Ban | ||
<code>cd /usr/local/etc/fail2ban/jail.d</code> | <code>cd /usr/local/etc/fail2ban/jail.d</code> | ||
| Line 83: | Line 84: | ||
ignoreip = [insert SSD net IPs] | ignoreip = [insert SSD net IPs] | ||
maxretry = 3 | maxretry = 3 | ||
| − | SAVE | + | ''SAVE'' |
| + | |||
| + | ==== Add nextcloud.conf to filter.d ==== | ||
<code>cd /usr/loca/etc/fail2ban/filter.d</code> | <code>cd /usr/loca/etc/fail2ban/filter.d</code> | ||
| + | |||
<code> nano nextcloud.conf</code> | <code> nano nextcloud.conf</code> | ||
[Definition] | [Definition] | ||
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"} | failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"} | ||
ignoreregex = | ignoreregex = | ||
| − | SAVE | + | ''SAVE'' |
| + | ** '''''MAKE SURE 'failregex' is ALL ONE LINE!''''' | ||
| + | |||
| + | ==== Setup action.d for Nextcloud and SSH ==== | ||
<code>cd /usr/local/etc/fail2ban/action.d</code> | <code>cd /usr/local/etc/fail2ban/action.d</code> | ||
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf | cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf | ||
| Line 95: | Line 102: | ||
in each new *.conf file | in each new *.conf file | ||
| − | FIND: | + | |
| + | '''FIND:''' | ||
| + | |||
<code>actionban =</code> | <code>actionban =</code> | ||
| − | ADD AFTER '=' (replacing anything already there) | + | |
| + | '''ADD AFTER '='''' ''(replacing anything already there)'' | ||
| + | |||
<code>ipfw table 1 add <ip></code> | <code>ipfw table 1 add <ip></code> | ||
| − | FIND: | + | '''FIND:''' |
| + | |||
<code>actionunban =</code> | <code>actionunban =</code> | ||
| − | ADD AFTER '=' (replacing anything already there) | + | |
| + | '''ADD AFTER '='''' ''(replacing anything already there)'' | ||
| + | |||
<code>ipfw table 1 delete <ip></code> | <code>ipfw table 1 delete <ip></code> | ||
| − | |||
| + | ''SAVE'' | ||
| + | |||
| + | === Enable Logging in NC and SSHD === | ||
Lastly, enable SSH and Nextcloud logging: | Lastly, enable SSH and Nextcloud logging: | ||
| Line 114: | Line 130: | ||
Change: | Change: | ||
# Logging | # Logging | ||
| − | # obsoletes QuietMode and FascistLogging | + | <nowiki>#</nowiki> obsoletes QuietMode and FascistLogging |
| − | # SyslogFacility AUTH | + | <nowiki>#</nowiki> SyslogFacility AUTH |
| − | # LogLevel INFO | + | <nowiki>#</nowiki> LogLevel INFO |
TO: | TO: | ||
| Line 123: | Line 139: | ||
SyslogFacility AUTH | SyslogFacility AUTH | ||
LogLevel INFO | LogLevel INFO | ||
| − | SAVE | + | ''SAVE'' |
<code> cd /usr/local/www/apache24/data/nextcloud/config</code> | <code> cd /usr/local/www/apache24/data/nextcloud/config</code> | ||
| + | |||
<code> nano config.php </code> | <code> nano config.php </code> | ||
| − | FIND: | + | |
| + | '''FIND:''' | ||
| + | |||
<code> 'logtimezone' </code> | <code> 'logtimezone' </code> | ||
| − | ABOVE THAT LINE ADD: | + | |
| + | '''ABOVE THAT LINE ADD:''' | ||
| + | |||
<code> 'log_authfailip' => true, </code> | <code> 'log_authfailip' => true, </code> | ||
SAVE | SAVE | ||
| − | Restart services | + | == Restart services == |
service apache24 restart | service apache24 restart | ||
service sshd restart | service sshd restart | ||
Revision as of 18:03, 26 September 2016
This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail.
Contents
Set Up IPFW
FreeNAS' jail uses IPFW as the basic firewall.
Add these lines at the bottom of: /etc/rc.conf
Code:
firewall_enable="YES" firewall_script="/usr/local/etc/ipfw.rules" fail2ban_enable="YES"
SAVE
MAKE the ipfw.rules file:
/usr/local/etc/ipfw.rules
Edit IPFW Rules
Edit rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag # statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any #firewall rule used by Fail2Ban to block traffic $IPF 90 deny all from 'table(1)' to any # open port DNS (53) # http (80), https (443) etc $IPF 150 allow tcp from any to any 443 in $IPF 160 allow tcp from any to any 443 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out $IPF 220 allow tcp from any to any 22 in $IPF 230 allow tcp from any to any 22 out # deny and log everything $IPF 500 deny log all from any to any
SAVE
Set Up Fail2Ban
Install Fail2Ban
pkg install security/py-fail2ban
Configuration
cd /usr/local/etc/fail2ban cp fail2ban.conf fail2ban.local cp jail.conf jail.local
Edit jail.local
Insert at very bottom:
enabled = true filter = nextcloud action = ipfw-nextcloud logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log maxretry = 3 port = 80,443 protocol = tcp
SAVE
Add ssh.conf to jail.d
Now we need to enable SSH Fail2Ban
cd /usr/local/etc/fail2ban/jail.d
nano sshd.conf
[ssh-ipfw] enabled = true filter = sshd action = ipfw-sshd logpath = /var/log/auth.log ignoreip = [insert SSD net IPs] maxretry = 3
SAVE
Add nextcloud.conf to filter.d
cd /usr/loca/etc/fail2ban/filter.d
nano nextcloud.conf
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
SAVE
- MAKE SURE 'failregex' is ALL ONE LINE!
Setup action.d for Nextcloud and SSH
cd /usr/local/etc/fail2ban/action.d
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf
in each new *.conf file
FIND:
actionban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 add <ip>
FIND:
actionunban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 delete <ip>
SAVE
Enable Logging in NC and SSHD
Lastly, enable SSH and Nextcloud logging:
cd /etc/ssh
nano sshd_config
FIND:
LOGGING
Change:
# Logging # obsoletes QuietMode and FascistLogging # SyslogFacility AUTH # LogLevel INFO
TO:
# Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO
SAVE
cd /usr/local/www/apache24/data/nextcloud/config
nano config.php
FIND:
'logtimezone'
ABOVE THAT LINE ADD:
'log_authfailip' => true,
SAVE
Restart services
service apache24 restart service sshd restart service ipfw restart service fail2ban start
If all goes will, you should see something like:
2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0 2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon mode
Any errors, check /var/log/fail2ban.log for further info, and google what you find.
