Difference between revisions of "Fail2ban/nextcloud"
From SETV Springfield Technical Wiki
(Created page with "This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. == Set Up IPFW == FreeNAS' jail uses IPFW as the basic firewall. Add this line in: <co...") |
m (Tag: Visual edit) |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. | + | This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. <ref>https://forums.freenas.org/index.php?threads/install-and-setup-fail2ban-on-owncloud-portsjail.19216/</ref><ref>https://forums.freebsd.org/threads/23734/</ref><ref>https://forum.owncloud.org/viewtopic.php?t=28678</ref> |
== Set Up IPFW == | == Set Up IPFW == | ||
FreeNAS' jail uses IPFW as the basic firewall. | FreeNAS' jail uses IPFW as the basic firewall. | ||
| − | Add | + | Add these lines at the bottom of: <code>/etc/rc.conf</code> |
Code: | Code: | ||
| Line 10: | Line 10: | ||
firewall_script="/usr/local/etc/ipfw.rules" | firewall_script="/usr/local/etc/ipfw.rules" | ||
fail2ban_enable="YES" | fail2ban_enable="YES" | ||
| + | SAVE | ||
| + | |||
MAKE the ipfw.rules file: | MAKE the ipfw.rules file: | ||
<code>/usr/local/etc/ipfw.rules</code> | <code>/usr/local/etc/ipfw.rules</code> | ||
| − | + | === Edit IPFW Rules === | |
| + | Edit rules file <code>/usr/local/etc/ipfw.rules</code> | ||
Code: | Code: | ||
| Line 20: | Line 23: | ||
IPF="ipfw -q add" | IPF="ipfw -q add" | ||
ipfw -q -f flush | ipfw -q -f flush | ||
| − | #loopback | + | <nowiki>#</nowiki>loopback |
$IPF 10 allow all from any to any via lo0 | $IPF 10 allow all from any to any via lo0 | ||
$IPF 20 deny all from any to 127.0.0.0/8 | $IPF 20 deny all from any to 127.0.0.0/8 | ||
$IPF 30 deny all from 127.0.0.0/8 to any | $IPF 30 deny all from 127.0.0.0/8 to any | ||
$IPF 40 deny tcp from any to any frag | $IPF 40 deny tcp from any to any frag | ||
| − | # statefull | + | <nowiki>#</nowiki> statefull |
$IPF 50 check-state | $IPF 50 check-state | ||
$IPF 60 allow tcp from any to any established | $IPF 60 allow tcp from any to any established | ||
$IPF 70 allow all from any to any out keep-state | $IPF 70 allow all from any to any out keep-state | ||
$IPF 80 allow icmp from any to any | $IPF 80 allow icmp from any to any | ||
| − | #firewall rule used by Fail2Ban to block traffic | + | <nowiki>#</nowiki>firewall rule used by Fail2Ban to block traffic |
$IPF 90 deny all from 'table(1)' to any | $IPF 90 deny all from 'table(1)' to any | ||
| − | # open port DNS (53) | + | <nowiki>#</nowiki> open port DNS (53) |
| − | # http (80), https (443) etc | + | <nowiki>#</nowiki> http (80), https (443) etc |
$IPF 150 allow tcp from any to any 443 in | $IPF 150 allow tcp from any to any 443 in | ||
$IPF 160 allow tcp from any to any 443 out | $IPF 160 allow tcp from any to any 443 out | ||
| Line 44: | Line 47: | ||
$IPF 220 allow tcp from any to any 22 in | $IPF 220 allow tcp from any to any 22 in | ||
$IPF 230 allow tcp from any to any 22 out | $IPF 230 allow tcp from any to any 22 out | ||
| − | # deny and log everything | + | <nowiki>#</nowiki> deny and log everything |
$IPF 500 deny log all from any to any | $IPF 500 deny log all from any to any | ||
| + | ''SAVE'' | ||
| + | == Set Up Fail2Ban == | ||
| + | |||
| + | === Install Fail2Ban === | ||
| + | <code>pkg install security/py-fail2ban</code> | ||
| + | |||
| + | === Configuration === | ||
| + | cd /usr/local/etc/fail2ban | ||
| + | cp fail2ban.conf fail2ban.local | ||
| + | cp jail.conf jail.local | ||
| + | |||
| + | ==== Edit jail.local ==== | ||
| + | Insert at very bottom: | ||
| + | |||
| + | enabled = true | ||
| + | filter = nextcloud | ||
| + | action = ipfw-nextcloud | ||
| + | logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log | ||
| + | maxretry = 3 | ||
| + | port = 80,443 | ||
| + | protocol = tcp | ||
| + | ''SAVE'' | ||
| + | |||
| + | ==== Add ssh.conf to jail.d ==== | ||
| + | Now we need to enable SSH Fail2Ban | ||
| + | <code>cd /usr/local/etc/fail2ban/jail.d</code> | ||
| + | |||
| + | <code>nano sshd.conf</code> | ||
| + | [ssh-ipfw] | ||
| + | enabled = true | ||
| + | filter = sshd | ||
| + | action = ipfw-sshd | ||
| + | logpath = /var/log/auth.log | ||
| + | ignoreip = [insert SSD net IPs] | ||
| + | maxretry = 3 | ||
| + | ''SAVE'' | ||
| + | |||
| + | ==== Add nextcloud.conf to filter.d ==== | ||
| + | <code>cd /usr/loca/etc/fail2ban/filter.d</code> | ||
| + | |||
| + | <code> nano nextcloud.conf</code> | ||
| + | [Definition] | ||
| + | failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"} | ||
| + | ignoreregex = | ||
| + | ''SAVE'' | ||
| + | ** '''''MAKE SURE 'failregex' is ALL ONE LINE!''''' | ||
| + | |||
| + | ==== Setup action.d for Nextcloud and SSH ==== | ||
| + | <code>cd /usr/local/etc/fail2ban/action.d</code> | ||
| + | cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf | ||
| + | cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf | ||
| + | |||
| + | in each new *.conf file | ||
| + | |||
| + | '''FIND:''' | ||
| + | |||
| + | <code>actionban =</code> | ||
| + | |||
| + | '''ADD AFTER '='''' ''(replacing anything already there)'' | ||
| + | |||
| + | <code>ipfw table 1 add <ip></code> | ||
| + | |||
| + | '''FIND:''' | ||
| + | |||
| + | <code>actionunban =</code> | ||
| + | |||
| + | '''ADD AFTER '='''' ''(replacing anything already there)'' | ||
| + | |||
| + | <code>ipfw table 1 delete <ip></code> | ||
| + | |||
| + | ''SAVE'' | ||
| + | |||
| + | === Enable Logging in NC and SSHD === | ||
| + | Lastly, enable SSH and Nextcloud logging: | ||
| + | |||
| + | <code> cd /etc/ssh</code> | ||
| + | <code> nano sshd_config</code> | ||
| + | FIND: | ||
| + | <code>LOGGING</code> | ||
| + | Change: | ||
| + | # Logging | ||
| + | <nowiki>#</nowiki> obsoletes QuietMode and FascistLogging | ||
| + | <nowiki>#</nowiki> SyslogFacility AUTH | ||
| + | <nowiki>#</nowiki> LogLevel INFO | ||
| + | |||
| + | TO: | ||
| + | # Logging | ||
| + | # obsoletes QuietMode and FascistLogging | ||
| + | SyslogFacility AUTH | ||
| + | LogLevel INFO | ||
| + | ''SAVE'' | ||
| + | |||
| + | <code> cd /usr/local/www/apache24/data/nextcloud/config</code> | ||
| + | |||
| + | <code> nano config.php </code> | ||
| + | |||
| + | '''FIND:''' | ||
| + | |||
| + | <code> 'logtimezone' </code> | ||
| + | |||
| + | '''ABOVE THAT LINE ADD:''' | ||
| + | |||
| + | <code> 'log_authfailip' => true, </code> | ||
| + | SAVE | ||
| + | |||
| + | == Restart services == | ||
| + | service apache24 restart | ||
| + | service sshd restart | ||
| + | service ipfw restart | ||
| + | service fail2ban start | ||
| + | |||
| + | If all goes will, you should see something like: | ||
| + | |||
| + | 2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0 | ||
| + | 2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon mode | ||
| + | |||
| + | Any errors, check <code>/var/log/fail2ban.log</code> for further info, and google what you find. | ||
| + | [[Category:SETV Guides]] | ||
Latest revision as of 18:06, 26 September 2016
This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. [1][2][3]
Contents
Set Up IPFW
FreeNAS' jail uses IPFW as the basic firewall.
Add these lines at the bottom of: /etc/rc.conf
Code:
firewall_enable="YES" firewall_script="/usr/local/etc/ipfw.rules" fail2ban_enable="YES"
SAVE
MAKE the ipfw.rules file:
/usr/local/etc/ipfw.rules
Edit IPFW Rules
Edit rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag # statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any #firewall rule used by Fail2Ban to block traffic $IPF 90 deny all from 'table(1)' to any # open port DNS (53) # http (80), https (443) etc $IPF 150 allow tcp from any to any 443 in $IPF 160 allow tcp from any to any 443 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out $IPF 220 allow tcp from any to any 22 in $IPF 230 allow tcp from any to any 22 out # deny and log everything $IPF 500 deny log all from any to any
SAVE
Set Up Fail2Ban
Install Fail2Ban
pkg install security/py-fail2ban
Configuration
cd /usr/local/etc/fail2ban cp fail2ban.conf fail2ban.local cp jail.conf jail.local
Edit jail.local
Insert at very bottom:
enabled = true filter = nextcloud action = ipfw-nextcloud logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log maxretry = 3 port = 80,443 protocol = tcp
SAVE
Add ssh.conf to jail.d
Now we need to enable SSH Fail2Ban
cd /usr/local/etc/fail2ban/jail.d
nano sshd.conf
[ssh-ipfw] enabled = true filter = sshd action = ipfw-sshd logpath = /var/log/auth.log ignoreip = [insert SSD net IPs] maxretry = 3
SAVE
Add nextcloud.conf to filter.d
cd /usr/loca/etc/fail2ban/filter.d
nano nextcloud.conf
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
SAVE
- MAKE SURE 'failregex' is ALL ONE LINE!
Setup action.d for Nextcloud and SSH
cd /usr/local/etc/fail2ban/action.d
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf
in each new *.conf file
FIND:
actionban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 add <ip>
FIND:
actionunban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 delete <ip>
SAVE
Enable Logging in NC and SSHD
Lastly, enable SSH and Nextcloud logging:
cd /etc/ssh
nano sshd_config
FIND:
LOGGING
Change:
# Logging # obsoletes QuietMode and FascistLogging # SyslogFacility AUTH # LogLevel INFO
TO:
# Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO
SAVE
cd /usr/local/www/apache24/data/nextcloud/config
nano config.php
FIND:
'logtimezone'
ABOVE THAT LINE ADD:
'log_authfailip' => true,
SAVE
Restart services
service apache24 restart service sshd restart service ipfw restart service fail2ban start
If all goes will, you should see something like:
2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0 2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon modeAny errors, check
/var/log/fail2ban.log for further info, and google what you find.
