Difference between revisions of "Fail2ban/nextcloud"
Latest revision as of 18:06, 26 September 2016
This quick guide shows how to enable Fail2Ban inside the NextCloud jail, so that repeated failed logins against Nextcloud and SSH are blocked at the jail's IPFW firewall. [1][2][3]
Set Up IPFW
FreeNAS' jail uses IPFW as the basic firewall.
Add these lines at the bottom of /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"
SAVE
Then create the rules file /usr/local/etc/ipfw.rules; its contents are given in the next step.
Edit IPFW Rules
Edit the rules file /usr/local/etc/ipfw.rules so that it contains:
Code:
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# firewall rule used by Fail2Ban to block traffic
# (must stay before the allow rules below: ipfw stops at the first match,
# so a banned host is dropped before the port 80/443/22 rules are reached)
$IPF 90 deny all from 'table(1)' to any

# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 22 in
$IPF 230 allow tcp from any to any 22 out

# deny and log everything
$IPF 500 deny log all from any to any
SAVE
Set Up Fail2Ban
Install Fail2Ban
pkg install security/py-fail2ban
Configuration
cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
Fail2Ban reads the .local copies on top of the .conf files, so the edits below survive a package upgrade.
Edit jail.local
Insert at the very bottom (the [nextcloud] section header is required so Fail2Ban knows where this jail starts):
[nextcloud]
enabled = true
filter = nextcloud
action = ipfw-nextcloud
logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log
maxretry = 3
port = 80,443
protocol = tcp
SAVE
Add sshd.conf to jail.d
Now enable the SSH jail as well:
cd /usr/local/etc/fail2ban/jail.d
nano sshd.conf
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw-sshd
logpath = /var/log/auth.log
ignoreip = [insert SSD net IPs]
maxretry = 3
SAVE
Add nextcloud.conf to filter.d
cd /usr/local/etc/fail2ban/filter.d
nano nextcloud.conf
[Definition]
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
SAVE
MAKE SURE 'failregex' is ALL ONE LINE! Leave the <HOST> placeholder exactly as written: Fail2Ban replaces it with its own IP-matching pattern, and that capture is the address the action bans.
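Before trusting the filter, it is worth checking what it actually matches. The following is an added example, not part of the original guide: it runs the failregex above over constructed nextcloud.log lines the way Fail2Ban would, expanding <HOST> with the pattern fail2ban 0.9 uses (an assumption on my part) and applying the jail's maxretry of 3. The helper names nc_line, failed_hosts and hosts_to_ban are mine; the last sample line shows that an entry with a different field order is silently not counted.

```python
import json
import re
from collections import Counter

# failregex copied verbatim from the nextcloud.conf filter above. Fail2Ban expands the
# <HOST> placeholder itself; the expansion below is the one fail2ban 0.9 uses (assumed).
FAILREGEX = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}'''
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
MAXRETRY = 3  # same value as in jail.local above


def nc_line(message, remote, level, extra=None):
    """Build one constructed nextcloud.log entry in the field order the regex expects."""
    entry = {"reqId": "req1", "remoteAddr": remote, "app": "core"}
    if extra:
        entry.update(extra)  # simulates a log line with extra fields before "message"
    entry.update({"message": message, "level": level, "time": "2016-09-26T13:58:00+00:00"})
    return json.dumps(entry, separators=(",", ":"))


def failed_hosts(lines):
    """Return the <HOST> captured from every line the filter counts as a failure."""
    return [m.group("host") for m in map(PATTERN.search, lines) if m]


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts reaching maxretry failures: what the ipfw-nextcloud action would add to table 1."""
    counts = Counter(failed_hosts(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample log: three failures from 203.0.113.7, one from 198.51.100.9,
# one successful login, and one failure whose field order differs (NOT matched).
SAMPLE = [
    nc_line("Login failed: 'bob' (Remote IP: '203.0.113.7')", "203.0.113.7", 2),
    nc_line("Login failed: 'bob' (Remote IP: '203.0.113.7')", "203.0.113.7", 2),
    nc_line("Login successful: 'alice'", "198.51.100.5", 1),
    nc_line("Login failed: 'root' (Remote IP: '198.51.100.9')", "198.51.100.9", 2),
    nc_line("Login failed: 'bob' (Remote IP: '203.0.113.7')", "203.0.113.7", 2),
    nc_line("Login failed: 'eve' (Remote IP: '192.0.2.4')", "192.0.2.4", 2, {"user": "--"}),
]

if __name__ == "__main__":
    print(failed_hosts(SAMPLE))  # ['203.0.113.7', '203.0.113.7', '198.51.100.9', '203.0.113.7']
    print(hosts_to_ban(SAMPLE))  # ['203.0.113.7']
```

On the jail itself the equivalent check against the real log is fail2ban-regex /usr/local/www/apache24/data/nextcloud/data/nextcloud.log /usr/local/etc/fail2ban/filter.d/nextcloud.conf.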
Setup action.d for Nextcloud and SSH
cd /usr/local/etc/fail2ban/action.d
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf
In each of the two new *.conf files (table 1 is the table that rule 90 in ipfw.rules denies):
FIND:
actionban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 add <ip>
FIND:
actionunban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 delete <ip>
SAVE
Enable Logging in NC and SSHD
Lastly, enable SSH and Nextcloud logging:
cd /etc/ssh
nano sshd_config
FIND:
LOGGING
Change:
# Logging
# obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
# LogLevel INFO
TO:
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
SAVE
cd /usr/local/www/apache24/data/nextcloud/config
nano config.php
FIND:
'logtimezone'
ABOVE THAT LINE ADD:
'log_authfailip' => true,
SAVE
Restart services
service apache24 restart
service sshd restart
service ipfw restart
service fail2ban start
If all goes well, you should see something like:
2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0
2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon mode
To confirm a jail is running and see what it has banned, use fail2ban-client status nextcloud and ipfw table 1 list. For any errors, check /var/log/fail2ban.log for further info, and google what you find.

References
[1] https://forums.freenas.org/index.php?threads/install-and-setup-fail2ban-on-owncloud-portsjail.19216/
[2] https://forums.freebsd.org/threads/23734/
[3] https://forum.owncloud.org/viewtopic.php?t=28678