Fail2ban/nextcloud

From SETV Springfield Technical Wiki
Latest revision as of 18:06, 26 September 2016

This quick guide shows how to enable Fail2Ban inside the Nextcloud jail, with IPFW doing the actual blocking. [1][2][3]

Set Up IPFW

FreeNAS' jail uses IPFW as the basic firewall, so Fail2Ban will ban by adding addresses to an IPFW lookup table that one firewall rule checks.

Add these lines at the bottom of /etc/rc.conf:

Code:

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"

SAVE

Create the rules file /usr/local/etc/ipfw.rules and put this in it:

Code:

IPF="ipfw -q add"
ipfw -q -f flush
# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# firewall rule used by Fail2Ban to block traffic: table 1 holds the banned addresses
$IPF 90 deny all from 'table(1)' to any
# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 22 in
$IPF 230 allow tcp from any to any 22 out
# deny and log everything
$IPF 500 deny log all from any to any

SAVE

IPFW is first-match. Rule 90 drops new connections from any banned address before the allow rules for 22, 80 and 443 are reached, but rule 60 has already passed every packet of an established TCP session, so a connection that was open at the moment of the ban keeps working until it closes. If a ban should also cut live sessions, move the table check above rules 50 and 60.

Set Up Fail2Ban

Install Fail2Ban

pkg install security/py-fail2ban

Configuration

cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local

Edit jail.local

Insert at very bottom. Every jail needs its own [section] header; without one these keys are silently appended to whichever jail happens to be last in the file. The name nextcloud is our choice, and it is the name fail2ban-client status will report later:

[nextcloud]
enabled  = true
filter   = nextcloud
action   = ipfw-nextcloud
logpath  = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log
maxretry = 3
port     = 80,443
protocol = tcp

SAVE

filter and action name the files created further down, filter.d/nextcloud.conf and action.d/ipfw-nextcloud.conf. maxretry = 3 bans on the third failed login inside the findtime window; findtime and bantime are not set here and so keep the jail.conf defaults of 600 seconds each. Add a bantime line to the section if ten minutes is too short.

Add sshd.conf to jail.d

Now we need to enable SSH Fail2Ban:

cd /usr/local/etc/fail2ban/jail.d

nano sshd.conf

[ssh-ipfw]
enabled  = true
filter   = sshd
action   = ipfw-sshd
logpath  = /var/log/auth.log
ignoreip = [insert SSD net IPs]
maxretry = 3

SAVE

filter = sshd uses the sshd filter that ships with Fail2Ban, so this jail needs no filter file of its own. ignoreip takes a space-separated list of addresses or CIDR networks that are never banned; put the network you administer from there, so that a mistyped password of your own cannot lock you out of the jail.

Add nextcloud.conf to filter.d

cd /usr/local/etc/fail2ban/filter.d

nano nextcloud.conf

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

SAVE

    • MAKE SURE 'failregex' is ALL ONE LINE!

The pattern matches the JSON line Nextcloud writes for a failed login; <HOST> is Fail2Ban's placeholder for the address to ban and is captured from the Remote IP in the message. Because the pattern depends on the exact field order of the log line, check it against the real log before relying on it: fail2ban-regex /usr/local/www/apache24/data/nextcloud/data/nextcloud.log /usr/local/etc/fail2ban/filter.d/nextcloud.conf reports how many lines matched and which failed logins it missed. If the jail sits behind a reverse proxy, the address in the log is the proxy's unless trusted_proxies is set in config.php, and a ban would hit the proxy instead of the attacker.
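The filter and jail logic above, emulated in Python against constructed log lines, as an added example that is not part of this guide or of Fail2Ban itself. It applies the guide's failregex with Python's re, the engine Fail2Ban uses, expands <HOST> the way Fail2Ban 0.9's regex.py does, and then re-implements the maxretry/findtime window and the ignoreip check in simplified form; the timestamp is read straight from the JSON time field instead of going through Fail2Ban's date detector. All function names, the log lines, the addresses and the reordered-field line are constructed for this example.

```python
"""Emulate the guide's nextcloud filter and jail rules against constructed Nextcloud log lines."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime

# The failregex exactly as the guide puts it in filter.d/nextcloud.conf, on one line.
FAILREGEX = r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}"""

# What Fail2Ban 0.9 substitutes for the <HOST> tag before compiling (fail2ban/server/regex.py).
# Newer releases use a more elaborate group; the capture name "host" is the same.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> as Fail2Ban does and compile with Python's re, the engine Fail2Ban uses."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_time(line):
    """Read the JSON 'time' field. The real daemon locates the timestamp with its date
    detector; reading the field directly is a simplification for this example."""
    return datetime.fromisoformat(json.loads(line)["time"])


def extract_failures(lines, pattern=None):
    """Return (host, timestamp) for every line the failregex matches.
    Fail2Ban searches each line (re.search), so the pattern need not be anchored."""
    pattern = pattern or compile_failregex()
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), parse_time(line)))
    return hits


def missed_lines(lines, pattern=None, marker="Login failed"):
    """Lines that mention a failed login but the failregex does not match: the 'missed'
    lines fail2ban-regex would report. Anything here is an attacker the jail cannot see."""
    pattern = pattern or compile_failregex()
    return [line for line in lines if marker in line and not pattern.search(line)]


def _ignored(host, nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname; the guide's ignoreip lists only addresses
        return False
    return any(addr in net for net in nets)


def hosts_to_ban(failures, maxretry=3, findtime=600, ignoreip=()):
    """Apply the jail settings: a host is banned once it has maxretry matches inside a
    sliding findtime window (seconds; 600 is jail.conf's default), unless it is covered
    by an ignoreip entry (addresses or CIDR networks). Returns hosts in ban order."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(list)
    banned = []
    for host, when in sorted(failures, key=lambda f: f[1]):
        if _ignored(host, nets):
            continue
        window = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def _line(req, addr, msg, level, when, app="core"):
    # Constructed Nextcloud 9/10-style JSON line, in the field order the guide's regex expects.
    return json.dumps({"reqId": req, "remoteAddr": addr, "app": app, "message": msg,
                       "level": level, "time": when}, separators=(",", ":"))


def _fail(req, addr, when):
    return _line(req, addr, f"Login failed: 'admin' (Remote IP: '{addr}')", 2, when)


# Constructed with the fields reordered (level and time first, method and url between app
# and message), the kind of layout change a newer Nextcloud release can make: the guide's
# regex cannot match it, and the jail would never see these failures.
NEW_ORDER_LINE = json.dumps({"reqId": "d1", "level": 2, "time": "2016-09-26T13:55:00+00:00",
                             "remoteAddr": "192.0.2.44", "app": "core", "method": "POST",
                             "url": "/login",
                             "message": "Login failed: 'admin' (Remote IP: '192.0.2.44')"},
                            separators=(",", ":"))

SAMPLE_LOG = [  # constructed for this example; documentation-range addresses only
    _fail("b1", "198.51.100.9", "2016-09-26T13:00:00+00:00"),
    _fail("b2", "198.51.100.9", "2016-09-26T13:05:00+00:00"),
    _fail("c1", "10.0.0.5", "2016-09-26T13:10:00+00:00"),
    _fail("c2", "10.0.0.5", "2016-09-26T13:10:05+00:00"),
    _fail("c3", "10.0.0.5", "2016-09-26T13:10:10+00:00"),
    _line("n1", "198.51.100.9", "Background job finished", 1, "2016-09-26T13:15:00+00:00", app="cron"),
    _fail("b3", "198.51.100.9", "2016-09-26T13:20:00+00:00"),  # 3rd failure, but 1200 s after the 1st
    _fail("a1", "203.0.113.7", "2016-09-26T13:50:01+00:00"),
    _fail("a2", "203.0.113.7", "2016-09-26T13:50:20+00:00"),
    _fail("a3", "203.0.113.7", "2016-09-26T13:50:45+00:00"),  # 3rd failure inside 600 s: banned
    NEW_ORDER_LINE,
]

if __name__ == "__main__":
    failures = extract_failures(SAMPLE_LOG)
    print("matched lines:", len(failures))
    print("banned (ignoreip 10.0.0.0/8):", hosts_to_ban(failures, ignoreip=("10.0.0.0/8",)))
    print("banned (no ignoreip):", hosts_to_ban(failures))
    print("missed failed logins:", missed_lines(SAMPLE_LOG))
```

Three things fall out of running it: 198.51.100.9 is never banned because its third failure lands outside the 600-second window, 10.0.0.5 is spared only when the ignoreip network is given, and the reordered line is reported as missed even though it is a failed login. On the jail itself, fail2ban-regex against the real nextcloud.log is the equivalent check, and it is the one to repeat after every Nextcloud upgrade.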

Setup action.d for Nextcloud and SSH

cd /usr/local/etc/fail2ban/action.d

cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf

In each new *.conf file:

FIND:

actionban =

ADD AFTER '=' (replacing anything already there)

ipfw table 1 add <ip>

FIND:

actionunban =

ADD AFTER '=' (replacing anything already there)

ipfw table 1 delete <ip>

SAVE

<ip> is replaced by Fail2Ban with the address captured by <HOST>. Both jails write to the same table 1 that rule 90 checks, so one ban blocks the address for every service, and an unban from either jail removes it for both. The two files end up identical; they are kept separate only so that each jail can be tuned on its own later.

Enable Logging in NC and SSHD

Lastly, enable SSH and Nextcloud logging:

cd /etc/ssh

nano sshd_config

FIND: LOGGING

Change:

# Logging
# obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
# LogLevel INFO

TO:

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

SAVE

These two values are sshd's defaults, so uncommenting them only makes the setting explicit. What the sshd jail actually needs is that auth.info messages reach /var/log/auth.log, which FreeBSD's default syslog.conf already arranges.

cd /usr/local/www/apache24/data/nextcloud/config

nano config.php

FIND:

'logtimezone'

ABOVE THAT LINE ADD:

'log_authfailip' => true,

SAVE

The "(Remote IP: ...)" part of the "Login failed" message, which the failregex captures, is only written when log_authfailip is true; without it the filter has nothing to ban.

Restart services

service apache24 restart
service sshd restart
service ipfw restart
service fail2ban start

If all goes well, you should see something like:

2016-09-26 13:58:00,261 fail2ban.server         [69039]: INFO    Starting Fail2ban v0.9.4.dev0
2016-09-26 13:58:00,262 fail2ban.server         [69039]: INFO    Starting in daemon mode

Confirm both jails are loaded with fail2ban-client status, and use fail2ban-client status nextcloud for the per-jail counters; after the first ban, ipfw table 1 list shows the banned address. Any errors, check /var/log/fail2ban.log for further info, and google what you find.
[1] https://forums.freenas.org/index.php?threads/install-and-setup-fail2ban-on-owncloud-portsjail.19216/
[2] https://forums.freebsd.org/threads/23734/
[3] https://forum.owncloud.org/viewtopic.php?t=28678