Fail2ban/nextcloud

This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail.

Set Up IPFW

FreeNAS' jail uses IPFW as the basic firewall.

Add these lines at the bottom of: /etc/rc.conf

Code:

firewall_enable="YES"    
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"  

SAVE

MAKE the ipfw.rules file:

/usr/local/etc/ipfw.rules

Edit IPFW Rules

Edit rules file /usr/local/etc/ipfw.rules

Code:

IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
#firewall rule used by Fail2Ban to block traffic
$IPF 90 deny all from 'table(1)' to any
# open port DNS (53)
# http (80), https (443) etc
$IPF 150 allow tcp from any to any 443 in
$IPF 160 allow tcp from any to any 443 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 22 in
$IPF 230 allow tcp from any to any 22 out
# deny and log everything
$IPF 500 deny log all from any to any

SAVE

Set Up Fail2Ban

Install Fail2Ban

pkg install security/py-fail2ban

Configuration

cd /usr/local/etc/fail2ban 
cp fail2ban.conf fail2ban.local 
cp jail.conf jail.local

Edit jail.local

Insert at very bottom:

enabled  = true 
filter  = nextcloud 
action  = ipfw-nextcloud 
logpath  = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log 
maxretry = 3 
port = 80,443 
protocol = tcp

SAVE

Add ssh.conf to jail.d

Now we need to enable SSH Fail2Ban cd /usr/local/etc/fail2ban/jail.d

nano sshd.conf

[ssh-ipfw]
enabled  = true
filter   = sshd
action   = ipfw-sshd
logpath  = /var/log/auth.log
ignoreip = [insert SSD net IPs]
maxretry = 3

SAVE

Add nextcloud.conf to filter.d

cd /usr/loca/etc/fail2ban/filter.d

nano nextcloud.conf

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

SAVE

• • MAKE SURE 'failregex' is ALL ONE LINE!

Setup action.d for Nextcloud and SSH

cd /usr/local/etc/fail2ban/action.d

cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf

in each new *.conf file

FIND:

actionban =

ADD AFTER '=' (replacing anything already there)

ipfw table 1 add <ip>

FIND:

actionunban =

ADD AFTER '=' (replacing anything already there)

ipfw table 1 delete <ip>

SAVE

Enable Logging in NC and SSHD

Lastly, enable SSH and Nextcloud logging:

cd /etc/ssh nano sshd_config FIND: LOGGING Change:

# Logging
# obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
# LogLevel INFO

TO:

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

SAVE

cd /usr/local/www/apache24/data/nextcloud/config

nano config.php

FIND:

'logtimezone'

ABOVE THAT LINE ADD:

'log_authfailip' => true, SAVE

Restart services

service apache24 restart
service sshd restart
service ipfw restart
service fail2ban start

If all goes will, you should see something like:

2016-09-26 13:58:00,261 fail2ban.server         [69039]: INFO    Starting Fail2ban v0.9.4.dev0
2016-09-26 13:58:00,262 fail2ban.server         [69039]: INFO    Starting in daemon mode

Any errors, check /var/log/fail2ban.log for further info, and google what you find.