Fail2ban/nextcloud
This quick guide is designed to show you how to enable Fail2Ban on the NextCloud jail. [1][2][3]
Contents
Set Up IPFW
FreeNAS' jail uses IPFW as the basic firewall.
Add these lines at the bottom of: /etc/rc.conf
Code:
firewall_enable="YES" firewall_script="/usr/local/etc/ipfw.rules" fail2ban_enable="YES"
SAVE
MAKE the ipfw.rules file:
/usr/local/etc/ipfw.rules
Edit IPFW Rules
Edit rules file /usr/local/etc/ipfw.rules
Code:
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag # statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any #firewall rule used by Fail2Ban to block traffic $IPF 90 deny all from 'table(1)' to any # open port DNS (53) # http (80), https (443) etc $IPF 150 allow tcp from any to any 443 in $IPF 160 allow tcp from any to any 443 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out $IPF 220 allow tcp from any to any 22 in $IPF 230 allow tcp from any to any 22 out # deny and log everything $IPF 500 deny log all from any to any
SAVE
Set Up Fail2Ban
Install Fail2Ban
pkg install security/py-fail2ban
Configuration
cd /usr/local/etc/fail2ban cp fail2ban.conf fail2ban.local cp jail.conf jail.local
Edit jail.local
Insert at very bottom:
enabled = true filter = nextcloud action = ipfw-nextcloud logpath = /usr/local/www/apache24/data/nextcloud/data/nextcloud.log maxretry = 3 port = 80,443 protocol = tcp
SAVE
Add ssh.conf to jail.d
Now we need to enable SSH Fail2Ban
cd /usr/local/etc/fail2ban/jail.d
nano sshd.conf
[ssh-ipfw] enabled = true filter = sshd action = ipfw-sshd logpath = /var/log/auth.log ignoreip = [insert SSD net IPs] maxretry = 3
SAVE
Add nextcloud.conf to filter.d
cd /usr/loca/etc/fail2ban/filter.d
nano nextcloud.conf
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
SAVE
- MAKE SURE 'failregex' is ALL ONE LINE!
Setup action.d for Nextcloud and SSH
cd /usr/local/etc/fail2ban/action.d
cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-nextcloud.conf cp /usr/local/etc/fail2ban/action.d/ipfw.conf /usr/local/etc/fail2ban/action.d/ipfw-sshd.conf
in each new *.conf file
FIND:
actionban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 add <ip>
FIND:
actionunban =
ADD AFTER '=' (replacing anything already there)
ipfw table 1 delete <ip>
SAVE
Enable Logging in NC and SSHD
Lastly, enable SSH and Nextcloud logging:
cd /etc/ssh
nano sshd_config
FIND:
LOGGING
Change:
# Logging # obsoletes QuietMode and FascistLogging # SyslogFacility AUTH # LogLevel INFO
TO:
# Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO
SAVE
cd /usr/local/www/apache24/data/nextcloud/config
nano config.php
FIND:
'logtimezone'
ABOVE THAT LINE ADD:
'log_authfailip' => true,
SAVE
Restart services
service apache24 restart service sshd restart service ipfw restart service fail2ban start
If all goes will, you should see something like:
2016-09-26 13:58:00,261 fail2ban.server [69039]: INFO Starting Fail2ban v0.9.4.dev0 2016-09-26 13:58:00,262 fail2ban.server [69039]: INFO Starting in daemon modeAny errors, check
/var/log/fail2ban.log for further info, and google what you find.
