[Success] ownCloud 6 ldap - fail2ban

Grisu1
Newbie
Posts: 5
Joined: Sun Nov 24, 2013 2:33 pm
ownCloud version: 5.0.12
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.4.4

Post by Grisu1 » Fri Dec 13, 2013 2:48 pm

Hello,

I have updated from version 5 to 6.
Then I enabled the following line in the config.php:

Code:

'log_authfailip' => true,


OK, I see the "Login failed" line in the owncloud.log:

Code:

{"app":"core","message":"Login failed: user 'grisu' , wrong password, IP:19.108.58.43","level":2,"time":"2013-12-13T13:30:07+01:00"}


What must the fail2ban filter entry look like now?

Grisu1
Newbie
Posts: 5
Joined: Sun Nov 24, 2013 2:33 pm
ownCloud version: 5.0.12
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.4.4

Post by Grisu1 » Sat Dec 14, 2013 12:36 am

OK, found it. Successful.

My /etc/fail2ban/filter.d/owncloud.conf:

Code:

[Definition]
failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*



My /etc/fail2ban/jail.conf:

Code:

[owncloud-iptables]

enabled  = true
filter   = owncloud
action   = iptables-multiport[name=ownCloud, port="http,https", protocol=tcp]
           sendmail-whois-lines[name=ownCloud, dest= admin@domain.net, sender= fail2ban@domain.net]
logpath  = /var/www/cloud.domain.net/web/data/owncloud.log
maxretry = 3

jmdekin
Newbie
Posts: 2
Joined: Wed Jan 08, 2014 6:09 pm

Post by jmdekin » Wed Jan 08, 2014 6:12 pm


Thanks for sharing, but your code doesn't work.

I get the following error in fail2ban.log:

2014-01-08 17:09:05,365 fail2ban.filter : WARNING Unable to find a corresponding IP address for set

When I look at the line:

failregex = {"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*

It is missing a } to end the command. Can you share where to put that, and double-check that everything is as it should be?

Thanks.

jmdekin
Newbie
Posts: 2
Joined: Wed Jan 08, 2014 6:09 pm

Post by jmdekin » Wed Jan 08, 2014 6:17 pm

Also, I get no hits with my regexp. Can anyone help me out with this?

Code:

fail2ban-regex /home/johan/owncloud.log /etc/fail2ban/filter.d/owncloud.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/owncloud.conf
Use log file   : /home/johan/owncloud.log


Results
=======

Failregex
|- Regular expressions:
|  [1] {"app":"core","message":"Login failed: user '.*'} , wrong password, IP:<HOST>.*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.


And my owncloud.log contains this:

Code:

{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:31+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:32+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:33+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:34+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:35+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:36+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:37+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:37+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:38+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:39+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:40+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:40+00:00"}
{"app":"core","message":"Login failed: user 'asdsadasdsad' , wrong password, IP:10.30.203.217","level":2,"time":"2014-01-08T16:19:41+00:00"}

jmdeking
Starter
Posts: 64
Joined: Wed Nov 21, 2012 4:24 pm

Post by jmdeking » Thu Jan 09, 2014 12:19 pm

Got the regex working, but fail2ban doesn't ban any IP when hitting it more than 6x with failed logins.

Code:

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/owncloud.conf
Use log file   : /var/www/owncloud/data/owncloud.log


Results
=======

Failregex
|- Regular expressions:
|  [1] "app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>.*
|
`- Number of matches:
   [1] 123 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
246 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 123

However, look at the above section 'Running tests' which could contain important
information.

jajo42
Newbie
Posts: 2
Joined: Fri Jan 10, 2014 12:38 pm
ownCloud version: 6.0.0a
Webserver: nginx
Database: MySQL
OS: Linux

Post by jajo42 » Fri Jan 10, 2014 1:07 pm

I have the same problem. fail2ban gets the hits, but the IP will not be blocked.
Has anyone found a solution for this?

Edit:

I found the problem! fail2ban needs the actual time in the log file, but the default log time is UTC.
You can set the time zone in the /config/config.php file like this:

Code:

<?php
$CONFIG = array (
  ...
  ...
  'log_authfailip' => true,
/* timezone used while writing to the owncloud logfile (default: UTC) */
  'logtimezone' => 'Europe/Vienna',
  ...
  ...
);
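
The timestamp problem described in the post above, as an added example that is not part of the original thread: the failregex matches every line, but with a log written in UTC the entries look an hour old to a parser that ignores the offset, so they never count toward a ban. The offset-dropping parser is an assumed model of the reported behaviour; the 600-second findtime, the UTC+1 server clock and the sample log lines are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# The failregex that matched in this thread, with fail2ban's <HOST> tag
# replaced by an explicit IPv4 group so plain `re` can run it.
FAILREGEX = re.compile(
    r'''"app":"core","message":"Login failed: user '.*' , wrong password, '''
    r'''IP:(?P<host>\d{1,3}(?:\.\d{1,3}){3})'''
)
FINDTIME = timedelta(seconds=600)         # assumption: fail2ban's default findtime
MAXRETRY = 3                              # from the jail posted in this thread
SERVER_TZ = timezone(timedelta(hours=1))  # assumption: server clock on CET (UTC+1)

def log_line(stamp):
    """Constructed sample line in the owncloud.log format shown in the thread."""
    return ('{"app":"core","message":"Login failed: user \'grisu\' , wrong '
            'password, IP:192.0.2.10","level":2,"time":"%s"}' % stamp)

def event_time(stamp, honor_offset):
    aware = datetime.fromisoformat(stamp)
    if honor_offset:
        return aware
    # Assumed model of the behaviour reported in the thread: the UTC offset is
    # dropped and the wall-clock fields are read as server-local time.
    return aware.replace(tzinfo=SERVER_TZ)

def hosts_to_ban(lines, now, honor_offset):
    """Return hosts with at least MAXRETRY failures not older than FINDTIME."""
    hits = {}
    for line in lines:
        match = FAILREGEX.search(line)
        if not match:
            continue
        when = event_time(json.loads(line)["time"], honor_offset)
        if now - when <= FINDTIME:  # stale entries never count toward a ban
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(h for h, n in hits.items() if n >= MAXRETRY)

NOW = datetime(2014, 1, 10, 13, 0, 10, tzinfo=SERVER_TZ)
# Default logging (UTC) versus 'logtimezone' set to the server's zone.
UTC_LOG = [log_line("2014-01-10T12:00:0%d+00:00" % s) for s in (5, 6, 7)]
LOCAL_LOG = [log_line("2014-01-10T13:00:0%d+01:00" % s) for s in (5, 6, 7)]

if __name__ == "__main__":
    print("UTC log, offset ignored:  ", hosts_to_ban(UTC_LOG, NOW, False))
    print("UTC log, offset honoured: ", hosts_to_ban(UTC_LOG, NOW, True))
    print("local log, offset ignored:", hosts_to_ban(LOCAL_LOG, NOW, False))
```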

jmdeking
Starter
Posts: 64
Joined: Wed Nov 21, 2012 4:24 pm

Post by jmdeking » Mon Jan 13, 2014 11:20 am


Dude, you're the best. I'm gonna test this and get back.

Edit/Update: Works like a charm, thanks a lot for replying your solution in this topic.

martinma
Beginner
Posts: 38
Joined: Sun Sep 08, 2013 1:24 pm
Webserver: nginx
Database: MySQL
OS: Linux
PHP version: 5.4.4

Post by martinma » Fri Jan 24, 2014 10:56 pm

Implemented and working :-)

Thanks everyone....

JT1301
Newbie
Posts: 3
Joined: Wed Jan 15, 2014 2:03 pm
ownCloud version: 7.0.3
Webserver: Apache
Database: MySQL
OS: Linux

Post by JT1301 » Thu Jan 30, 2014 5:09 pm

Hi there,

Is it possible that someone created a howto for this?
I'm not a Linux pro like you all ...

That would be very helpful.

Thanks!
Regards,
JT

brenard
Newbie
Posts: 1
Joined: Fri Feb 07, 2014 11:24 am
ownCloud version: 6.0.1
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: 5.4.4

Post by brenard » Fri Feb 07, 2014 11:37 am

Hi,

I found a solution to make fail2ban work with ownCloud 6. Fail2ban has some problems handling dates in ISO 8601 format (and time zone info), so the easier solution is to send your ownCloud log to syslog. To do that, put the following in your config.php file:

Code:

<?php
$CONFIG = array (
[...]
'log_type' => 'syslog' ,
'log_authfailip' => true,
[...]
);


With those two parameters, on a failed login you get something like this in /var/log/syslog:

Code:

Feb  4 15:58:52 hostname ownCloud[713]: {core} Login failed: user 'test' , wrong password, IP:AAA.BBB.59.105


So now you can add a corresponding filter to the Fail2ban configuration. In /etc/fail2ban/filter.d/owncloud.conf put:

Code:

[Definition]
failregex = .*ownCloud.*Login failed:.*, IP:(?P<host>\S*)
ignoreregex =


And now add a jail for ownCloud in /etc/fail2ban/jail.conf:

Code:

[owncloud]

enabled = true
port = 80,443
protocol = tcp
filter = owncloud
logpath = /var/log/syslog


And "Voilà" !

