HowTo: fail2ban and ownCloud 8.x + 9.0.x

RealRancor
ownCloud master
Posts: 17381
Joined: Sat May 26, 2012 3:00 pm
ownCloud version: 9.0.2
Webserver: nginx
Database: MySQL
OS: Linux
PHP version: 7.0.x

HowTo: fail2ban and ownCloud 8.x + 9.0.x

Postby RealRancor » Mon Jun 08, 2015 8:32 pm

What: Configure fail2ban to watch the failed logins of your ownCloud instance

Source: Collected from: viewtopic.php?f=31&t=26336

Target: Tested on ownCloud 8.0.3, 8.1.0, 8.2.0 and 9.0.0 on Debian (Jessie)

How:

1. Create a file /etc/fail2ban/filter.d/owncloud.conf with the following content:

oC 8.2.0 + 9.0.0


[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}

ignoreregex =


oC 8.1.0


[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}

ignoreregex =


oC 8.0.3


[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

ignoreregex =


2. Edit /etc/fail2ban/jail.local and insert:


[owncloud]
enabled = true
filter  = owncloud
# select http, https or both, depending on which you use:
port    =  http,https
# edit the logpath to your needs:
logpath = /var/www/owncloud/data/owncloud.log


3. If your system is not running on UTC make sure the following config/config.php option is matching the timezone of your system:

https://github.com/owncloud/core/blob/v ... #L494-L498

4. (Optional) When running OC 7.0.1 or below make sure the following config/config.php option is set to true:

https://github.com/owncloud/core/blob/v ... #L188-L189

5. Restart fail2ban

service fail2ban restart

6. Bonus

You can test your fail2ban setup like:

fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v

Example Logfiles:

oC 9.0.0 with default loglevel 2


{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}


oC 8.2.0 with default loglevel 2


{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}


oC 8.2.0 with loglevel 0


{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}


oC 8.1.0 with default loglevel 2


{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}


oC 8.1.0 with loglevel 0


{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}


OC 8.0.3 with default loglevel 2


{"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}


OC 8.0.3 with loglevel 0


{"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02+00:00","method":"POST","url":"\/cloud\/index.php"}


OC 7.0.5 with default loglevel 2


{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}


OC 7.0.5 with loglevel 0


{"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}


OC 7.0.1 with default loglevel 2


{"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}


OC 7.0.1 with loglevel 0


{"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
Last edited by RealRancor on Thu Oct 22, 2015 5:44 pm, edited 4 times in total.
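As an added example (not part of RealRancor's HowTo), the following Python script applies the oC 8.2.0 / 9.0.0 failregex from step 1 to constructed log lines the way fail2ban-regex does, and then models the jail's findtime/maxretry counting, which shows why a timestamp that does not match the system clock (step 3) leaves failed logins uncounted. The `<HOST>` expansion is simplified to IPv4 and the sample addresses and lines are constructed.

```python
import json
import re
from datetime import datetime, timedelta
# failregex for oC 8.2.0 / 9.0.0 as given in step 1 of the HowTo above.
FAILREGEX = (r'{"reqId":".*","remoteAddr":".*","app":"core","message":'
             r'"Login failed: \'.*\' \(Remote IP: \'<HOST>\'\)","level":2,"time":".*"}')
# Assumption: a simplified, IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
TIME_RE = re.compile(r'"time":"([^"]+)"')

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a named 'host' group."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))

def match_line(pattern, line):
    """Return (host, aware timestamp) for a failed-login line, or None if no match."""
    m = pattern.search(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    return m.group('host'), (datetime.fromisoformat(t.group(1)) if t else None)

def find_bans(lines, pattern, now_iso, findtime=600, maxretry=3):
    """Model the jail: ban a host with >= maxretry hits no older than findtime seconds."""
    now, window = datetime.fromisoformat(now_iso), timedelta(seconds=findtime)
    recent, banned = {}, []
    for line in lines:
        hit = match_line(pattern, line)
        if hit is None or hit[1] is None:
            continue
        host, ts = hit
        if now - ts > window:
            continue  # too old to count: what a log/system timezone mismatch looks like
        recent.setdefault(host, []).append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def log_line(host, time, user="admin"):
    # Constructed oC 9.0.0 style entry, same shape as the example log lines above.
    return json.dumps({"reqId": "x", "remoteAddr": host, "app": "core",
                       "message": f"Login failed: '{user}' (Remote IP: '{host}')",
                       "level": 2, "time": time, "method": "POST", "url": "/"},
                      separators=(",", ":"))

# Constructed sample (documentation-range addresses): three hits from one host, one from another.
SAMPLE_LOG = [log_line("198.51.100.7", "2016-04-12T22:28:20+02:00"),
              log_line("198.51.100.7", "2016-04-12T22:28:25+02:00"),
              log_line("203.0.113.9", "2016-04-12T22:28:29+02:00"),
              log_line("198.51.100.7", "2016-04-12T22:28:31+02:00")]
```

Calling `find_bans(SAMPLE_LOG, compile_failregex(FAILREGEX), "2016-04-12T22:30:00+02:00")` bans the first host; evaluating the same log two hours "late" (what a wrong timezone in config.php produces) bans nobody, which is exactly the symptom of failures matched by fail2ban-regex but never banned.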

RealRancor

Re: HowTo: fail2ban and ownCloud 8.0

Postby RealRancor » Tue Jun 09, 2015 10:30 am

Just added some log examples. Please note that the failregex above is only tested on OC 8.0.3. If you're running an older version of oC you might need to modify the regex to match the logging behavior of your version.

deyavi
Newbie
Posts: 1
Joined: Tue Jun 09, 2015 9:47 pm

Re: HowTo: fail2ban and ownCloud 8.0

Postby deyavi » Tue Jun 09, 2015 9:51 pm

Is there any way to enable logging for failed password in public shares?
I don't get anything logged when I enter a wrong password, so I cannot use fail2ban to prevent brute force attacks in public shares.

RealRancor

Re: HowTo: fail2ban and ownCloud 8.0

Postby RealRancor » Tue Jun 09, 2015 10:03 pm

Hi,

if this is not logged create a feature request for this at:

https://github.com/owncloud/core/issues

RealRancor

Re: HowTo: fail2ban and ownCloud 8.0

Postby RealRancor » Wed Jul 08, 2015 10:52 pm

For all oC 8.1 users please try:


[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*""}

ignoreregex =

darphbobo
Beginner
Posts: 10
Joined: Tue Jun 30, 2015 1:39 pm
ownCloud version: 8.0.2
Webserver: Apache
Database: MySQL
OS: Linux

Re: HowTo: fail2ban and ownCloud 8.x

Postby darphbobo » Thu Jul 09, 2015 9:40 am

I think the last <"> is one too many.

It's working for me like that:


{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}

RealRancor

Re: HowTo: fail2ban and ownCloud 8.x

Postby RealRancor » Thu Jul 09, 2015 10:10 am

Ah, yes. Good catch. Have tested the new syntax and works as expected.

domih
Newbie
Posts: 2
Joined: Wed Jul 29, 2015 3:06 pm

Re: HowTo: fail2ban and ownCloud 8.x

Postby domih » Wed Jul 29, 2015 11:37 pm

With your help and this tutorial (german, sry) I could make my fail2ban work. My OwnCloud instance is configured to write log entries to syslog.
The syslog entries look like this:


Jul 28 23:54:09 ownserv01 ownCloud[1164]: {core} Login failed: 'hackeruser' (Remote IP: '203.132.88.231)

Here is my working and tested regex:


failregex = .*ownCloud.*Login failed: '.*' \(Remote IP: '<HOST>\)


Btw, I'm using owncloud in a subpath in nginx and with the trusted domain feature in OwnCloud and this seems to make the login URL really hard to guess for attackers (until it is posted somewhere public). So this seems a quite cool and awesome security feature.

dersch
Beginner
Posts: 14
Joined: Sat Aug 08, 2015 11:23 pm
ownCloud version: 9.0.0
Webserver: Apache
Database: MySQL
OS: Linux
PHP version: PHP5

Re: HowTo: fail2ban and ownCloud 8.x

Postby dersch » Tue Aug 11, 2015 12:34 pm

I have the feeling it is not working in my case:

owncloud.log:


Warning   core   Login failed: 'User' (Remote IP: '2.150.5.192)   2015-08-11T09:34:27+00:00
Warning   core   Login failed: 'User' (Remote IP: '2.150.5.192)   2015-08-11T09:34:12+00:00
Warning   core   Login failed: 'User' (Remote IP: '2.150.5.192)   2015-08-11T09:33:26+00:00
Warning   core   Login failed: 'User' (Remote IP: '2.150.5.192)   2015-08-11T09:33:10+00:00
Error   PHP   Undefined index: REQUEST_URI at /var/www/owncloud/apps/contacts/appinfo/app.php#35   2015-08-11T09:30:07+00:00
Warning   core   Login failed: 'User' (Remote IP: '2.150.5.192)   2015-08-11T09:28:11+00:00


fail2ban/jail.local


[owncloud]
enabled = true
filter  = owncloud
port    =  http,https #or only https if running only that
logpath = /mnt/secure/owncloud/data/owncloud.log


Test command: fail2ban-regex /mnt/secure/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v
Output:


Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/owncloud.conf
Use         log file : /mnt/secure/owncloud/data/owncloud.log


Results
=======

Failregex: 43 total
|-  #) [# of hits] regular expression
|   1) [43] {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
|      192.168.10.186  Sat Aug 08 22:29:23 2015
|      192.168.10.186  Sat Aug 08 22:29:45 2015
|      192.168.10.186  Sat Aug 08 22:29:46 2015
|      192.168.10.186  Sat Aug 08 22:29:57 2015
|      192.168.10.186  Sat Aug 08 22:29:58 2015
|      192.168.10.186  Sat Aug 08 22:29:59 2015
|      192.168.10.186  Sat Aug 08 22:29:59 2015
|      192.168.10.186  Sat Aug 08 22:30:02 2015
|      192.168.10.186  Sat Aug 08 22:30:25 2015
|      192.168.10.186  Sat Aug 08 22:30:32 2015
|      192.168.10.186  Sat Aug 08 22:30:35 2015
|      192.168.10.186  Sat Aug 08 22:30:37 2015
|      192.168.10.186  Sat Aug 08 22:30:38 2015
|      192.168.10.186  Sat Aug 08 22:30:39 2015
|      192.168.10.186  Sat Aug 08 22:30:40 2015
|      192.168.10.186  Sat Aug 08 22:30:40 2015
|      192.168.10.186  Sat Aug 08 22:30:41 2015
|      192.168.10.153  Sun Aug 09 00:03:31 2015
|      192.168.10.153  Sun Aug 09 00:03:40 2015
|      87.167.31.81  Sun Aug 09 09:56:35 2015
|      87.167.31.81  Sun Aug 09 09:57:48 2015
|      87.167.31.81  Sun Aug 09 09:58:11 2015
|      87.167.31.81  Sun Aug 09 10:02:28 2015
|      87.167.31.81  Sun Aug 09 10:02:47 2015
|      87.167.31.81  Sun Aug 09 10:03:19 2015
|      87.167.31.81  Sun Aug 09 10:08:50 2015
|      87.167.31.81  Sun Aug 09 10:09:30 2015
|      87.167.31.81  Sun Aug 09 10:09:43 2015
|      87.167.31.81  Sun Aug 09 10:11:37 2015
|      87.167.31.81  Sun Aug 09 11:49:12 2015
|      87.167.31.81  Sun Aug 09 11:49:17 2015
|      87.167.31.81  Sun Aug 09 11:49:21 2015
|      87.167.31.81  Sun Aug 09 11:49:28 2015
|      192.168.10.165  Sun Aug 09 13:03:30 2015
|      192.168.10.165  Sun Aug 09 13:13:35 2015
|      87.167.20.85  Mon Aug 10 16:11:04 2015
|      192.168.10.165  Mon Aug 10 19:11:21 2015
|      192.168.10.165  Mon Aug 10 19:11:55 2015
|      2.150.5.192  Tue Aug 11 10:28:11 2015
|      2.150.5.192  Tue Aug 11 10:33:10 2015
|      2.150.5.192  Tue Aug 11 10:33:26 2015
|      2.150.5.192  Tue Aug 11 10:34:12 2015
|      2.150.5.192  Tue Aug 11 10:34:27 2015
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [87638] ISO 8601
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 87638 lines, 0 ignored, 43 matched, 87595 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 87595 lines


Fail2Ban.log:


2015-08-10 11:53:56,621 fail2ban.filter : INFO   Added logfile = /mnt/secure/owncloud/data/owncloud.log
2015-08-10 11:53:56,621 fail2ban.filter : INFO   Set maxRetry = 3
2015-08-10 11:53:56,622 fail2ban.filter : INFO   Set findtime = 600
2015-08-10 11:53:56,622 fail2ban.actions: INFO   Set banTime = 900
2015-08-10 11:53:56,626 fail2ban.jail   : INFO   Jail 'ssh' started
2015-08-10 11:53:56,627 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2015-08-10 11:53:56,628 fail2ban.jail   : INFO   Jail 'apache' started
2015-08-10 11:53:56,629 fail2ban.jail   : INFO   Jail 'apache-multiport' started
2015-08-10 11:53:56,629 fail2ban.jail   : INFO   Jail 'apache-noscript' started
2015-08-10 11:53:56,630 fail2ban.jail   : INFO   Jail 'apache-overflows' started
2015-08-10 11:53:56,632 fail2ban.jail   : INFO   Jail 'nginx-http-auth' started
2015-08-10 11:53:56,633 fail2ban.jail   : INFO   Jail 'proftpd' started
2015-08-10 11:53:56,633 fail2ban.jail   : INFO   Jail 'owncloud' started
2015-08-10 14:09:44,553 fail2ban.actions: WARNING [ssh] Ban 173.243.115.131
2015-08-10 14:09:44,929 fail2ban.actions: WARNING [ssh] Ban 173.243.115.131
2015-08-10 14:24:45,218 fail2ban.actions: WARNING [ssh] Unban 173.243.115.131
2015-08-10 14:34:47,046 fail2ban.actions: WARNING [ssh] Ban 218.93.122.141
2015-08-10 14:34:47,662 fail2ban.actions: WARNING [ssh] Ban 218.93.122.141
2015-08-10 14:49:48,338 fail2ban.actions: WARNING [ssh] Unban 218.93.122.141
2015-08-10 15:32:53,691 fail2ban.actions: WARNING [ssh] Ban 24.97.197.131
2015-08-10 15:32:54,239 fail2ban.actions: WARNING [ssh] Ban 24.97.197.131
2015-08-10 15:47:54,906 fail2ban.actions: WARNING [ssh] Unban 24.97.197.131
2015-08-10 16:01:51,510 fail2ban.actions: WARNING [ssh] Ban 66.143.207.23
2015-08-10 16:01:51,982 fail2ban.actions: WARNING [ssh] Ban 66.143.207.23
2015-08-10 16:16:52,170 fail2ban.actions: WARNING [ssh] Unban 66.143.207.23
2015-08-10 19:51:33,251 fail2ban.actions: WARNING [ssh] Ban 121.40.131.143
2015-08-10 19:51:33,682 fail2ban.actions: WARNING [ssh] Ban 121.40.131.143
2015-08-10 20:06:34,378 fail2ban.actions: WARNING [ssh] Unban 121.40.131.143
2015-08-10 20:34:46,184 fail2ban.actions: WARNING [ssh] Ban 5.134.255.55
2015-08-10 20:34:46,590 fail2ban.actions: WARNING [ssh] Ban 5.134.255.55
2015-08-10 20:49:47,274 fail2ban.actions: WARNING [ssh] Unban 5.134.255.55
2015-08-10 23:40:36,493 fail2ban.actions: WARNING [ssh] Ban 190.181.31.38
2015-08-10 23:40:36,835 fail2ban.actions: WARNING [ssh] Ban 190.181.31.38
2015-08-10 23:42:20,589 fail2ban.actions: WARNING [ssh] Ban 61.219.228.2
2015-08-10 23:42:20,930 fail2ban.actions: WARNING [ssh] Ban 61.219.228.2
2015-08-10 23:55:37,532 fail2ban.actions: WARNING [ssh] Unban 190.181.31.38
2015-08-10 23:57:21,622 fail2ban.actions: WARNING [ssh] Unban 61.219.228.2
2015-08-11 02:57:20,375 fail2ban.actions: WARNING [ssh] Ban 130.211.185.166
2015-08-11 02:57:20,440 fail2ban.actions: WARNING [ssh] Ban 130.211.185.166
2015-08-11 03:12:20,928 fail2ban.actions: WARNING [ssh] Unban 130.211.185.166


- As you can see the owncloud rule has been started with fail2ban.
- As you can see the owncloud.log had 5 login failures but the rule is 3.
- As you can see the fail2ban.log did not Ban the IP at that time.

What can be the failure?

RealRancor

Re: HowTo: fail2ban and ownCloud 8.x

Postby RealRancor » Tue Aug 11, 2015 1:01 pm

Mostly a timezone issue within PHP as fail2ban-regex is catching the failed logins.
