Enhance security with FAIL2BAN
Installation
First, install it in MCC or as root:
# urpmi fail2ban
The following dependencies will be installed:
Package               Version  Revision  Arch    (media « Core Release »)
fail2ban              0.11.2   1.mga8    noarch
python3-dnspython     1.16.0   4.mga8    noarch  (recommandé)
python3-ecdsa         0.16.1   1.mga8    noarch  (recommandé)
python3-pycryptodome  3.9.8    1.mga8    x86_64  (recommandé)
python3-pyinotify     0.9.6    10.mga8   noarch  (recommandé)
python3-systemd       234      6.mga8    x86_64
Enable at boot and start the fail2ban service:
# systemctl enable --now fail2ban
There are two types of configuration files: *.conf and *.local. The .conf files come with the Fail2ban installation. If you want to change the configuration, never edit the .conf files directly, as a Fail2ban update can overwrite them at any time. Instead, use a file with the same name but the extension .local. The .local files are loaded on top of the .conf files and so override the default settings. If an update of Fail2ban changes the .conf files, your customizations in the .local files are not affected, so updating Fail2ban does not inadvertently change your configuration.
General setup
As root, with your favorite text editor, create /etc/fail2ban/jail.local
and paste the following block inside:
# Do all your modifications to the jail's configuration in jail.local!
[DEFAULT]
findtime = 1800
# shorewall is the Mageia firewall
banaction = shorewall
# send email action, assuming Dragonfly Mail Agent is installed
action = %(action_mwl)s
mta = mail
# This will ignore connections coming from the local private network 192.168.x.x
ignoreip = 192.168.0.0/16
Nextcloud setup
Nextcloud filter
As the default installation ships no filter for Nextcloud, one has to be created. As root, create /etc/fail2ban/filter.d/nextcloud.conf with your favorite text editor and paste the following block inside:
[Definition]
failregex = ^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
            ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
ignoreregex =
Activation of Nextcloud filter
As root, create a new jail file /etc/fail2ban/jail.d/nextcloud.local with your favorite text editor and paste the following block inside:
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
logpath = /data/ncdata/nextcloud.log
maxretry = 4
bantime = 360
action = %(action_mwl)s
Reload the rules, as root:
# fail2ban-client reload
FAIL2BAN test
Here are some tests to check that Fail2ban works.
First, let us check its jail status by running, as root:
# fail2ban-client status
It shows there is one filter or jail running, which is the nextcloud one:
Status
|- Number of jail: 1
`- Jail list: nextcloud
Then, more specifically, let us look at the status and ban history for nextcloud, by running, as root:
# fail2ban-client status nextcloud
Here, nothing has been blocked yet, as it returns:
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /data/ncdata/nextcloud.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
So, now, let us check that Fail2ban detects an IP address that fails to connect to your Nextcloud server several times. To do so, go to your Nextcloud welcome page with your favorite Web browser and, on purpose, enter a wrong password twice.
Then, as root, run the following command, which goes through the Nextcloud log and applies the nextcloud filter defined in Fail2ban:
# fail2ban-regex /data/ncdata/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf -v
You will get this output, showing that the IP ip.x.y.z has failed to connect twice:
Running tests
=============
Use failregex filter file : nextcloud, basedir: /etc/fail2ban
Use log file : /data/ncdata/nextcloud.log
Use encoding : UTF-8

Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
|  1) [2] ^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
|     ip.x.y.z  Wed Jan 06 12:29:18 2021
|     ip.x.y.z  Wed Jan 06 12:29:20 2021
|  2) [0] ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
Here be dragons! It is recommended to run this test each time you upgrade to a new major version of Nextcloud, in case the log file format has changed.
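As an added example (not from the Mageia wiki or the fail2ban project), the script below applies the two failregex lines of the nextcloud filter above to constructed Nextcloud log lines and replays the jail's maxretry/findtime logic, so the filter can be sanity-checked offline after a Nextcloud upgrade. The pattern substituted for <HOST> is a simplified stand-in, not fail2ban's own host regex; the log lines and IPs are constructed.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: IPv4/IPv6 only).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# The two failregex lines from /etc/fail2ban/filter.d/nextcloud.conf on this page.
FAILREGEX = [
    r"^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$",
    r"^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def extract_host(line):
    """Return the offending IP if the line matches a failregex, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(events, maxretry=4, findtime=1800):
    """Replay (timestamp, line) pairs with the jail settings from this page:
    a host is banned once it has maxretry matches within findtime seconds."""
    failures = {}   # host -> timestamps of matching lines still inside findtime
    banned = set()
    for ts, line in sorted(events, key=lambda e: e[0]):
        host = extract_host(line)
        if host is None or host in banned:
            continue
        window = [t for t in failures.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample lines in the two formats the filter expects (not real log data).
LOGIN_FAIL = '{"message":"Login failed: \'alice\' (Remote IP: \'203.0.113.7\')"}'
TRUSTED_DOMAIN = '{"remoteAddr":"198.51.100.9","message":"Trusted domain error."}'
T0 = datetime(2021, 1, 6, 12, 29, 0)
SAMPLE = [(T0 + timedelta(seconds=5 * i), LOGIN_FAIL) for i in range(4)]   # 4 failures in 15 s
SAMPLE += [(T0, TRUSTED_DOMAIN), (T0 + timedelta(hours=2), TRUSTED_DOMAIN)]  # 2 failures, 2 h apart

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE)))   # 203.0.113.7 is banned, 198.51.100.9 is not
```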
Check firewall action and unban
The previous section checked Fail2ban detection. This section checks that the firewall blocks the offending IP after 4 failures.
If you do this test on the server itself, reaching Nextcloud through its local address, Fail2ban has a default protection that prevents it from banning the server's own IP. So, to run this test, add the following line at the end of /etc/fail2ban/jail.local:
ignoreself = false
DO NOT FORGET TO REMOVE IT AFTER THE TEST !
If you reach Nextcloud through a domain or subdomain address, there is no need to add this line.
Then, simply enter an incorrect password on your Nextcloud login page four times. Fail2ban will then have banned your IP, and you should have received an e-mail if you have configured mailing (Dma_Dragonfly_Mail_Agent for instance).
To check which IPs are currently banned for Nextcloud, the following command, run as root, is sufficient:
# fail2ban-client status nextcloud
It returns the expected 4 failed attempts and shows that IP ip.x.y.z is banned:
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 4
|  `- File list: /data/ncdata/nextcloud.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: ip.x.y.z
To check that the firewall did block the intruder, run as root:
# shorewall show dynamic
returning:
Shorewall 5.2.8 Chain dynamic at localhost - mer. 06 janv. 2021 15:42:48 CET

Counters reset mer. 06 janv. 2021 15:12:22 CET

Chain dynamic (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      *       ip.x.y.z             0.0.0.0/0
GOOD JOB ! 🙂
As root, this command unbans the IP ip.x.y.z used in the example above:
# fail2ban-client set nextcloud unbanip ip.x.y.z