This is just a little script that installs and configures Fail2Ban to work with NextCloud.
Fail2Ban will monitor your personal cloud for brute force attacks and block the IP after a number of bad login attempts.
Features
- SSH jail
- Nextcloud login jail
- 6 bad login attempts will block the IP for 10 minutes by default.
Installation
Get it already made
I have included this in the latest release of my NextCloudPi, a ready to use Raspbian 8 image featuring NextCloud 11, HTTP2, PHP7 and more.
Do it yourself
First, clone the repo
|
1 |
git clone https://github.com/nachoparker/nextcloud-raspbian-generator.git |
Then, there are two options.
Online installation
SSH into your Raspberry Pi, copy the fail2ban.sh into it, and run
|
1 |
./fail2ban.sh |
, or you can do all that in one command
|
1 |
cat fail2ban.sh | ssh pi@192.168.0.145 # adjust the IP to your Raspberry Pi |
Offline installation (using QEMU)
This is based on Raspbian on QEMU with network access.
Extract the SD card and copy the image to your computer (adjust sdx).
|
1 |
sudo dd if=/dev/sdx of=my_rpi.img bs=4M |
Then,
|
1 |
./install-fail2ban.sh my_rpi.img 192.168.0.145 |
Once done, you can copy it back (adjust sdx).
|
1 |
sudo dd if=my_rpi.img if=/dev/sdx bs=4M |
Configuration
Before installation, you can configure the following variables at the top of fail2ban.sh
|
1 2 3 4 |
NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP |
After installation, you can change those values in /etc/fail2ban/jail.conf, and then issue
|
1 |
sudo fail2ban-client reload |
Usage
You can check the status of each jail. Works the same way for the ssh jail.
|
1 2 3 4 5 6 7 8 9 10 |
$ sudo fail2ban-client status nextcloud Status for the jail: nextcloud |- filter | |- File list: /var/www/nextcloud/data/nextcloud.log | |- Currently failed: 1 | `- Total failed: 8 `- action |- Currently banned: 1 | `- IP list: 192.168.0.100 `- Total banned: 1 |
Should you want to unblock and IP you can type ( adjust IP )
|
1 |
sudo fail2ban-client set nextcloud unbanip 192.168.0.100 |
From NC 11, there is a basic brute force protection for logins, but it is still hard to do things like whitelist or unban an IP ( see link ).
We can activate it or deactivate it with this line of configuration
|
1 |
'auth.bruteforce.protection.enabled' => false, |
Code
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 |
#!/bin/bash # Fail2ban installation script for Raspbian # Tested with 2017-01-11-raspbian-jessie.img (and lite) # # Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com> # GPL licensed (see end of file) * Use at your own risk! # # Usage: # cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP # # , or scp this file to a Raspberry Pi and run it from Raspbian # # ./fail2ban.sh # # See the variables on the top of the script for tweaking sudo su NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP set -x set -e # INSTALLATION ########################################## apt-get update apt-get install fail2ban -y touch /var/www/nextcloud/data/nextcloud.log chown -R www-data /var/www/nextcloud/data cd /var/www/nextcloud sudo -u www-data php occ config:system:set loglevel --value=2 sudo -u www-data php occ config:system:set log_type --value=file sudo -u www-data php occ config:system:set logfile --value=$NCLOG cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF' [INCLUDES] before = common.conf [Definition] failregex = Login failed.*Remote IP.*'<HOST>' ignoreregex = EOF cat > /etc/fail2ban/jail.conf <<EOF # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = $BANTIME # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = $FINDTIME maxretry = $MAXRETRY # # ACTIONS # banaction = iptables-multiport protocol = tcp chain = INPUT action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action = %(action_)s # # SSH # [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = $MAXRETRY # # HTTP servers # [nextcloud] enabled = true port = http,https filter = nextcloud logpath = $NCLOG maxretry = $MAXRETRY EOF # CLEANUP ########################################## apt-get autoremove -y apt-get clean rm /var/lib/apt/lists/* -r rm -f /home/pi/.bash_history systemctl disable ssh halt # License # # This script is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This script is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this script; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, # Boston, MA 02111-1307 USA |
Tested in Nextcloud 11 running in Raspbian 8.
References
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
https://github.com/hailthemelody/nextcloud-fail2ban
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
Hi, first of: Great work. NextCloudPi really helps to build a small but nice Nextcloud-RasPi. So, here’s my problem: I’m testing NextCloudPi_03-21-17_FULL.tar.bz2 on a RPi3. When I activate Fail2ban over nextcloudpi-config (I go with the default settings) the service works, but only for ssh. When I check the status, Fail2ban picked up my “hacks” with a wrong login and blocked my ip.
But it doesn’t work with Nextcloud. No matter how often i use a wrong login from within the webfrontend (/var/www/nextcloud/data/nextcloud.log logs this failed attempts), Fail2ban fails to see those and block the ip. The counter “currently failed” stays at 0.
Hello,
I just tested it on fresh NextCloudPi_03-23-17_FULL.img and it works for me
Maybe you are waiting more than 600 seconds to check status and the bad attempt clears up?