FOSS, networking, nextcloudpi, security

NextCloudPi Fail2Ban installer

| by nachoparker

This is just a little script that installs and configures Fail2Ban to work with NextCloud.

Fail2Ban will monitor your personal cloud for brute force attacks and block the IP after a number of bad login attempts.

Features

  • SSH jail
  • Nextcloud login jail
  • 6 bad login attempts will block the IP for 10 minutes by default.

Installation

Get it already made

I have included this in the latest release of my NextCloudPi, a ready to use Raspbian 8 image featuring NextCloud 11, HTTP2, PHP7 and more.

Do it yourself

First, clone the repo

git clone https://github.com/nachoparker/nextcloud-raspbian-generator.git

Then, there are two options.

Online installation

SSH into your Raspberry Pi, copy the fail2ban.sh into it, and run

./fail2ban.sh

, or you can do all that in one command

cat fail2ban.sh | ssh pi@192.168.0.145  # adjust the IP to your Raspberry Pi
Offline installation (using QEMU)

This is based on Raspbian on QEMU with network access.

Extract the SD card and copy the image to your computer (adjust sdx).

sudo dd if=/dev/sdx of=my_rpi.img bs=4M

Then,

./install-fail2ban.sh my_rpi.img  192.168.0.145

Once done, you can copy it back (adjust sdx).

sudo dd if=my_rpi.img if=/dev/sdx bs=4M

Configuration

Before installation, you can configure the following variables at the top of fail2ban.sh

NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs
BANTIME=600                                 # time to ban an IP that exceeded attempts
FINDTIME=600                                # cooldown time for incorrect passwords
MAXRETRY=6                                  # bad attempts before banning an IP

After installation, you can change those values in /etc/fail2ban/jail.conf, and then issue

sudo fail2ban-client reload

Usage

You can check the status of each jail. Works the same way for the ssh jail.

$ sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- filter
|  |- File list:        /var/www/nextcloud/data/nextcloud.log
|  |- Currently failed: 1
|  `- Total failed:     8
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.0.100
   `- Total banned:     1

Should you want to unblock and IP you can type ( adjust IP )

sudo fail2ban-client set nextcloud unbanip 192.168.0.100

From NC 11, there is a basic brute force protection for logins, but it is still hard to do things like whitelist or unban an IP ( see link ).

We can activate it or deactivate it with this line of configuration

'auth.bruteforce.protection.enabled' => false,

Code

#!/bin/bash

# Fail2ban installation script for Raspbian 
# Tested with 2017-01-11-raspbian-jessie.img (and lite)
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
# Usage:
#   cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP
#
#   , or scp this file to a Raspberry Pi and run it from Raspbian
#
#   ./fail2ban.sh
#
# See the variables on the top of the script for tweaking

sudo su

NCLOG=/var/www/nextcloud/data/nextcloud.log     # location of Nextcloud logs
BANTIME=600                                     # time to ban an IP that exceeded attempts
FINDTIME=600                                    # cooldown time for incorrect passwords
MAXRETRY=6                                      # bad attempts before banning an IP

set -x
set -e


# INSTALLATION
##########################################

apt-get update
apt-get install fail2ban -y

touch /var/www/nextcloud/data/nextcloud.log
chown -R www-data /var/www/nextcloud/data

cd /var/www/nextcloud
sudo -u www-data php occ config:system:set loglevel --value=2
sudo -u www-data php occ config:system:set log_type --value=file
sudo -u www-data php occ config:system:set logfile  --value=$NCLOG

cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF'
[INCLUDES]
before = common.conf
[Definition]
failregex = Login failed.*Remote IP.*'<HOST>'
ignoreregex =
EOF


cat > /etc/fail2ban/jail.conf <<EOF
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime  = $BANTIME
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = $FINDTIME
maxretry = $MAXRETRY
#
# ACTIONS
#
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
#
# SSH
#
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = $MAXRETRY
#
# HTTP servers
#
[nextcloud]
enabled  = true
port     = http,https
filter   = nextcloud
logpath  = $NCLOG
maxretry = $MAXRETRY
EOF

# CLEANUP
##########################################

apt-get autoremove -y
apt-get clean
rm /var/lib/apt/lists/* -r
rm -f /home/pi/.bash_history
systemctl disable ssh
halt

# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA  02111-1307  USA

Tested in Nextcloud 11 running in Raspbian 8.

References

https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
https://github.com/hailthemelody/nextcloud-fail2ban
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

Author: nachoparker

Humbly sharing things that I find useful [ github dockerhub ]

3 Comments

  1. Hi, first of: Great work. NextCloudPi really helps to build a small but nice Nextcloud-RasPi. So, here’s my problem: I’m testing NextCloudPi_03-21-17_FULL.tar.bz2 on a RPi3. When I activate Fail2ban over nextcloudpi-config (I go with the default settings) the service works, but only for ssh. When I check the status, Fail2ban picked up my “hacks” with a wrong login and blocked my ip.

    $ sudo fail2ban-client status ssh      
Status for the jail: ssh
|- filter
|  |- File list:	/var/log/auth.log 
|  |- Currently failed:	0
|  `- Total failed:	6
`- action
   |- Currently banned:	0
   |  `- IP list:	
   `- Total banned:	1

    But it doesn’t work with Nextcloud. No matter how often i use a wrong login from within the webfrontend (/var/www/nextcloud/data/nextcloud.log logs this failed attempts), Fail2ban fails to see those and block the ip. The counter “currently failed” stays at 0.

    $ sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- filter
|  |- File list:	/var/www/nextcloud/data/nextcloud.log 
|  |- Currently failed:	0
|  `- Total failed:	0
`- action
   |- Currently banned:	0
   |  `- IP list:	
   `- Total banned:	0


    $ sudo tail -f /var/www/nextcloud/data/nextcloud.log
[...]
{"reqId":"hsmeVAIMR6xy0W1trce\/","remoteAddr":"192.168.111.199","app":"core","message":"Login failed: 'admin' (Remote IP: '192.168.111.199')","level":2,"time":"2017-03-22T13:35:00+00:00","method":"POST","url":"\/index.php\/login?user=admin","user":"--","version":"11.0.2.7"}
{"reqId":"dR1ESJGgpn6nkn53CVTK","remoteAddr":"192.168.111.141","app":"core","message":"Login failed: 'admin' (Remote IP: '192.168.111.141')","level":2,"time":"2017-03-22T13:42:17+00:00","method":"HEAD","url":"\/remote.php\/webdav\/","user":"--","version":"11.0.2.7"}

    Reply

    1. Hello,

      I just tested it on fresh NextCloudPi_03-23-17_FULL.img and it works for me

      pi@raspberrypi:~ $ sudo nextcloudpi-config # activate fail2ban, don't touch default settings
System config value loglevel set to string 2
System config value log_type set to string file
System config value logfile set to string /var/www/nextcloud/data/nextcloud.log
insserv: warning: current start runlevel(s) (empty) of script `fail2ban' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `fail2ban' overrides LSB defaults (0 1 6).

pi@raspberrypi:~ $ echo " I will now try to log in with the wrong password for user admin"
^C

pi@raspberrypi:~ $ sudo tail -f /var/www/nextcloud/data/nextcloud.log
{"reqId":"WNOwpH8AAQEAAASm3doAAAoC","remoteAddr":"192.168.0.51","app":"core","message":"Login failed: 'admin' (Remote IP: '192.168.0.51')","level":2,"time":"2017-03-23T11:25:27+00:00","method":"POST","url":"\/index.php\/login","user":"--","version":"11.0.2.7"}
^C

pi@raspberrypi:~ $ sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- filter
|  |- File list:        /var/www/nextcloud/data/nextcloud.log
|  |- Currently failed: 1
|  `- Total failed:     1
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

      Maybe you are waiting more than 600 seconds to check status and the bad attempt clears up?

      Reply
  2. Pingback: NextCloudPi, a ready to use NextCloud image for Raspberry Pi – Own your bits

Leave a Reply

Your email address will not be published. Required fields are marked *