This is just a little script that installs and configures Fail2Ban to work with NextCloud.
Fail2Ban will monitor your personal cloud for brute force attacks and block the IP after a number of bad login attempts.
Features
- SSH jail
- Nextcloud login jail
- 6 bad login attempts will block the IP for 10 minutes by default.
Installation
Get it already made
I have included this in the latest release of my NextCloudPi, a ready to use Raspbian 8 image featuring NextCloud 11, HTTP2, PHP7 and more.
Do it yourself
First, clone the repo
git clone https://github.com/nachoparker/nextcloud-raspbian-generator.git
Then, there are two options.
Online installation
SSH into your Raspberry Pi, copy the fail2ban.sh into it, and run
./fail2ban.sh
, or you can do all that in one command
cat fail2ban.sh | ssh pi@192.168.0.145 # adjust the IP to your Raspberry Pi
Offline installation (using QEMU)
This is based on Raspbian on QEMU with network access.
Extract the SD card and copy the image to your computer (adjust sdx).
sudo dd if=/dev/sdx of=my_rpi.img bs=4M
Then,
./install-fail2ban.sh my_rpi.img 192.168.0.145
Once done, you can copy it back (adjust sdx).
sudo dd if=my_rpi.img if=/dev/sdx bs=4M
Configuration
Before installation, you can configure the following variables at the top of fail2ban.sh
NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP
After installation, you can change those values in /etc/fail2ban/jail.conf, and then issue
sudo fail2ban-client reload
Usage
You can check the status of each jail. Works the same way for the ssh jail.
$ sudo fail2ban-client status nextcloud Status for the jail: nextcloud |- filter | |- File list: /var/www/nextcloud/data/nextcloud.log | |- Currently failed: 1 | `- Total failed: 8 `- action |- Currently banned: 1 | `- IP list: 192.168.0.100 `- Total banned: 1
Should you want to unblock and IP you can type ( adjust IP )
sudo fail2ban-client set nextcloud unbanip 192.168.0.100
From NC 11, there is a basic brute force protection for logins, but it is still hard to do things like whitelist or unban an IP ( see link ).
We can activate it or deactivate it with this line of configuration
'auth.bruteforce.protection.enabled' => false,
Code
#!/bin/bash # Fail2ban installation script for Raspbian # Tested with 2017-01-11-raspbian-jessie.img (and lite) # # Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com> # GPL licensed (see end of file) * Use at your own risk! # # Usage: # cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP # # , or scp this file to a Raspberry Pi and run it from Raspbian # # ./fail2ban.sh # # See the variables on the top of the script for tweaking sudo su NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP set -x set -e # INSTALLATION ########################################## apt-get update apt-get install fail2ban -y touch /var/www/nextcloud/data/nextcloud.log chown -R www-data /var/www/nextcloud/data cd /var/www/nextcloud sudo -u www-data php occ config:system:set loglevel --value=2 sudo -u www-data php occ config:system:set log_type --value=file sudo -u www-data php occ config:system:set logfile --value=$NCLOG cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF' [INCLUDES] before = common.conf [Definition] failregex = Login failed.*Remote IP.*'<HOST>' ignoreregex = EOF cat > /etc/fail2ban/jail.conf <<EOF # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = $BANTIME # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = $FINDTIME maxretry = $MAXRETRY # # ACTIONS # banaction = iptables-multiport protocol = tcp chain = INPUT action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action = %(action_)s # # SSH # [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = $MAXRETRY # # HTTP servers # [nextcloud] enabled = true port = http,https filter = nextcloud logpath = $NCLOG maxretry = $MAXRETRY EOF # CLEANUP ########################################## apt-get autoremove -y apt-get clean rm /var/lib/apt/lists/* -r rm -f /home/pi/.bash_history systemctl disable ssh halt # License # # This script is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This script is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this script; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, # Boston, MA 02111-1307 USA
Tested in Nextcloud 11 running in Raspbian 8.
References
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
https://github.com/hailthemelody/nextcloud-fail2ban
https://docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
Hi, first of: Great work. NextCloudPi really helps to build a small but nice Nextcloud-RasPi. So, here’s my problem: I’m testing NextCloudPi_03-21-17_FULL.tar.bz2 on a RPi3. When I activate Fail2ban over nextcloudpi-config (I go with the default settings) the service works, but only for ssh. When I check the status, Fail2ban picked up my “hacks” with a wrong login and blocked my ip.
But it doesn’t work with Nextcloud. No matter how often i use a wrong login from within the webfrontend (/var/www/nextcloud/data/nextcloud.log logs this failed attempts), Fail2ban fails to see those and block the ip. The counter “currently failed” stays at 0.
Hello,
I just tested it on fresh NextCloudPi_03-23-17_FULL.img and it works for me
Maybe you are waiting more than 600 seconds to check status and the bad attempt clears up?