Fail2ban on NextCloud

Do some of you use fail2ban with Nextcloud? Curiously, it seems that bad logins are not logged until you specify something in the config files.


https://joachim-wilke.de/blog/2016/06/24/fail2ban-nextcloud/
https://nanoscopic.de/2016/07/migrate-owncloud-to-nextcloud-and-protect-it-against-brute-force-attacks-with-fail2ban/

In short, they say to add something like this to /path/to/Nextcloud/config/config.php:

'logfile' => '/var/log/nextcloud.log',
'loglevel' => 2,

or

'logtimezone' => 'TIMEZONEHERE',
'log_type' => 'owncloud',
'logfile' => 'nextcloud.log',

It also seems that the Nextcloud team has implemented a solution at the PHP level to block bad logins.

So if you have something to share, it would be nice.


Never tested it yet, but it looks interesting; maybe someone can test this configuration and let us know. /cc @jackyes

Hi Alessio,

I made the modifications in the Nextcloud config.php, but how can I add nextcloud.log in /var/log/?
Just manually create a new file? If that is right, with what permissions?
Sorry, but I don’t know! :cry:

TIA,
Gabriel

What are the permissions and ownership of the /usr/share/nextcloud files, or wherever they are? I guess it could be the same owner!!!

I think the only files related to Nextcloud are in /var/www/html/nextcloud.

Anyway, I have created a file, nextcloud.log, in /var/log/, but nothing is written to it, no matter what I do: login, logout, wrong login.

What a funny place. Why not /usr/share? This should be the default and usual place for CentOS.
@giacomo

@GG_jr did you restart apache? Can you give the ownership of nextcloud.log to apache???

Of course, I never tried it.

It was the same for ownCloud, funny place: /var/www/owncloud

I have restarted the httpd service from the Services UI.

After that and restarting httpd, nextcloud.log began to fill.

At the bottom are 4 attempts to log in with wrong credentials.

What do I have to do for F2B to react?

Yes it is, but ownCloud and NextCloud use /var/www … probably because it’s the same in other distros too :slight_smile:

Can’t test now… now I’m running only NS6… I will create a VM for testing purposes next week :cry:


Man, are you kidding me? Let’s install NethServer 7 and do your homework! :point_right:

I’m joking, of course. :upside_down:


Now a jail needs to be created, see https://github.com/hailthemelody/nextcloud-fail2ban


I’m not an rpm guru, but there are a lot of macros that can be used to put the right file in the right place with the same srpm, whatever the Linux distro.

I should take a look at the srpm.

@dev_team Is it possible to add something to create the log from the start, to catch bad logins in Nextcloud?

I mean something from this -> https://docs.nextcloud.com/server/9/admin_manual/configuration_server/occ_command.html#logging-commands-label


Thank you!
I will try today.

Yes, but the rpm was created after a private discussion with the Nextcloud team.
Basically, the aim of the rpm is to have an installation which looks like a manual installation.

We also talked with James Hogarth, who is the actual maintainer of the ownCloud package.
He already submitted a NextCloud package to EPEL: https://bugzilla.redhat.com/show_bug.cgi?id=1360482

This rpm is built following all CentOS guidelines. I think we will switch to it when available :slight_smile:

Of course, does anyone want to try the commands on a clean machine?
After the test, I can open an issue for the enhancement.


cc: @giacomo

It works!

How I did it (inspired by this: https://nanoscopic.de/2016/07/migrate-owncloud-to-nextcloud-and-protect-it-against-brute-force-attacks-with-fail2ban/ ):

  • I found this file in /etc/fail2ban/filter.d: owncloud-auth.conf
  • I renamed owncloud-auth.conf to nextcloud.conf (I don’t know if it was necessary, but it is the first time for me when …)
  • In /etc/fail2ban/, I modified jail.local by adding the following lines, after #owncloud not installed on this server:

[nextcloud]
enabled = true
filter = nextcloud
banaction = iptables-allports
protocol = all
port = anyport
logpath = /var/log/nextcloud.log
findtime = 604800
bantime = 604800
maxretry = 3

  • I restarted the fail2ban service from the Services UI.

Tested logging in to Nextcloud with a wrong password and the IP was banned after 3 attempts!

Now, somebody who knows “how to” and of course wants to, should make all the things good!

What I have done, I did it my way!

Thank you Stephane!

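To make the mechanism behind the jail above concrete, here is an added Python example (not code from this thread, from fail2ban or from NethServer) that does what the filter and jail do together: it reads Nextcloud's JSON log, matches the "Login failed: '<user>' (Remote IP: '<ip>')" message with a failregex-style pattern, and applies the sliding findtime/maxretry window from the jail in the post (findtime and bantime 604800, maxretry 3). The log lines are constructed samples, not a real capture, and the exact message text and JSON field names are assumed to follow Nextcloud's logging format.

```python
"""fail2ban-style detection over Nextcloud's JSON log (added example)."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Filter side: mirrors the kind of failregex owncloud-auth/nextcloud uses,
# applied to the "message" field of each JSON log entry. The message text
# is assumed to match Nextcloud's "Login failed" wording.
LOGIN_FAILED = re.compile(
    r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<host>[^']+)'\)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# The third host fails three times, but the first failure is 8 days before
# the other two, which is outside the 7-day findtime from the post.
SAMPLE_LOG = """\
{"reqId":"a1","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-08-01T10:00:00+00:00"}
{"reqId":"a2","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-08-01T10:00:05+00:00"}
{"reqId":"a3","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'root' (Remote IP: '198.51.100.7')","level":2,"time":"2016-08-01T10:00:07+00:00"}
{"reqId":"a4","remoteAddr":"203.0.113.5","app":"files","message":"Some unrelated info message","level":1,"time":"2016-08-01T10:00:08+00:00"}
{"reqId":"a5","remoteAddr":"203.0.113.5","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2,"time":"2016-08-01T10:00:09+00:00"}
{"reqId":"a6","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'root' (Remote IP: '198.51.100.7')","level":2,"time":"2016-08-09T10:00:00+00:00"}
{"reqId":"a7","remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'root' (Remote IP: '198.51.100.7')","level":2,"time":"2016-08-09T10:00:01+00:00"}
"""


def parse_failure(line):
    """Return (epoch_seconds, host) for a failed-login line, else None.

    Non-JSON lines and entries whose message does not match the filter
    are ignored, exactly as fail2ban ignores lines that match no failregex.
    """
    line = line.strip()
    if not line:
        return None
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    match = LOGIN_FAILED.search(entry.get("message", ""))
    if not match:
        return None
    ts = datetime.fromisoformat(entry["time"]).timestamp()
    return ts, match.group("host")


def find_bans(log_text, findtime=604800, maxretry=3):
    """Jail side: return {host: epoch_seconds_of_ban} for hosts that reach
    maxretry failures inside a sliding window of findtime seconds."""
    recent = defaultdict(deque)  # host -> timestamps of failures in window
    bans = {}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        window = recent[host]
        window.append(ts)
        # Expire failures older than findtime relative to the newest one.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {datetime.fromtimestamp(when).isoformat()}")
```

With the jail's own values only 203.0.113.5 is banned (three failures within nine seconds); 198.51.100.7 never reaches three failures inside one week, which is the behaviour the findtime setting buys you. Widening findtime to 30 days bans it too, so the two knobs are worth tuning together rather than copying blindly.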

Great! You should write a small howto about this. How about?


It was only a test.
I will learn how and where permanent config files should be created, because after a reboot or an update the modifications are lost.


:slight_smile:

Learning by errors, this is my personal favourite way to progress.

Take a look at my GitHub account; I added a specific jail for the server manager, the process is the same.
