Fail2ban on NextCloud

stephdl · October 2, 2016, 6:34am

does some guys use fail2ban and nextcloud, curiously it seems that bad login are not logged until you specify something in the config files

https://joachim-wilke.de/blog/2016/06/24/fail2ban-nextcloud/
https://nanoscopic.de/2016/07/migrate-owncloud-to-nextcloud-and-protect-it-against-brute-force-attacks-with-fail2ban/

in short they speak to add in /path/to/Nextcloud/config/config.php something like that :

 'logfile' => '/var/log/nextcloud.log',
  'loglevel' => 2,

or

'logtimezone' => 'TIMEZONEHERE',
'log_type' => 'owncloud',
'logfile' => 'nextcloud.log',

It seems also that the nextcloud team has done at the php level a solution to block bad login.

So if you have something to share, it will be nice

alefattorini · October 4, 2016, 3:27pm

Never tested yet but it looks interesting, maybe someone can test this configuration and let us know /cc @jackyes

GG_jr · October 4, 2016, 3:53pm

Hi Alessio,

I did modifications in Nextcloud config.php, but how can I add nextcloud.log in /var/log/?
Just manually create a new file? If is right, with what permissions?
Sorry but I don’t know!

TIA,
Gabriel

stephdl · October 4, 2016, 6:32pm

what are the permission and ownership of /usr/share/nextcloud files or in any other place ? I guess it could be the same owners !!!

GG_jr · October 4, 2016, 7:31pm

I think the only files related to Nextcloud are in /var/www/html/nextcloud.

Anyway, I have created a file, nextcloud.log, in /var/log/, but nothing is written in, no matter what I do: login; logout; wrong login.

stephdl · October 4, 2016, 7:37pm

what a funny place, why not /usr/share, this should be the default and usual place for centos
@giacomo

@GG_jr did you restart apache , can you give the ownership of nextcloud.log to apache ???

of course never tried it

stephdl · October 4, 2016, 7:41pm

it was the same for owncloud, funny place /var/www/owncloud

GG_jr · October 4, 2016, 8:07pm

I have restart service httpd from Services UI.

After that and restart httpd, nextcloud.log began to fill.

At the bottom, are 4 attempts to log in with wrong credentials.

What I have to do as F2B to react?

giacomo · October 5, 2016, 7:06am

Yes it is, but ownCloud and NextCloud use /var/www … probably because it’s the same also in other distro

jackyes · October 5, 2016, 2:12pm

Can’t test now… now i’m running only NS6… i will crate a VM for testing purpose in the next week

alefattorini · October 5, 2016, 2:26pm

Man, are you kidding me? Let’s install NethServer 7 and do your homework!

I’m joking, of course.

stephdl · October 5, 2016, 4:50pm

now a jail needs to be created see GitHub - rob-mosher/nextcloud-fail2ban: WIP

stephdl · October 5, 2016, 4:55pm

I’m not a rpm guru, but there is a lot of macros that can be used to put the right file at the right place with the same srpm whatever the linux distros .

I should take a look to the srpm

stephdl · October 5, 2016, 10:31pm

@dev_team Is it possible to add something to create from start the log to catch bad login in nextcloud.

I mean something from this -> https://docs.nextcloud.com/server/9/admin_manual/configuration_server/occ_command.html#logging-commands-label

GG_jr · October 6, 2016, 2:42am

Thank you!
I will try today.

giacomo · October 6, 2016, 7:20am

Yes, but the rpm has been created after a private discussion with nextcloud team.
Basically, the aim of the rpm is to have an installation which looks like as a manual installation.

We also talked with James Hogarth, who is the actual maintainer of ownCloud package.
He already submitted a NextCloud packages to EPEL: 1360482 – Review Request: nextcloud - a private, secure way to share and access files

This rpm is built following all CentOS guidelines. I think we will switch to it, when available

Of course, anyone want to try the commands on a clean machine?
After the test, I can open an issue for the enhancement.

GG_jr · October 6, 2016, 11:57am

cc: @giacomo

It works!

How I did (inspired from here: Migrate ownCloud to Nextcloud and protect it against brute force attacks with fail2ban – nanoscopic ):

I found in /etc/fail2ban/filter.d this file: owncloud-auth.conf
I have renamed owncloud-auth.conf in nextcloud.conf (I don’t know if was necessary but is the first time for me when …)
In /etc/fail2ban/, I have modified jail.local by adding the following lines, after owncloud not installed on this server :

[nextcloud]
enabled = true
filter = nextcloud
banaction = iptables-allports
protocol = all
port = anyport
logpath = /var/log/nextcloud.log
findtime = 604800
bantime = 604800
maxretry = 3

I have restarted fail2ban service from Services UI.

Tested login in Nextcloud with wrong password and the IP was banned after 3 attempts!

Now, somebody who knows " How To" and of course wants, should make all the things good!

What I have done, I did it my way!

Thank you Stephane!

alefattorini · October 13, 2016, 7:12am

Great! You should write a small howto about this. How about?

GG_jr · October 13, 2016, 10:35am

It was only a test.
I will learn how and where shall be created permanent config files, because after reboot or an update, the modifications are lost.

stephdl · October 15, 2016, 1:47pm

Learning by errors, this is my personal favourit way to progress.

Take a look to my github account i added a specific jail for the server manager, the process is the same