Nethserver and Fail2ban

greavette · November 5, 2020, 9:24pm

I’ve installed Guacamole on Nethserver. I then installed fail2ban Nethserver and enabled fail2ban for 5 login attempts using Incremental ban time. I then tried logging in from my phone (not on wifi so it’s outsie our network) and I can see my phone IP banned.

I also have Nextcloud installed on my Nethserver and from outside our network I tried accessing Nextcloud but the IP on my phone does not get banned. What I did see is I get a Nextcloud message that to many login attempts have occurred and I have to wait 30 seconds.

Is there a settting for Nextcloud that will allow fail2ban to ban an IP like what happened for my Guacamole?

Thank you.

royceb · November 5, 2020, 10:30pm

Have you have created and enabled the Fail2Ban jail described here.

stephdl · November 5, 2020, 10:40pm

IIRC nextcloud should be enabled by default, we need to check if the jail is enabled and if fail2ban catch the bad attempts in logs

fail2ban-client status

This should gives back all enabled jails

stephdl · November 6, 2020, 8:56am

you can test your jail with fail2ban-regex

fail2ban-regex /var/lib/nethserver/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud-auth.conf --print-all-matched

this will print all match against bad attempts seen by fail2ban

For what I tested it should work, at least on my server

greavette · November 15, 2020, 10:57pm

Hello @stephdl,

Apologies for the delay in responding. Thank you for your reply.

I’ve tried the commands you listed. I see nextcloud-auth when checking status:

[root@nethserver2 ~]# fail2ban-client status
Status
|- Number of jail: 21
`- Jail list: apache-auth, apache-badbots, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-scan, apache-shellshock, guacamole, httpd-admin, mysqld-auth, nextcloud-auth, pam-generic, pam-generic-nethserver, phpmyadmin, postfix, postfix-ddos, postfix-sasl-abuse, rspamd, sshd

And secondly, I’m not sure if this means fail2ban is working for nextcloud. My friend has tested trying to login to Nextcloud more than 10 x and did not receive a ban message.

[root@nethserver2 ~]# fail2ban-regex /var/lib/nethserver/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud-auth.conf --print-all-matched

Running tests

Use failregex filter file : nextcloud-auth, basedir: /etc/fail2ban
Use log file : /var/lib/nethserver/nextcloud/nextcloud.log
Use encoding : UTF-8

Results

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 0 lines, 0 ignored, 0 matched, 0 missed
[processed in 0.00 sec]

What am I looking for to confirm that my fail2ban is working on my Nextcloud and my Guacamole?

Thank you.

stephdl · November 15, 2020, 11:07pm

You have nothing in logs it seems, can you read bad login in the nextcloud log ?