apt get life

Life around technology

  • Technology
    • Guides
    • Linux
    • Development
      • Laravel
    • Misc
    • Raspberry Pi
  • Writing
  • Crafts
    • Crochet
    • Model Making
    • Painting
  • Privacy Policy
You are here: Home / Technology / Linux / Setup Fail2ban for NextCloud

Setup Fail2ban for NextCloud

2018/10/05 by sudo 2 Comments

Running NextCloud or OwnCloud online comes with some risk, as with any online service. It’s important that your installation remains secure against hackers (or at least as secure as it can be). I’ve opted to implement fail2ban in order to help secure it using some custom rules. It’s worth noting that NextCloud does block unwanted login attempts itself through the application, but you’re having to trust application level security. I feel far safer having fail2ban implement firewall rules to prevent access to anyone probing the server.

First thing to do is create the NextCloud filter configuration file. This file will contain the regex that’s used to scan the logs for anything we don’t like the look of in order to block attacking hosts. My understanding is that this file can remain the same for OwnCloud, although I do not currently have a running instance of it to check.

sudo nano /etc/fail2ban/filter.d/nextcloud.conf

Add the following to the file:


[Definition]
failregex=^{"reqId":".","remoteAddr":".","app":"core","message":"Login failed: '.' (Remote IP: '')","level":2,"time":"."}$
^{"reqId":".","level":2,"time":".","remoteAddr":".","app":"core".","message":"Login failed: '.' (Remote IP: '')".}$
^.\"remoteAddr\":\"\".Trusted domain error.*$

There are three regular expressions included here. The first and second checks for login failures, and flags the source IP. The third checks for trusted domain errors – which are usually a result of bots accessing your installation via it’s IP, not via it’s domain (thus, suspicious and I wanted to block them).

Once the file is saved, you can test what the filter would report by running the following command. This is entirely optional (although would help identify issues) and isn’t required for the rest of the steps to work.

sudo fail2ban-regex /var/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf -v

Next, the configuration file needs setup to activate the configurations we’ve just created. Never edit the Fail2ban jail.conf file, it’s likely to be overridden on upgrades. Always create a “.local” file, ideally a separate one for each application or rule you’re setting up (why? because it makes things more organised and easier to manage one rule over another!) inside the jail.d directory. With this in mind, create a nextcloud (or owncloud) file:

sudo nano /etc/fail2ban/jail.d/nextcloud.local

And add the following to it:


[nextcloud]
ignoreip = 192.168.1.0/24
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 36000
findtime = 36000
logpath = /var/nextcloud/data/nextcloud.log

Make sure your ignoreip is your local subnet or IP address. I opted to allow my whole LAN to access it without being auto-blocked. I’ve enabled the rule, set the ports to 80 (HTTP) and 443 (HTTPS) and configured ban times, etc. The most important things are the filter which should match the name of the file that was created inside the filter.d directory (excluding extension), and the log path, which may vary by installation. This path is the default for Ubuntu.

Once done, run the following command to restart nextcloud:

sudo service fail2ban restart

You can check the status of the jail by running:

sudo fail2ban-client status nextcloud

You’ll see something similar to this:

Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 13
|  |- Total failed: 82
|  `- File list:    /var/nextcloud/data/nextcloud.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 5
   `- Banned IP list:

Share this:

  • Twitter
  • Facebook
  • Reddit
  • Tumblr
  • Pinterest

Related

Filed Under: Linux Tagged With: fail2ban, Linux, nextcloud, owncloud, security, ubuntu 18.04, ubuntu server

Comments

  1. amrit says

    2019/05/31 at 13:11

    fail2ban.server.failregex.RegexException: No ‘host’ group in ‘^{“reqId”:”.“,”level”:2,”time”:”.“,”remoteAddr”:”.“,”app’

    Reply
    • sudo says

      2019/05/31 at 20:11

      It’s possible your copy and paste for your regular expression hasn’t worked. I’ve created a Gist so try and grab it from there instead:

      https://gist.github.com/Sam-R/42fcb7daf168a3e0d74709cd98f0a6be

      Reply

Leave a Reply Cancel reply

Recent Posts

  • Alternative GPIO pins for Wemos D1 Mini BME280 sensor
  • Fixing zsys daemon: timed out waiting for server handshake on Ubuntu 20.04 ZFS
  • Solving Error on statfs() system call with cAdvisor and Docker
  • MySQL in Docker for Local Development
  • Laravel Docker Development Environment With PHP7

Tags

7zip API auditing Courier MTA crochet data recovery debian debudding development Dingo API docker email Getting started with Laravel 5 & Dingo API hard drive health KVM Laravel larvel 5 lenovo Linux Mail Quota Minion mint netgear nas networking network shares php PHP development Postfix samba security SMART smartctl smartmontools smb smbfs testing traefik ubuntu ubuntu 18.04 ubuntu 20.04 ubuntu server vagrant Virtual machines xdebug xubuntu

© Copyright 2015 apt get life