Hey folks, newbie here.
I’ve set up as RPi4 (Dietpi) with a 4TB HDD for Owncloud.
Owncloud is working fine and surprisingly fast.
In noticed in the Access.log and via tcpdump that i was pinged quiet often, so i thougt it would be a good idea to set up fail2ban for ssh, owncloud and apache2.
Soo, SSH (Dropbear) gets banned perfectly. But i’ve some problems with owncloud.
Setup
Rpi4 + 4TB HDD USB3
Dietpi (Repo)
Owncloud 10.6.0.5 (Repo)
Fail2Ban v0.10.2
Dietpi_userdata on 4TB Harddrive.
Problem
- Fail2Ban dosn’t block failed Owncloud login attempts. But Fail2Ban-regex works.
- I had to change the Permission of the /var/log/owncloud.log to 644. Otherwise Owncloud wouldnt be able to write to it. Seem like the the change of the data to HDD messed up something.
All other Logs in /var/log/ are also empty, exept for the Apache logs in the separate apache dir.
Logs & Outputs
#Fail2Ban-Status
root@DietPi:# sudo fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: dropbear, owncloud, sshd
#Fail2Ban-Status owncloud
root@DietPi:/# fail2ban-client status owncloud
Status for the jail: owncloud
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
#Permissions check
root@DietPi:/# ls -al /var/log/fail2ban.log
-rwxr-xr-x 1 root adm 0 Feb 12 01:18 /var/log/fail2ban.log
root@DietPi:/# ls -al /var/log/owncloud.log
-rw-rw-r-- 1 root www-data 2981 Feb 13 00:01 /var/log/owncloud.log
#REGEX
root@DietPi:/# sudo fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf
Running tests
=============
Use failregex filter file : owncloud, basedir: /etc/fail2ban
Use log file : /var/log/owncloud.log
Use encoding : UTF-8
Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
| 1) [2] {.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.08 sec]
#Fail2Ban Owncloud.conf
[Definition]
failregex={.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
ignoreregex =
#Owncloud.log
{"reqId":"P32uBm2oTRrBPsjyvcnF","level":2,"time":"2021-02-13T00:19:56+01:00","remoteAddr":"178.197.229.79","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '178.197.229.79')"}
{"reqId":"M1trdrNn5OH6sdkJdkaq","level":2,"time":"2021-02-13T00:20:02+01:00","remoteAddr":"178.197.229.79","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '178.197.229.79')"}
#jail.local
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignorself = true
ignoreip = 127.0.0.1/8 ::1
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
backend = systemd
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
#
# JAILS
#
#
# SSH servers
#
#[sshd]
#enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
#port = ssh
[dropbear]
enabled = true
port = ssh
filter = dropbear
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-allports
[owncloud]
enabled = true
filter = owncloud
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-multiport[name=owncloud, port="http,https"]
logpath = /var/log/owncloud.log
###################
Thanks for any help to find what i’m missing!