Fail2Ban Owncloud Issues - Regex works | Not Banning

poolk · 12 February 2021 23:37

Hey folks, newbie here.
I’ve set up as RPi4 (Dietpi) with a 4TB HDD for Owncloud.

Owncloud is working fine and surprisingly fast.
In noticed in the Access.log and via tcpdump that i was pinged quiet often, so i thougt it would be a good idea to set up fail2ban for ssh, owncloud and apache2.
Soo, SSH (Dropbear) gets banned perfectly. But i’ve some problems with owncloud.

Setup
Rpi4 + 4TB HDD USB3
Dietpi (Repo)
Owncloud 10.6.0.5 (Repo)
Fail2Ban v0.10.2
Dietpi_userdata on 4TB Harddrive.

Problem

Fail2Ban dosn’t block failed Owncloud login attempts. But Fail2Ban-regex works.
I had to change the Permission of the /var/log/owncloud.log to 644. Otherwise Owncloud wouldnt be able to write to it. Seem like the the change of the data to HDD messed up something.
All other Logs in /var/log/ are also empty, exept for the Apache logs in the separate apache dir.

Logs & Outputs

#Fail2Ban-Status

root@DietPi:# sudo fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:   dropbear, owncloud, sshd

#Fail2Ban-Status owncloud

root@DietPi:/# fail2ban-client status owncloud
Status for the jail: owncloud
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

#Permissions check

root@DietPi:/# ls -al /var/log/fail2ban.log
-rwxr-xr-x 1 root adm 0 Feb 12 01:18 /var/log/fail2ban.log

root@DietPi:/# ls -al /var/log/owncloud.log
-rw-rw-r-- 1 root www-data 2981 Feb 13 00:01 /var/log/owncloud.log

#REGEX

root@DietPi:/# sudo fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf

Running tests
=============

Use   failregex filter file : owncloud, basedir: /etc/fail2ban
Use         log file : /var/log/owncloud.log
Use         encoding : UTF-8


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] {.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.08 sec]

#Fail2Ban Owncloud.conf

[Definition]
  failregex={.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
  ignoreregex =

#Owncloud.log

{"reqId":"P32uBm2oTRrBPsjyvcnF","level":2,"time":"2021-02-13T00:19:56+01:00","remoteAddr":"178.197.229.79","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '178.197.229.79')"}
{"reqId":"M1trdrNn5OH6sdkJdkaq","level":2,"time":"2021-02-13T00:20:02+01:00","remoteAddr":"178.197.229.79","user":"--","app":"core","method":"POST","url":"\/owncloud\/login?user=test","message":"Login failed: 'test' (Remote IP: '178.197.229.79')"}

#jail.local

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignorself = true
ignoreip = 127.0.0.1/8 ::1
ignorecommand =
bantime  = 10m
findtime  = 10m
maxretry = 5
backend = systemd
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

#
# JAILS
#

#
# SSH servers
#

#[sshd]
#enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
#port    = ssh


[dropbear]
enabled = true
port     = ssh
filter = dropbear
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-allports

[owncloud]
enabled = true
filter = owncloud
bantime = 7200
findtime = 3600
maxretry = 3
banaction = iptables-multiport[name=owncloud, port="http,https"]
logpath = /var/log/owncloud.log

###################

Thanks for any help to find what i’m missing!

Joulinar · 12 February 2021 23:49

Hi,

many thanks for your message. You could have a look to following. There we got Fail2ban working with ownlcoud https://dietpi.com/forum/t/fail2ban-on-lighttpd/4740/2

Usually log file is located at /mnt/dietpi_userdata/owncloud_data/owncloud.log

poolk · 12 February 2021 23:52

Thanks for your reply.

Will check out the link.

It was on my install too. But every Doc i found listed it normally in var/log…
il change it back, then. thx

Joulinar · 13 February 2021 09:00

Well that’s correct for standard Raspberry OS installation, but on DietPi the log file location is changed.