Fail2ban: experience feedback

Hello everyone,

I wanted to share with you my experience of using fail2ban to ban deactivated accounts, with Nextcloud version 28.0.7. Although they no longer use the Nextcloud service, these users still have a desktop client that continues to attempt connections, heavily polluting the nextcloud.log file.

Here is my filter:

root@nextcloud:~ # cat /etc/fail2ban/filter.d/nextcloud.conf 
# https://docs.nextcloud.com/server/28/admin_manual/installation/harden_server.html?highlight=fail2ban
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"(?:OC\\\\User\\\\LoginException: )?(User disabled|Utilisateur d\\u00e9sactiv\\u00e9)"
datepattern = ,?\s*"time"\s*:\s*%%d %%B %%Y %%H:%%M:%%S$

For reasons unknown to me, the logs are in English or French. So you have to look for either the ‘User disabled’ string or the ‘Utilisateur d\u00e9sactiv\u00e9’ string.

Please note that a simple change of version of Nextcloud can alter the operation of the filter. For example, with version 29.0.4, you have to search for ‘Compte d\u00e9sactiv\u00e9’ for a log in French… The semantic change is indeed significant since the user remains active (alive) while his account is effectively deactivated! :innocent:

I assume the same will apply to the English version, with ‘Account’ replacing ‘User’, but I haven’t had a chance to observe it at the time of writing.

For this filter to work, you obviously also need to add the corresponding fail2ban jail file. Here is the file I use:

root@nextcloud:~ # cat /etc/fail2ban/jail.d/nextcloud.conf
[nextcloud]
enabled  = true
port     = http,https
filter   = nextcloud
action   = iptables-multiport[name=nextcloud, port="http,https", protocol=tcp]
logpath  = /var/log/nextcloud/nextcloud.log
maxretry = 3
bantime  = 86400

Note the ‘action’ line, which states that banning is done with iptables, which is not described in the documentation.

I hope this helps.

Ernest.

1 Like
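To see what the posted failregex actually catches, here is an added Python example (it is not from the post, from Nextcloud, or from fail2ban itself) that assembles the filter the way fail2ban interpolates `%(_groupsre)s`, runs it over constructed nextcloud.log lines in both languages, and shows the effect of the 28 to 29 wording change on which hosts reach `maxretry = 3`. Assumptions: the `<HOST>` placeholder is replaced by a simplified address pattern rather than fail2ban's real expansion; the English 29.x string "Account disabled" follows the poster's guess and is not a verified log string; the log lines are constructed, not captured; the `datepattern` is not exercised; and `findtime` is ignored when counting towards `maxretry`.

```python
import re
from collections import Counter

# The building blocks of the posted filter, as fail2ban would interpolate them.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion
# (an IPv4 or IPv6 literal); fail2ban's real pattern is more elaborate.
HOST = r'(?P<host>[0-9a-fA-F.:]+)'

# Strings the post observed for Nextcloud 28.0.7 ...
MESSAGES_V28 = [r"User disabled", r"Utilisateur d\\u00e9sactiv\\u00e9"]
# ... and for 29.0.4. The French one was observed; the English one is the
# poster's (and this example's) assumption, not a verified log string.
MESSAGES_V29 = [r"Account disabled", r"Compte d\\u00e9sactiv\\u00e9"]


def build_failregex(messages):
    """Assemble the post's failregex with the given message alternatives.

    The JSON logger doubles every backslash in the exception class name, so
    the regex needs four backslashes per separator, exactly as in the post.
    """
    return re.compile(
        r'^\{' + GROUPSRE + r',?\s*"remoteAddr":"' + HOST + r'"' + GROUPSRE
        + r',?\s*"message":"(?:OC\\\\User\\\\LoginException: )?('
        + "|".join(messages) + r')"'
    )


FAILREGEX_V28 = build_failregex(MESSAGES_V28)                 # what the post ships
FAILREGEX_ALL = build_failregex(MESSAGES_V28 + MESSAGES_V29)  # 28 and 29 wording


def scan(lines, regex):
    """Return the <HOST> value of every line the failregex matches, in order."""
    hits = []
    for line in lines:
        m = regex.match(line)
        if m:
            hits.append(m.group("host"))
    return hits


def hosts_to_ban(lines, regex, maxretry=3):
    """Hosts that reach the jail's maxretry (3 in the post).

    Simplification: findtime is ignored, so the whole input counts as one window.
    """
    counts = Counter(scan(lines, regex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed nextcloud.log lines (not captured from a real server); the field
# layout follows the JSON logger, the values are invented.
SAMPLE_LOG = [
    # Nextcloud 28, English, with the exception prefix
    r'{"reqId":"a1","level":2,"time":"24 July 2024 10:00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/alice/","message":"OC\\User\\LoginException: User disabled","userAgent":"mirall/3.12.0","version":"28.0.7.1"}',
    # Nextcloud 28, French, without the prefix
    r'{"reqId":"a2","level":2,"time":"24 July 2024 10:00:31","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/alice/","message":"Utilisateur d\u00e9sactiv\u00e9","userAgent":"mirall/3.12.0","version":"28.0.7.1"}',
    r'{"reqId":"a3","level":2,"time":"24 July 2024 10:01:02","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/alice/","message":"User disabled","userAgent":"mirall/3.12.0","version":"28.0.7.1"}',
    # Nextcloud 29 from a second client: new wording, missed by the posted filter
    r'{"reqId":"b1","level":2,"time":"02 August 2024 09:15:02","remoteAddr":"198.51.100.23","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/bob/","message":"OC\\User\\LoginException: Compte d\u00e9sactiv\u00e9","userAgent":"mirall/3.13.0","version":"29.0.4.1"}',
    r'{"reqId":"b2","level":2,"time":"02 August 2024 09:15:33","remoteAddr":"198.51.100.23","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/bob/","message":"Compte d\u00e9sactiv\u00e9","userAgent":"mirall/3.13.0","version":"29.0.4.1"}',
    r'{"reqId":"b3","level":2,"time":"02 August 2024 09:16:04","remoteAddr":"198.51.100.23","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/bob/","message":"OC\\User\\LoginException: Account disabled","userAgent":"mirall/3.13.0","version":"29.0.4.1"}',
    # Unrelated failure that this filter must leave to the stock "Login failed" rule
    r'{"reqId":"c1","level":2,"time":"02 August 2024 09:16:40","remoteAddr":"192.0.2.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: carol (Remote IP: 192.0.2.9)","userAgent":"curl/8.5.0","version":"29.0.4.1"}',
]


if __name__ == "__main__":
    for label, rx in (("28-only filter", FAILREGEX_V28), ("28+29 filter", FAILREGEX_ALL)):
        print(f"{label}: hits={scan(SAMPLE_LOG, rx)} ban={hosts_to_ban(SAMPLE_LOG, rx)}")
```

With the posted 28-only alternation, the three French and English lines from 203.0.113.7 are counted and that host is banned, while the 29.x client at 198.51.100.23 is never seen; adding the "Compte"/"Account" alternatives is what makes the second host reach `maxretry`. On a real server the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf`, which also reports whether the `datepattern` matched the `time` field.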

Probably because this line is not strictly necessary, as at least on Debian/Ubuntu, banaction = iptables-multiport and banaction_allports = iptables-allports are already set in the default jail.conf, which would block access to all ports.

#
# Action shortcuts. Used to define action parameters

# Default deny action (e.g., iptables, iptables-new,
# iptables-multiport, shorewall, etc.) Used to define
# action_* variables. Can be overridden globally or per
# section within the jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

Your action line, however, is more specific by adding additional configuration parameters that limit the banaction to ports 80 and 443, while still allowing access to other ports if I’m not mistaken.

1 Like

You’re right, thank you for that clarification!
So here’s the updated version of my nextcloud.conf file.

[nextcloud]
enabled  = true
port     = http,https
filter   = nextcloud
# unnecessary because the banaction variable in /etc/fail2ban/jail.conf handles this action
# action   = iptables-multiport[name=nextcloud, port="http,https", protocol=tcp]
logpath  = /var/log/nextcloud/nextcloud.log
maxretry = 3
bantime  = 86400

Needless to say, this correction was suggested to me by ChatGPT :thinking:… Sorry about that. :innocent:

Ernest.

1 Like