Fail2ban Native Support

hailthemelody · June 15, 2016, 5:15am

Hi,

As many of us are aware, fail2ban is a highly effective method for blocking brute-force attempts by temporarily (or permanently, if desired!) blocking IP addresses. Is there a similar functionality, and/or a native definition for the fail2ban jail.local file? There are a few unofficial ones out there (for ownCloud presently) but it would be nice to have an official one.

jknockaert · June 15, 2016, 6:46am

Another solution is ossec. It would be a good idea to include an encoder and some rules in the nextcloud documentation, to allow for an easy set up of owncloud and ossec. And also to refrain from changes in the log format between versions.

hailthemelody · June 15, 2016, 1:00pm

I like @jknockaert’s solution as well. Perhaps the documentation could provide examples for both (or even more) as each approach has its merits.

hailthemelody · June 23, 2016, 2:20pm

Since I haven’t heard back from the community or admins on this I’ve decided to write my own fail2ban jail rule and will post updates to the documentation upon completion.

In doing so, does anyone know where failed login attempts for Nextcloud are logged? The main log for Nextcloud appears to be /var/log/syslog but I couldn’t find any entries located there after purposefully entering bogus usernames, nor could I locate the bogus credential string anywhere in the /var/log/ directory. The command I used for find it was grep -rnw /var/log/ -e "bogususer"

Zollak · June 23, 2016, 2:52pm

You can add the following options to your config.php (in the /path/to/nextcloud/config/ folder) and Nextcloud will log failed logins to the nextcloud.log file in the /path/to/nextcloud/ folder.

'log_type' => 'owncloud', 'logfile' => 'nextcloud.log',

AlfredSK · June 23, 2016, 9:23pm

There is a tutorial for setting up fail2ban for owncloud at the owncloud.org forum, section owncloud community > tutorials. It works very well on oc and I think it will work on Nextcloud too.

hailthemelody · June 24, 2016, 3:31am

Thank you @AlfredSK - though I wish I had seen your message earlier! In the meantime I developed my own tutorial on GitHub (still a WIP as of this writing). I will be maintaining it as the logtype for Nextcloud is agreed upon:

riegerCLOUD · June 24, 2016, 11:30am

Hi, in the last section of my blog
nextcloud: nginx, ssl, fail2ban
you can find a very simple fail2ban solution for nextcloud based on ubuntu 16.04.
Unfortunately it is written in german but the linux commands are easy to understand even when written in german.
cheers, carsten

riegerCLOUD · June 30, 2016, 12:41pm

Now written in english

LukasReschke · June 30, 2016, 7:59pm

For the record, our next major release will very likely include a throttling as implemented in https://github.com/paragonie/airship/blob/e349a2a2143eadcfc578c05b3715a76476782e6b/src/Engine/Security/AirBrake.php

The ticket for this can be found at https://github.com/nextcloud/server/issues/270

zeugmatis · August 26, 2016, 8:31pm

Hopefully the github tutorial can make it into the NC docs as well.

jknockaert · August 28, 2016, 8:19pm

There are no NC docs.
edit: I was mistaken; I remembered correctly that there are no pdfs available, but full documentation seems to be provided as a set of html files.

mr-bolle · October 5, 2016, 6:05pm

Hi carsten, your Link doesn’t work. With the follow URL your solution is available. https://www.c-rieger.de/nextcloud-installation-guide/#sechs6

riegerCLOUD · October 5, 2016, 6:39pm

Aediu6 · March 28, 2017, 7:02am

Thank you your guide is awesome!

MichaIng · March 28, 2017, 9:18am

Hmm, since there is brute force protection baked into nextcloud, is there any advantage using fail2ban for nextcloud login on top of that?

hailthemelody · March 28, 2017, 1:22pm

The guide I created was made during a time with brute-force protection was not available in Nextcloud. I will update my guide to mention that it’s now an available option.

I have not experimented with the difference between the two (or other) solutions, though for forward-compatibility it’s probably more wise to go with Nextcloud’s implementation.

MichaIng · March 28, 2017, 3:15pm

As far as I know, the nextcloud brute force protection leads to a growing delay between failing login attempts. Fail2ban on the other hand completely blocks a certain ip, if it fails given times for a given duration. But fail2ban is configurable in allowed attempts and block duration. So theoretically both together lead to a little stricter blocking/delaying rules and work fine together (in my case). I don’t know about performance/memory usage etc. but I guess watching one log file (fail2ban) more should be not noticeable and it is anyway highly recommended for SSH.

But yeah, doubles the thing little bit now .

riegerCLOUD · March 29, 2017, 1:13pm

doubles ? yes. nevertheless: for security reasons and from my perspective

https://www.c-rieger.de/nextcloud-installation-guide/#c103
it is higly recommended!
With an effort less than 5 minutes your system is more secure…it is up to you
cheers, carsten

jksinton · March 30, 2017, 2:05am

Fail2ban blocks the untrusted IP at the interface level using a smart firewall. Once blocked via fail2ban, the untrusted IP never accesses your HTTP server, whereas the throttling built-in to NC is done at the PHP level, and thus, allows the untrusted user to access server resources, such as Apache, mysql, PHP, etc. I use both forms of brute force protection. It’s always better to have redundancy especially for brute force.