Fail2ban for ownCloud: Brute force prevention and alerting

In this guide, I will show you how to configure your ownCloud server so that brute force attacks are one less thing to worry about. Not only will fail2ban block an IP after a set number of failed login attempts against your ownCloud server, it will also notify you via Pushbullet that an attempt has been blocked.

So let's begin!

Step 1: Install fail2ban and ownCloud filters

Following this excellent guide here (src: https://github.com/AykutCevik/owncloud-fail2ban) you can have fail2ban and ownCloud filters configured in no time. Simply run the command:

.. and follow the instructions. Make sure you enter the logfile path correctly, e.g. /var/log/owncloud.log or /var/www/owncloud/owncloud.log.

Once configured, this will add two main files of interest:

The first, in ‘/filter.d/’, is the regex (the failregex) that fail2ban will use to parse your specified ownCloud log for failed login attempts.

The second, in ‘/jail.d/’, tells fail2ban to actively use that filter, which port to monitor, and the logpath (edit the logpath here if you entered it wrong during setup).

The logfile, /var/log/owncloud.log (for example), must be written in a format fail2ban can parse. To set this up, crack open your config.php (e.g. /var/www/owncloud/config/config.php) and set the following directives:

Make sure that you have logtimezone set to your local timezone, otherwise fail2ban won't work.

.. and that's fail2ban set up. So how does it work?

Fail2ban will create a new iptables chain called ‘f2b-owncloud’, which is visible if you run ‘iptables -nL --lin’ as below:

Basically, iptables will detect traffic arriving at the server on the port specified earlier (https) and send all of it through the new chain ‘f2b-owncloud’. When fail2ban detects that an IP has had 5 failed logins, it adds an iptables REJECT rule for that specific IP at the top of the f2b-owncloud chain. This means that traffic from that IP is rejected, but all other traffic passes.

Obviously this means that HTTPS traffic bypasses all other iptables rules in your INPUT chain, as it is diverted to the f2b-owncloud chain, so ensure you add your rules to that chain also, e.g.:

Using ipset, I only allow GB IP addresses access to HTTPS, so I've had to add this rule to the f2b-owncloud chain, along with a REJECT all. Now when fail2ban bans an IP, it'll get added to the top. The flow will then be:

  1. Is the source IP banned? If yes, then reject, if not ..
  2. Is the source IP from the GB IP range? If no, then reject, if yes, then allow.
  3. Reject everything else.
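To make the mechanism concrete, here is an added Python example (my own, not code from the post, from the owncloud-fail2ban repository or from fail2ban itself). It replays constructed owncloud.log lines through a fail2ban-style failregex, applies maxretry/findtime to decide which IP gets banned, emits the iptables rule fail2ban inserts at position 1 of f2b-owncloud, and then walks the three-step chain order listed above. The exact "Login failed" wording, the findtime value and the GB allow-list are assumptions; confirm your own log format with fail2ban-regex before relying on the pattern.

```python
import ipaddress
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings in the spirit of the post (maxretry 5); findtime is an assumed default.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
CHAIN = "f2b-owncloud"

# failregex written the way fail2ban filters are: <HOST> is the placeholder the filter
# substitutes with its IP/hostname pattern. The message wording is modelled on ownCloud's
# "Login failed" entry (assumption); the real filter lives in /etc/fail2ban/filter.d/.
FAILREGEX = r"Login failed: '.*' \(Remote IP: '<HOST>'\)"
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"   # simplified <HOST>: IPv4/IPv6 only
failregex = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed sample of owncloud.log: one JSON object per line, ISO-8601 time with the
# offset that logtimezone produces. 203.0.113.7 fails five times inside findtime;
# 192.0.2.44's early failures fall outside the window; one line is not JSON at all.
SAMPLE_LOG = """\
{"reqId":"r1","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-01-13T09:00:01+00:00"}
{"reqId":"r2","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-01-13T09:00:07+00:00"}
{"reqId":"r3","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-01-13T11:20:01+00:00"}
{"reqId":"r4","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-01-13T11:20:05+00:00"}
{"reqId":"r5","remoteAddr":"198.51.100.9","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')","level":2,"time":"2016-01-13T11:20:06+00:00"}
{"reqId":"r6","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')","level":2,"time":"2016-01-13T11:20:09+00:00"}
not a json line at all
{"reqId":"r7","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-01-13T11:20:14+00:00"}
{"reqId":"r8","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2016-01-13T11:20:20+00:00"}
{"reqId":"r9","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-01-13T11:22:00+00:00"}
{"reqId":"r10","remoteAddr":"192.0.2.44","app":"core","message":"Login failed: 'alice' (Remote IP: '192.0.2.44')","level":2,"time":"2016-01-13T11:23:00+00:00"}
"""


def parse_line(line):
    """Return (timestamp, ip) for a failed-login entry, or None for anything else."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    m = failregex.search(rec.get("message", ""))
    if not m:
        return None
    return datetime.fromisoformat(rec["time"]), m.group("host")


def scan_log(text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log as filter + jail would: count failures per IP inside findtime and
    emit the iptables insert (rule 1 of the chain) once maxretry is reached."""
    recent = defaultdict(deque)          # ip -> timestamps of failures still inside findtime
    banned, commands = [], []
    for line in text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned:                 # already rejected by iptables; nothing more to do
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime: # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(ip)
            commands.append(f"iptables -I {CHAIN} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable")
    counts = {ip: len(w) for ip, w in recent.items()}
    return banned, commands, counts


# Constructed allow-list standing in for the author's GB ipset (not real GB ranges).
GB_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def chain_verdict(ip, banned, allowed_nets=GB_NETS):
    """Walk f2b-owncloud in rule order: fail2ban REJECTs first (inserted at position 1),
    then the ipset ACCEPT, then the terminal REJECT the post adds."""
    if ip in banned:
        return "REJECT (fail2ban)"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allowed_nets):
        return "ACCEPT (ipset GB)"
    return "REJECT (default)"


if __name__ == "__main__":
    banned, commands, counts = scan_log(SAMPLE_LOG)
    print("failures inside findtime:", counts)
    for cmd in commands:
        print("ban ->", cmd)
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.9"):
        print(ip, chain_verdict(ip, banned))
```

Note that 203.0.113.7 sits inside the allow-list and is still rejected, because the ban rule is inserted above the ipset rule. One caveat on the chain itself: fail2ban's stock iptables-multiport action ends f2b-owncloud with a RETURN, so without the trailing REJECT that the post adds, unmatched HTTPS traffic goes back to the rest of INPUT rather than being dropped.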

Step 2: Testing

Next we need to test that fail2ban will actually block the malicious IP. Simply attempt some invalid logins, and then run the command ‘fail2ban-client status owncloud’:

Here you can see that you have now been banned from accessing the ownCloud server via HTTPS. You can confirm this via ‘iptables -nL --lin’:

You should now be unable to access your owncloud server. To unban yourself, simply run:

Where 134.. is your IP. If you're not being banned, double check that the regex is valid and is picking up your log entries correctly using the command:

This should show an output similar to the below:

If you have issues, double check /var/log/fail2ban.log. If you see an error like the below, then double check the config.php file for your ownCloud server:

I saw this issue when I had a specific ‘logdateformat’ entry in config.php. Simply removing this entry solved my problem.

Step 3: Notifications

Now that fail2ban is actively blocking brute force attackers, we want to be notified about it. Doing this is rather simple, thanks to this excellent guide here (src: http://blog.meinside.pe.kr/How-to-get-Pushbullet-notification-on-Fail2ban-ban-actions/).

Firstly, install Go:

Next, set up your user's .bashrc profile to contain the necessary paths by adding the following lines to ~/.bashrc:

Next, download the pushbullet-fail2ban.go code:

Next, edit that file and enter your Pushbullet API key (to find your key, visit https://www.pushbullet.com/account).

Find the line ‘MyPushbulletToken = ""’ and add your API key within the quotes (no spaces at the start or end).

Once done, build the notification script:

This will leave you with a file called ‘pushbullet-fail2ban’. Move this file to /etc/fail2ban/ using the command:

Next, test that the notification works using the command:

You should get an alert on your mobile phone similar to:

38786f12-83c7-11e5-95b4-f431a84c53d9

Next, we need to modify fail2ban to use this new pushbullet-fail2ban method. To do this, simply copy the method fail2ban uses to ban IPs using iptables, and edit the copied method:

Within this file, find the line ‘actionban =’ and replace it with the following:


Next, let's tell fail2ban to use this new method and not the existing ‘iptables-multiport.conf’. Edit the file /etc/fail2ban/jail.conf:

.. and amend the line ‘banaction’ (line 157) to look like:

And that's it. Simply restart fail2ban, update your iptables rules (if you have modified them as per my Step 1) and your fail2ban-protected ownCloud is now ready:

Next time a naughty hacker tries to brute force your box, you’ll get a push notification similar to:

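For readers who would rather not build the Go notifier, here is an added Python example (my own, not the post's script or the meinside guide's code) of what the edited ‘actionban’ has to do: insert the REJECT rule at the top of the f2b-<name> chain first, and only then send a Pushbullet "note" push. The script name, the way actionban calls it, and the push text are assumptions; the Pushbullet endpoint and Access-Token header are the documented v2 API. The iptables call and the HTTP call are injectable so the logic can be exercised without root or network access.

```python
import json
import subprocess
import sys
import urllib.request

# Hypothetical token placeholder: paste your key from https://www.pushbullet.com/account here.
MY_PUSHBULLET_TOKEN = "REPLACE_WITH_YOUR_PUSHBULLET_TOKEN"
PUSHBULLET_URL = "https://api.pushbullet.com/v2/pushes"
CHAIN_PREFIX = "f2b-"   # fail2ban names a jail's chain f2b-<name>


def ban_command(ip, jail):
    """The rule fail2ban's iptables-multiport action inserts at position 1 of the chain."""
    return ["iptables", "-I", CHAIN_PREFIX + jail, "1", "-s", ip,
            "-j", "REJECT", "--reject-with", "icmp-port-unreachable"]


def unban_command(ip, jail):
    """Matching delete, for actionunban (what ‘fail2ban-client set <jail> unbanip’ triggers)."""
    return ["iptables", "-D", CHAIN_PREFIX + jail, "-s", ip,
            "-j", "REJECT", "--reject-with", "icmp-port-unreachable"]


def push_request(token, ip, jail):
    """Build the Pushbullet v2 'note' push describing the ban (nothing is sent here)."""
    payload = {
        "type": "note",
        "title": f"fail2ban: {jail} banned {ip}",
        "body": f"{ip} was rejected in chain {CHAIN_PREFIX}{jail} after repeated failed logins.",
    }
    return urllib.request.Request(
        PUSHBULLET_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Access-Token": token, "Content-Type": "application/json"},
        method="POST",
    )


def ban(ip, jail, token=MY_PUSHBULLET_TOKEN,
        run=subprocess.run, opener=urllib.request.urlopen):
    """Block first, notify second: a failed push must never leave the IP unblocked.

    `run` and `opener` default to the real iptables and HTTP calls; pass fakes to test.
    """
    cmd = ban_command(ip, jail)
    run(cmd, check=True)                       # raises if iptables fails, so no false "banned"
    result = {"rule": " ".join(cmd), "push_status": None}
    try:
        with opener(push_request(token, ip, jail), timeout=10) as resp:
            result["push_status"] = resp.status
    except Exception as exc:                   # notification is best-effort; the ban already happened
        result["push_error"] = str(exc)
    return result


if __name__ == "__main__":
    # Assumed wiring in the copied action file:
    #   actionban = /etc/fail2ban/pushbullet-ban.py <ip> <name>
    if len(sys.argv) != 3:
        sys.exit("usage: pushbullet-ban.py <ip> <jail>")
    print(json.dumps(ban(sys.argv[1], sys.argv[2])))
```

The ordering is the security-relevant part: if Pushbullet is unreachable, the script still returns after the iptables insert, so an outage of the notification service never turns into a gap in blocking.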

Notes

My iptables rules for fail2ban/owncloud look like the below:

These rules send all HTTPS traffic to the f2b-owncloud chain, where it is then evaluated against that chain's rules. I have an ipset rule there, and then a REJECT to end the chain. Hope this helps!
