This is just a little script that installs and configures Fail2Ban to work with NextCloud.

Fail2Ban will monitor your personal cloud for brute force attacks and block the IP after a number of bad login attempts.

Features

SSH jail

Nextcloud login jail

6 bad login attempts will block the IP for 10 minutes by default.

Installation

Get it already made

I have included this in the latest release of my NextCloudPi, a ready to use Raspbian 8 image featuring NextCloud 11, HTTP2, PHP7 and more.

Do it yourself

First, clone the repo

git clone https://github.com/nachoparker/nextcloud-raspbian-generator.git

Then, there are two options.

Online installation

SSH into your Raspberry Pi, copy the fail2ban.sh into it, and run

./fail2ban.sh

, or you can do all that in one command

cat fail2ban.sh | ssh pi@192.168.0.145 # adjust the IP to your Raspberry Pi

Offline installation (using QEMU)

This is based on Raspbian on QEMU with network access.

Extract the SD card and copy the image to your computer (adjust sdx).

sudo dd if=/dev/sdx of=my_rpi.img bs=4M

Then,

./install-fail2ban.sh my_rpi.img 192.168.0.145

Once done, you can copy it back (adjust sdx).

sudo dd if=my_rpi.img if=/dev/sdx bs=4M

Configuration

Before installation, you can configure the following variables at the top of fail2ban.sh

NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP

After installation, you can change those values in /etc/fail2ban/jail.conf, and then issue

sudo fail2ban-client reload

Usage

You can check the status of each jail. Works the same way for the ssh jail.

$ sudo fail2ban-client status nextcloud Status for the jail: nextcloud |- filter | |- File list: /var/www/nextcloud/data/nextcloud.log | |- Currently failed: 1 | `- Total failed: 8 `- action |- Currently banned: 1 | `- IP list: 192.168.0.100 `- Total banned: 1

Should you want to unblock and IP you can type ( adjust IP )

sudo fail2ban-client set nextcloud unbanip 192.168.0.100

From NC 11, there is a basic brute force protection for logins, but it is still hard to do things like whitelist or unban an IP ( see link ).

We can activate it or deactivate it with this line of configuration

'auth.bruteforce.protection.enabled' => false,

Code

#!/bin/bash # Fail2ban installation script for Raspbian # Tested with 2017-01-11-raspbian-jessie.img (and lite) # # Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com> # GPL licensed (see end of file) * Use at your own risk! # # Usage: # cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP # # , or scp this file to a Raspberry Pi and run it from Raspbian # # ./fail2ban.sh # # See the variables on the top of the script for tweaking sudo su NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs BANTIME=600 # time to ban an IP that exceeded attempts FINDTIME=600 # cooldown time for incorrect passwords MAXRETRY=6 # bad attempts before banning an IP set -x set -e # INSTALLATION ########################################## apt-get update apt-get install fail2ban -y touch /var/www/nextcloud/data/nextcloud.log chown -R www-data /var/www/nextcloud/data cd /var/www/nextcloud sudo -u www-data php occ config:system:set loglevel --value=2 sudo -u www-data php occ config:system:set log_type --value=file sudo -u www-data php occ config:system:set logfile --value=$NCLOG cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF' [INCLUDES] before = common.conf [Definition] failregex = Login failed.*Remote IP.*'<HOST>' ignoreregex = EOF cat > /etc/fail2ban/jail.conf <<EOF # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = $BANTIME # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = $FINDTIME maxretry = $MAXRETRY # # ACTIONS # banaction = iptables-multiport protocol = tcp chain = INPUT action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action = %(action_)s # # SSH # [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = $MAXRETRY # # HTTP servers # [nextcloud] enabled = true port = http,https filter = nextcloud logpath = $NCLOG maxretry = $MAXRETRY EOF # CLEANUP ########################################## apt-get autoremove -y apt-get clean rm /var/lib/apt/lists/* -r rm -f /home/pi/.bash_history systemctl disable ssh halt # License # # This script is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This script is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this script; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, # Boston, MA 02111-1307 USA

Tested in Nextcloud 11 running in Raspbian 8.

References

https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

https://github.com/hailthemelody/nextcloud-fail2ban

https://docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8