{"id":45,"date":"2014-11-01T20:18:00","date_gmt":"2014-11-01T20:18:00","guid":{"rendered":"https:\/\/www.tech-and-dev.com\/blog\/2014\/11\/01\/protecting-owncloud-against-bruteforce-attacks-with-fail2ban\/"},"modified":"2021-02-22T01:02:57","modified_gmt":"2021-02-22T01:02:57","slug":"protecting-owncloud-against-bruteforce-attacks-with-fail2ban","status":"publish","type":"post","link":"https:\/\/www.tech-and-dev.com\/blog\/2014\/11\/protecting-owncloud-against-bruteforce-attacks-with-fail2ban.html","title":{"rendered":"Protecting Owncloud Against Bruteforce Attacks With Fail2ban"},"content":{"rendered":"
\n
<\/a><\/div>\n
<\/div>\n
OwnCloud is a great web application that can be installed on a server and allows the sync & share of files, music, movies, calendar and contacts. However, one weakness that ownCloud users face is a brute force attack against the login page.<\/div>\n
<\/div>\n
Fail2Ban is a software that scan logs for malicious behaviors and update the firewall rules by banning IPs for a specified amount of time.<\/div>\n

<\/a><\/p>\n

Requirements:<\/h2>\n
    \n
  1. OwnCloud 7.0.2 or higher installed<\/li>\n
  2. Fail2Ban installed<\/li>\n<\/ol>\n

    1- Configuring Fail2Ban<\/h2>\n

    Copy Fail2Ban configuration file, never use jail.conf, it will get overwritten when fail2ban is updated.<\/p>\n

    cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/p><\/blockquote>\n

    <\/div>\n

    2- Open the configuration file:<\/h2>\n

    vi \/etc\/fail2ban\/jail.local<\/p><\/blockquote>\n

    Append at the end of the file:<\/p>\n

    #OwnCloud
    \n[owncloud]
    \nenabled\u00a0 = true
    \nfilter\u00a0\u00a0 = owncloud
    \naction = iptables-multiport[name=owncloud, port=”http,https”]
    \nlogpath\u00a0 = \/home\/yourusername\/public_html\/data\/owncloud.log
    \nmaxretry = 5<\/p><\/blockquote>\n

    enabled:<\/b> Should be set to true for fail2ban to ban the offending IPs.
    \nfilter: <\/b>the filter filename, which will be created in the next step.
    \naction:<\/b> the action that will be taken when the maximum number of failed logins is reached. In this example, we’re blocking both the http and https port (port 80 and 443 by default).
    \nlogpath:<\/b> the path to owncloud log file. As of ownCloud 7.0.2, the log file is automatically created in the data directory. If you’re using an older version of ownCloud that doesn’t create a logfile, you can create log file and add it to the logpath. For example:
    \nvi \/var\/log\/owncloud.log
    \nchown oc:oc owncloud.log
    \nmaxretry:<\/b> the allowed number of failed login attempts before fail2ban bans the IP.<\/p>\n

     <\/p>\n

    3- Create a filter for ownCloud and add the following inside it:<\/h2>\n

    For Owncloud 7<\/h3>\n

    vi \/etc\/fail2ban\/filter.d\/owncloud.conf<\/p><\/blockquote>\n

    [Definition]
    \nfailregex={“app”:”core”,”message”:”Login failed: ‘.*’ (Remote IP: ‘<HOST>’, X-Forwarded-For: ‘.*’)”,”level”:2,”time”:”.*”}
    \nignoreregex =<\/p><\/blockquote>\n

    For Owncloud 8<\/h3>\n

    vi \/etc\/fail2ban\/filter.d\/owncloud.conf<\/p><\/blockquote>\n

    [Definition]
    \nfailregex={“reqId”:”.*”,”remoteAddr”:”.*”,”app”:”core”,”message”:”Login failed: ‘.*’ (Remote IP: ‘<HOST>’, X-Forwarded-For: ‘.*’)”,”level”:2,”time”:”.*”}
    \nignoreregex =<\/p><\/blockquote>\n

     <\/p>\n

    4- Setting ownCloud log file<\/h2>\n

    Go to ownCloud<\/b>, click on your username <\/b>on top right, go to Admin<\/b> section, scroll down to the Log<\/b> section and choose: warnings, errors and fatal issues<\/b>.<\/p>\n

    <\/a><\/div>\n

     <\/p>\n

    5- Restart fail2ban<\/h2>\n

    service fail2ban restart<\/p><\/blockquote>\n

    Fail2ban should now ban all the IPs that are failing the login 5 times.<\/p>\n

    Have Any Questions? Please let me know! <\/b><\/p>\n

     <\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

    OwnCloud is a great web application that can be installed on a server and allows the sync & share of files, music, movies, calendar and contacts. However, one weakness that ownCloud users face is a brute force attack against the login page. Fail2Ban is a software that scan logs for malicious behaviors and update the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[23,25,6,7],"tags":[],"class_list":["post-45","post","type-post","status-publish","format-standard","hentry","category-brute-force","category-fail2ban","category-linux","category-ssh"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/comments?post=45"}],"version-history":[{"count":2,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/45\/revisions"}],"predecessor-version":[{"id":283,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/45\/revisions\/283"}],"wp:attachment":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/media?parent=45"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/categories?post=45"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/tags?post=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}