add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon #798

Merged
merged 4 commits into from Jul 29, 2016

Member

JoshData commented Apr 13, 2016

Continuing from #767.

I added a test script but I'm not yet able to verify that the new jails are working.

# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh
cat conf/fail2ban/jail.local \
# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc.
rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore

@yodax

yodax Apr 14, 2016

Collaborator

Should we do this in the upgrade script? Then we do this only once, if a user then tries to add something to jail.local it won't be removed.


@JoshData

JoshData Apr 14, 2016

Member

Hmm I see what you mean. The migration scripts are only meant for updating things in the storage root.

Collaborator

yodax commented Apr 14, 2016

I will try to test this this weekend.

Collaborator

yodax commented Apr 18, 2016

Only had a few minutes here and there the past couple of days to look into this. I set up a second server next to my test box and tried running the script. I had some problems with running it without a shebang at first. Got it working by calling it directly via the python3 interpreter. It isn't able to connect to my server, might be a firewall issue.

I will have a look at this hopefully this week.

Regarding the removal of jail.local. I looked into running a hash, but the deployed file is modified with the users ip address. So we somehow have to detect that we are upgrading. We could do this later on, since currently the file is already being overwritten after every release.

Collaborator

yodax commented Apr 19, 2016

I am focussing on the first failing test: smtp (run from a separate server).

root@box:~/mailinabox# python3 tests/fail2ban.py root@OTHER_TEST_BOX
 * Restarting authentication failure monitor fail2ban
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
   ...done.
smtp_test  ...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 * not blocked!
 * Restarting authentication failure monitor fail2ban
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
   ...done.

If I run:

fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filter.d/miab-postfix-submission.conf 

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/miab-postfix-submission.conf
Use         log file : /var/log/mail.log


Results
=======

Failregex: 42 total
|-  #) [# of hits] regular expression
|   1) [42] postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
|      REMOTE_SERVER_IP  Tue Apr 19 10:04:38 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:04:44 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:04:50 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:04:56 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:04:58 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:00 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:02 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:04 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:06 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:08 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:10 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:12 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:14 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:16 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:18 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:20 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:22 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:24 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:26 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:28 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:30 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:32 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:34 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:36 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:38 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:40 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:42 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:44 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:46 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:48 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:50 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:52 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:54 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:56 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:05:58 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:00 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:02 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:04 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:06 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:08 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:12 2016
|      REMOTE_SERVER_IP  Tue Apr 19 10:06:14 2016
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [271] MONTH Day Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 271 lines, 0 ignored, 42 matched, 229 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 229 lines

I see the hits, but no banning of the IP.

The configuration dump with fail2ban-client -d

['add', 'miab-postfix587', 'auto']
['set', 'miab-postfix587', 'usedns', 'warn']
['set', 'miab-postfix587', 'addlogpath', '/var/log/mail.log']
['set', 'miab-postfix587', 'maxretry', 20]
['set', 'miab-postfix587', 'addignoreip', '127.0.0.1/8']
['set', 'miab-postfix587', 'addignoreip', 'SERVER_IP']
['set', 'miab-postfix587', 'findtime', 30]
['set', 'miab-postfix587', 'bantime', 600]
['set', 'miab-postfix587', 'addfailregex', 'postfix/submission/smtpd.*warning.*\\[<HOST>\\]: .* authentication (failed|aborted)']
['set', 'miab-postfix587', 'addaction', 'iptables-multiport']
['set', 'miab-postfix587', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'miab-postfix587', 'actionstop', 'iptables-multiport', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'miab-postfix587', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
['set', 'miab-postfix587', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'miab-postfix587', 'actioncheck', 'iptables-multiport', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"]
['set', 'miab-postfix587', 'setcinfo', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'miab-postfix587', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'miab-postfix587', 'setcinfo', 'iptables-multiport', 'name', 'miab-postfix587']
['set', 'miab-postfix587', 'setcinfo', 'iptables-multiport', 'chain', 'INPUT']
['set', 'miab-postfix587', 'setcinfo', 'iptables-multiport', 'port', '587']

The effective merged configuration looks okay. I did test this manually by re-entering a wrong password in Mail for MacOS. That resulted in a ban:

Every 2.0s: fail2ban-client status miab-postfix587                                                        Tue Apr 19 10:26:30 2016

Status for the jail: miab-postfix587
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     30
`- action
   |- Currently banned: 1
   |  `- IP list:       MY_HOME_IP
   `- Total banned:     1

It does hit 2 tries with every login; there are indistinguishable items in the log. I also compared the log items for the test script with the manual test and I couldn't detect any differences.

So the filter does work with a manual test, but not with the script, which of course is not good enough. I will try to have a look. I suspect it could be a timing issue. Time is a bit more limited this week though.
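The jail dump above carries the two numbers the ban decision depends on, maxretry 20 and findtime 30, applied to the lines the failregex matches. The following added example (not part of tests/fail2ban.py or Mail-in-a-Box) replays constructed mail.log lines through that rule so the effect of those settings can be checked offline: one failure line every 2 seconds, the spacing seen in the fail2ban-regex output, never reaches 20 inside a 30-second window, while a client that writes two failure lines per attempt does. The IP addresses and log lines are constructed sample data, and the `<HOST>` tag is expanded to an IPv4 pattern only.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# failregex from the miab-postfix587 jail dump above; fail2ban substitutes its own
# host pattern for <HOST>, here narrowed to IPv4 for the constructed sample.
FAILREGEX = r"postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)"
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Syslog "MONTH Day Hour:Minute:Second" prefix, the date template that scored 271 hits.
SYSLOG_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample addresses (TEST-NET ranges), not real hosts.
SCRIPT_HOST = "203.0.113.5"    # one failure line every 2 s, like the test script run
MANUAL_HOST = "198.51.100.7"   # two failure lines per attempt, like the Mail.app test
NOISE_HOST = "192.0.2.9"       # fails on port 25 smtpd, which this jail does not watch

def parse_failures(lines, year=2016):
    """Return (timestamp, host) for every line the failregex matches (what fail2ban-regex counts)."""
    failures = []
    for line in lines:
        m_ts = SYSLOG_TS_RE.match(line)
        m_fail = FAIL_RE.search(line)
        if not (m_ts and m_fail):
            continue
        ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m_fail.group("host")))
    return failures

def is_ignored(host, ignoreip):
    """True when host falls inside one of the jail's ignoreip networks (e.g. 127.0.0.1/8)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def simulate_jail(failures, maxretry, findtime, ignoreip=()):
    """Replay matched failures through fail2ban's counting rule: a host is banned the moment
    it has maxretry failures inside a sliding findtime-second window. Returns {host: ban_time}."""
    bans = {}
    recent = {}  # host -> timestamps of failures still inside the findtime window
    for ts, host in sorted(failures):
        if host in bans or is_ignored(host, ignoreip):
            continue
        kept = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        kept.append(ts)
        recent[host] = kept
        if len(kept) >= maxretry:
            bans[host] = ts
    return bans

def make_log(host, start, attempts, interval_s, lines_per_attempt):
    """Construct syslog-style postfix submission failure lines (sample data, not a real mail.log)."""
    out = []
    for i in range(attempts):
        stamp = (start + timedelta(seconds=i * interval_s)).strftime("%b %d %H:%M:%S")
        for j in range(lines_per_attempt):
            reason = "failed" if j == 0 else "aborted"
            out.append(f"{stamp} box postfix/submission/smtpd[2137]: warning: "
                       f"unknown[{host}]: SASL LOGIN authentication {reason}: bad credentials")
    return out

def run_simulation(maxretry=20, findtime=30):
    """Build the sample log and return (matched_failures, bans) under the jail's settings."""
    start = datetime(2016, 4, 19, 10, 4, 38)
    log = make_log(SCRIPT_HOST, start, 42, 2, 1) + make_log(MANUAL_HOST, start, 15, 2, 2)
    log.append(f"{start.strftime('%b %d %H:%M:%S')} box postfix/smtpd[2138]: warning: "
               f"unknown[{NOISE_HOST}]: SASL LOGIN authentication failed: bad credentials")
    failures = parse_failures(log)
    bans = simulate_jail(failures, maxretry, findtime, ignoreip=["127.0.0.1/8"])
    return failures, bans

if __name__ == "__main__":
    failures, bans = run_simulation()
    print(f"{len(failures)} lines matched the failregex")
    for host in (SCRIPT_HOST, MANUAL_HOST, NOISE_HOST):
        print(f"{host}: banned at {bans[host].time()}" if host in bans else f"{host}: not banned")
```

With the jail's own settings only the two-lines-per-attempt host is banned; lowering maxretry (or raising findtime) in run_simulation shows the point at which the 2-second cadence would be caught as well.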

Collaborator

yodax commented Apr 24, 2016

[Screenshot 2016-04-24 at 08:25:52]

I have no idea what is going on here. Running a manual test as stated before does give an IP ban, but a run from @JoshData's test script does not. I twiddled with the delays and the number of calls. Fail2ban does register all the calls (double even, because each login results in 2 log lines) but doesn't ban. (See screenshot)

A Google quest suggested trying:

  • Actually stop and start fail2ban as opposed to restart
  • Restart the syslog
  • Look at the merged config
  • Check the regexes

I tried all of the above.

import os

# ssh_user and hostname are taken from the root@host argument the script is run with
def restart_fail2ban_service():
    # Log in over SSH to stop and start fail2ban (not a plain restart), then restart rsyslog.
    os.system("ssh %s@%s sudo service fail2ban stop"
              % (ssh_user, hostname))
    os.system("ssh %s@%s sudo service fail2ban start"
              % (ssh_user, hostname))
    os.system("ssh %s@%s sudo service rsyslog restart"
              % (ssh_user, hostname))

@anoma @JoshData do you have any ideas? Because only protecting against manually failed logins isn't actually something we want 😛 quite the opposite...

add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon

(tests squashed into this commit by josh)
Member

JoshData commented Jun 6, 2016

Rebased and updated the test script. The test script verifies that the SMTP submission, IMAP, management daemon, and munin tests are working. I didn't spend time on the ownCloud test.

Member

JoshData commented Jun 6, 2016

Also, my home machine got blocked by recidive a few times during testing. Be careful.

Collaborator

yodax commented Jun 6, 2016

@JoshData did you push the commits? I don't see the changes.

Member

JoshData commented Jun 6, 2016

I force-pushed to the branch, so the PR is updated in place.

tests/fail2ban.py
# Mail-in-a-Box contorl panel
run_test(http_test, ["/admin/me", 200], 20, 30, 1)
# Munin via the Mail-in-a-Box contorl panel

@yodax

yodax Jun 7, 2016

Collaborator

Small typo here: contorl

Collaborator

yodax commented Jun 7, 2016

Thanks for the work!

I did a diff against my local copy to see the changes. It makes sense to check for a refused connection. I will run a test on one of my domains (hopefully soon). I can try to look into testing owncloud.

Collaborator

yodax commented Jun 10, 2016

When I change the ownCloud line to:

run_test(http_test, ["/cloud/remote.php/webdav", 401, None, None, ["aa", "aa"]], 20, 30, 1)

It triggers a log line and records a failed login. However I have to increase the timeout somewhat. Also even though fail2ban sees the failed login, it doesn't proceed with the ban.

To do the other login prompts (if that is desired) we would need to craft POST data. I verified that that gives the same log messages though. What do you prefer @JoshData? We would be testing the ownCloud login system.

The same probably goes for the MiaB panel, which also has two ways of authenticating.

Member

JoshData commented Jun 12, 2016

The more tests the better, but I'll merge as soon as we figure out how to get it to ban any of the ownCloud login paths.

ChiefGyk commented Jun 24, 2016

Would it make sense to add nginx and nginx-badbots jails as well?
I added some jails for it on my MiaB; are they of any use, or just redundant/not useful alongside the already mentioned filters? I wrote about it here: #866

ChiefGyk added a commit to ChiefGyk/mailinabox that referenced this pull request Jun 26, 2016

yodax added some commits Jun 26, 2016

Owncloud needs more time to detect blocks. It doesn't respond as fast as the other services. Also owncloud logs UTC (since latest update) even though the timezone is not UTC. Also to detect a block, we get a timeout instead of a refused.
Remove owncloud log configuration from initial setup and only apply it during the configuration updates. This applies to both the timezone and the log format

yodax referenced this pull request Jul 28, 2016: Fix ownlcoud fail2ban jail #868 (Closed)

Member

JoshData commented Jul 29, 2016

I've been using this PR on my box for a while and haven't seen any problems, so merging. Thanks!
