Document fail2ban setup #421

Closed
dragotin opened this issue Mar 21, 2023 · 10 comments

@dragotin
Contributor

A fail2ban setup was discussed on central.o.o: https://central.owncloud.org/t/brute-force-protection-for-user-logins/41568

It would be nice to have that mentioned as extra hardening, for example as an addition to the "Small-Scale Deployment with systemd".

@dragotin dragotin added the enhancement New feature or request label Mar 21, 2023
@mmattel
Contributor

mmattel commented Mar 21, 2023

@dragotin can we have a discussion to clarify some stuff, I have some ideas...

This was referenced Mar 21, 2023
@mmattel
Contributor

mmattel commented Mar 27, 2023

Closing via #427

@mmattel mmattel closed this as completed Mar 27, 2023
@simone-viozzi

Hi, is the fail2ban documentation up to date with the latest version of ocis? 3.0.0
I followed the guide, but I can't find the "invalid credentials" in the logs, so the jail is not working at all.

@mmattel
Contributor

mmattel commented Jul 20, 2023

@simone-viozzi thanks for your feedback. As noted in the document:

...
The content has been extracted and adapted from Central, our community page, and is without any claim for correctness and eligibility for support, though feedback is welcomed.
...

Let us know the message if you have tested it. We are checking in the meanwhile too.

@simone-viozzi

Hi, here are some logs of failed login attempts:

{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000579","remote-addr":"151.81.252.241","method":"GET","status":200,"path":"/signin/v1/static/favicon.ico","duration":1.874437,"bytes":15086,"time":"2023-07-20T10:32:56.881855774Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000581","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":158.227293,"bytes":0,"time":"2023-07-20T10:33:01.46935878Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000583","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":186.598918,"bytes":0,"time":"2023-07-20T10:33:08.649988892Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000585","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":155.859626,"bytes":0,"time":"2023-07-20T10:33:09.492626117Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000587","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":245.744327,"bytes":0,"time":"2023-07-20T10:33:10.399507689Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000589","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":156.853749,"bytes":0,"time":"2023-07-20T10:33:11.0874848Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000591","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":184.348916,"bytes":0,"time":"2023-07-20T10:33:11.819599965Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000593","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":164.127284,"bytes":0,"time":"2023-07-20T10:33:12.662943363Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000595","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":127.757209,"bytes":0,"time":"2023-07-20T10:33:13.360720867Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000597","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":157.803878,"bytes":0,"time":"2023-07-20T10:33:14.00692201Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000599","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":243.000888,"bytes":0,"time":"2023-07-20T10:33:14.679202108Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000601","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":155.84995,"bytes":0,"time":"2023-07-20T10:33:17.963432829Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000603","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":183.551865,"bytes":0,"time":"2023-07-20T10:33:18.359297692Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000605","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":159.60439,"bytes":0,"time":"2023-07-20T10:33:18.794718217Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000607","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":224.941435,"bytes":0,"time":"2023-07-20T10:33:19.421798532Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000609","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":157.173032,"bytes":0,"time":"2023-07-20T10:33:19.941321918Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000611","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":185.437506,"bytes":0,"time":"2023-07-20T10:33:20.322303996Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"99814c75e8aa/0feowbrgJx-000613","remote-addr":"151.81.252.241","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":167.799979,"bytes":0,"time":"2023-07-20T10:33:20.789403668Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:28","message":"access-log"}

To get those, I used:

tail -f logs/ocis.log | grep -C 5 --line-buffered "151.81.252.241"

Where the IP is the IP from which I'm failing to log in.

As you can see, there is no "message":"invalid credentials" in the logs.

@mmattel
Contributor

mmattel commented Jul 20, 2023

Thanks, the lines provided are not sufficient; the docs say:

The log for a failed login attempt looks like this and consists of two consecutive log entries:

This means that, in the lines provided, there must be at least one line directly above having "message":"invalid credentials" to match the failregex. Only the consecutive log line combination counts.

@simone-viozzi

grep -C 5 will print 5 lines above the matched line and 5 lines below.
Also, using grep "invalid credentials" gets nothing.

@mmattel
Contributor

mmattel commented Jul 20, 2023

We just tested a failed login and we got the invalid credentials log entry?

{"level":"error","service":"idm","bind_dn":"uid=admin,ou=users,o=libregraph-idm","op":"bind","remote_addr":"127.0.0.1:52434","time":"2023-07-20T14:30:42.630414923+05:45","line":"/mnt/workspace/owncloud/ocis/ocis-pkg/log/logrus_wrapper.go:50","message":"invalid credentials"}

@mmattel
Contributor

mmattel commented Jul 20, 2023

The regex part ((.|\n)*) matches arbitrary log lines after "message":"invalid credentials"
up to the next match starting with remote-addr + more necessary identifiers.
Maybe you have more lines in between?

I will clarify the regex part ((.|\n)*) in more detail as I see that this helps understanding.

@simone-viozzi

simone-viozzi commented Jul 20, 2023

> We just tested a failed login and we got the invalid credentials log entry?

Oh, I don't have those.

I will open an issue on the OCIS repo to ask why I don't have the "invalid credentials" log messages.

Thank you.
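
An added diagnostic sketch (not part of the thread or of the oCIS documentation): it checks whether a log contains the pair the jail depends on, an idm "invalid credentials" entry followed by a proxy access-log POST to the logon path, and reports the client address only for such pairs. The sample lines are constructed from the entry shapes quoted above with documentation-range addresses, and `correlate` and `max_gap` are hypothetical names.

```python
import json

LOGON_PATH = "/signin/v1/identifier/_/logon"

# Constructed sample in the two entry shapes quoted in the thread (fields trimmed).
SAMPLE_LOG = """\
{"level":"error","service":"idm","op":"bind","remote_addr":"127.0.0.1:52434","message":"invalid credentials"}
{"level":"info","service":"proxy","remote-addr":"192.0.2.10","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","message":"access-log"}
{"level":"info","service":"proxy","remote-addr":"192.0.2.10","method":"GET","status":200,"path":"/signin/v1/static/favicon.ico","message":"access-log"}
{"level":"info","service":"proxy","remote-addr":"192.0.2.20","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","message":"access-log"}
"""


def correlate(lines, max_gap=5):
    """Pair each idm "invalid credentials" entry with the next proxy logon POST.

    max_gap (an assumption of this sketch) bounds how many unrelated entries may
    sit between the two, standing in for the ((.|\\n)*) part of the failregex.
    """
    report = {"idm_failures": 0, "logon_posts": 0, "offenders": []}
    pending = None  # unrelated entries seen since an unmatched idm failure
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict):
            continue
        if entry.get("service") == "idm" and entry.get("message") == "invalid credentials":
            report["idm_failures"] += 1
            pending = 0
            continue
        is_logon = (entry.get("service") == "proxy"
                    and entry.get("method") == "POST"
                    and entry.get("path") == LOGON_PATH)
        if is_logon:
            report["logon_posts"] += 1
            addr = entry.get("remote-addr")
            if pending is not None and pending <= max_gap and addr:
                report["offenders"].append(addr)
            pending = None  # a failure is attributed to one request only
        elif pending is not None:
            pending += 1
    return report


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))
```

A report with `logon_posts` above zero and `idm_failures` at zero is the situation described in the last comments: the proxy lines alone carry the client address but nothing for the jail to match.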
