What: Configure fail2ban to watch the failed logins of your ownCloud instance
Source: Collected from: https://forum.owncloud.org/viewtopic.php?f=31&t=26336
Target: Tested on ownCloud 8.0.3, 8.1.0, 8.2.0 and 9.0.0 on Debian (Jessie)
How:
- Create a file /etc/fail2ban/filter.d/owncloud.conf with the following content:
oC 8.2.0 + 9.0.0
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
oC 8.1.0
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
ignoreregex =
oC 8.0.3
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
ignoreregex =
- Edit /etc/fail2ban/jail.local and insert:
[owncloud]
enabled = true
filter = owncloud
# select http, https or both, depending on which you use:
port = http,https
# edit the logpath to your needs:
logpath = /var/www/owncloud/data/owncloud.log
- If your system is not running on UTC, make sure the following config/config.php option matches the timezone of your system:
- (Optional) When running OC 7.0.1 or below, make sure the following config/config.php option is set to true:
- Restart fail2ban
service fail2ban restart
- Bonus
You can test your fail2ban setup like this:
fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v
Example Logfiles:
oC 9.0.0 with default loglevel 2
{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}
oC 8.2.0 with default loglevel 2
{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}
oC 8.2.0 with loglevel 0
{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
oC 8.1.0 with default loglevel 2
{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}
oC 8.1.0 with loglevel 0
{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}
OC 8.0.3 with default loglevel 2
{"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}
OC 8.0.3 with loglevel 0
{"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02+00:00","method":"POST","url":"\/cloud\/index.php"}
OC 7.0.5 with default loglevel 2
{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}
OC 7.0.5 with loglevel 0
{"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}
OC 7.0.1 with default loglevel 2
{"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}
OC 7.0.1 with loglevel 0
{"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
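Added example (not part of the original how-to and not fail2ban's own code): a Python check that runs the three failregex lines from the filter definitions above against example log lines from this page, showing that each filter only matches the log format of its own ownCloud version. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, and the names FILTERS, SAMPLES, banned_host and match_matrix are chosen for this example.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag; the real
# expansion depends on the fail2ban version and also covers IPv6 and DNS names.
HOST = r"(?P<host>[\w\-.^_]+)"

# failregex lines copied from the filter definitions on this page.
FILTERS = {
    "8.2.0+9.0.0": r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}""",
    "8.1.0": r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}""",
    "8.0.3": r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}""",
}

# Log lines copied from the "Example Logfiles" section of this page.
SAMPLES = {
    "9.0.0": r"""{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}""",
    "8.2.0": r"""{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}""",
    "8.1.0": r"""{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}""",
    "8.0.3": r"""{"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}""",
}


def banned_host(failregex, line):
    """Return the address the filter would extract from this line, or None."""
    # The failregex is applied as an unanchored search over the log line.
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def match_matrix():
    """Map (filter version, log version) to the extracted host or None."""
    return {
        (fver, lver): banned_host(regex, line)
        for fver, regex in FILTERS.items()
        for lver, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for (fver, lver), host in sorted(match_matrix().items()):
        print(f"filter {fver:12} log {lver:6} -> {host or 'no match'}")
```

A filter that reports no match for your version's log lines bans nothing, so pick the definition by ownCloud version and confirm it with fail2ban-regex against the real log.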