Fail2ban and ownCloud 8.x + 9.0.x


#1

What: Configure fail2ban to watch the failed logins of your ownCloud instance

Source: Collected from: https://forum.owncloud.org/viewtopic.php?f=31&t=26336

Target: Tested on ownCloud 8.0.3, 8.1.0, 8.2.0 and 9.0.0 on Debian (Jessie)

How:

  1. Create a file /etc/fail2ban/filter.d/owncloud.conf with the following content:

oC 8.2.0 + 9.0.0

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =

oC 8.1.0

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
ignoreregex =

oC 8.0.3

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
ignoreregex =

  2. Edit /etc/fail2ban/jail.local and insert:

[owncloud]
enabled = true
filter  = owncloud
# select http, https or both, depending on which you use:
port    =  http,https
# edit the logpath to your needs:
logpath = /var/www/owncloud/data/owncloud.log

  3. If your system is not running on UTC, make sure the following config/config.php option matches the timezone of your system:
  4. (Optional) When running OC 7.0.1 or below, make sure the following config/config.php option is set to true:
  5. Restart fail2ban

service fail2ban restart

  6. Bonus

You can test your fail2ban setup like this:

fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v

Example Logfiles:

oC 9.0.0 with default loglevel 2

{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}

oC 8.2.0 with default loglevel 2

{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}

oC 8.2.0 with loglevel 0

{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}

oC 8.1.0 with default loglevel 2

{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}

oC 8.1.0 with loglevel 0

{"reqId":"wLP7a3MdzTo8wgCWret9","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-15T09:40:35+02:00","method":"POST","url":"\/"}

OC 8.0.3 with default loglevel 2

{"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}

OC 8.0.3 with loglevel 0

{"reqId":"9f8edc5558b2b4f8628663d83a092a7f","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:19:02+00:00","method":"POST","url":"\/cloud\/index.php"}

OC 7.0.5 with default loglevel 2

{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}

OC 7.0.5 with loglevel 0

{"reqId":"5576a04643d8e","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:13:58+00:00","method":"POST","url":"\/owncloud\/index.php"}

OC 7.0.1 with default loglevel 2

{"app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:10:29+00:00"}

OC 7.0.1 with loglevel 0

{"reqId":"55769fcacd1e0","app":"core","message":"Login failed: user 'admin' , wrong password, IP:127.0.0.1","level":2,"time":"2015-06-09T08:11:54+00:00","method":"POST","url":"\/owncloud\/index.php"}
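
The check below is an added example, not part of the original post: it runs the three failregex variants from step 1 against sample log lines copied from above, to show that each filter matches only its own ownCloud version's log format. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names are this example's own.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values copied from the post, keyed by the ownCloud version targeted.
FILTERS = {
    "8.2.0/9.0.0": r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}''',
    "8.1.0": r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}''',
    "8.0.3": r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}''',
}

# Log lines copied from the post's "Example Logfiles" section.
SAMPLES = {
    "9.0.0": r'''{"reqId":"wlioIFa6pOvt6DIAoeHE","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-04-12T22:28:20+02:00","method":"POST","url":"\/","user":"--"}''',
    "8.2.0": r'''{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2015-07-08T12:12:41+02:00"}''',
    "8.1.0": r'''{"reqId":"prLlx9+QIfl1jHtz9C5o","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1)","level":2,"time":"2015-07-08T12:12:41+02:00"}''',
    "8.0.3": r'''{"reqId":"f7906a8355f496e3a1947d7839c4a2c3","remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:17:43+00:00"}''',
    "7.0.5": r'''{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00"}''',
}


def compile_filters(filters=FILTERS):
    """Expand the <HOST> tag and compile each failregex."""
    return {name: re.compile(rx.replace("<HOST>", HOST)) for name, rx in filters.items()}


def matching_filters(line, compiled=None):
    """Return {filter name: captured host} for every filter that matches line."""
    compiled = compiled or compile_filters()
    hits = {}
    for name, rx in compiled.items():
        m = rx.search(line)  # search, not fullmatch: the patterns carry no anchors
        if m:
            hits[name] = m.group("host")
    return hits


def coverage(samples=SAMPLES):
    """Map each sample's ownCloud version to the filters that would catch it."""
    compiled = compile_filters()
    return {ver: matching_filters(line, compiled) for ver, line in samples.items()}


if __name__ == "__main__":
    for ver, hits in coverage().items():
        print(f"oC {ver:<6} -> {hits or 'NO MATCH: failed logins would not be counted'}")
```

A version whose sample matches no filter means failed logins in that format would never count toward a ban; `fail2ban-regex` against the real log remains the authoritative test.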

#2

#3

Great! We started to also cover this in the documentation now:
https://doc.owncloud.com/server/10.0/admin_manual/configuration_server/harden_server.html#use-fail2ban
Happy for any additions!