Owncloud 9.1.5 with fail2ban ceased working

#1

Steps to reproduce

  1. Upgraded OC to 9.1.5 via YUM on a CentOS 7 VPS
  2. Installed fail2ban and now using version 0.9.6

Fail2ban was configured a while ago (while still using OC 8.1.5) and configured to ban after 5 failed attempts. I tested that it worked and it did, I even banned myself :)

Now I noticed while doing maintenance that the OC log was filled with "Trusted domain" errors, so I decided to see why Fail2Ban did not ban the IPs. I tried logging in more than 5 times, Fail2Ban never banned me.

Server configuration

Operating system:
CentOS 7

Web server:
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 12 2017 21:03:28

Database:
MariaDB (running on remote VPS)

PHP version:
PHP 5.4.16 (cli) (built: Nov 6 2016 00:29:02)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

ownCloud version: (see ownCloud admin page)
9.1.5

Updated from an older ownCloud or fresh install:
Upgraded

Where did you install ownCloud from:
CentOS repo

/etc/fail2ban/filter.d/owncloud.conf

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
ignoreregex =

/etc/fail2ban/jail.local

ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 3600
maxretry = 5

[owncloud]
enabled = true
banaction = iptables-allports
filter  = owncloud
port    =  http,https
logpath = /var/www/html/owncloud/data/owncloud.log
action  = iptables-multiport[name=owncloud, port="http,https"]
          mail[name=owncloud, dest=email@email.com]

fail2ban-regex /var/www/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v

Running tests
=============

Use   failregex filter file : owncloud, basedir: /etc/fail2ban
Use      single line : /var/www/owncloud/data/owncloud.log


Results
=======

Failregex: 0 total
|-  #) [# of hits] regular expression
|   1) [0] {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  /var/www/owncloud/data/owncloud.log
`-

Fail2ban is running, firewalld is running, and httpd (apache) is also running.

What changed in OC for F2B to stop working?


#2

OK Fixed. I upgraded to OC 10.0.3 (stable) then used the following REGEX in /etc/fail2ban/filter.d/owncloud.conf

[Definition]
failregex={"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"core","method":"POST","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}

Then ran the test script fail2ban-regex /var/www/html/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf -v

Running tests
=============

Use   failregex filter file : owncloud, basedir: /etc/fail2ban
Use         log file : /var/www/html/owncloud/data/owncloud.log
Use         encoding : UTF-8


Results
=======

Failregex: 7 total
|-  #) [# of hits] regular expression
|   1) [7] {"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"core","method":"POST","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
|      192.168.0.200  Sun Oct 08 17:17:08 2017
|      192.168.0.200  Sun Oct 08 17:23:24 2017
|      192.168.0.200  Sun Oct 08 17:23:27 2017
|      192.168.0.200  Sun Oct 08 17:23:28 2017
|      192.168.0.200  Sun Oct 08 17:23:29 2017
|      192.168.0.200  Sun Oct 08 17:23:31 2017
|      192.168.0.200  Sun Oct 08 17:23:32 2017
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [196831] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 196831 lines, 0 ignored, 7 matched, 196824 missed
[processed in 27.85 sec]

The 5 entries in the test above are from when I tested F2B and got banned.

All works now. I suspect the REGEX syntax did not work with 9.1.5 but was working with 8.1.5; in between I never tested F2B to see if it still worked after an upgrade of OC, and did not realize that it had stopped working.


#3

I did the following search https://central.owncloud.org/search?q=fail2ban and found https://central.owncloud.org/t/fail2ban-and-owncloud-8-x-9-0-x/837 Seems the syntax indeed changed between the versions.
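
Why a filter that names every JSON key in order stops matching when the log layout changes, as an added example that is not part of the original posts: it runs the failregex values from #1 and #2 against two constructed log lines. The IPv4-only substitute for `<HOST>`, the sample lines and `FILTER_MESSAGE_ONLY` are assumptions made for the illustration, and fail2ban's date detection is left out.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values as they appear in posts #1 and #2.
FILTER_POST_1 = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}'''
FILTER_POST_2 = r'''{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"core","method":"POST","url":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}'''
# Hypothetical alternative: anchor on the message field only, so keys that an
# upgrade adds or reorders around it do not affect the match.
FILTER_MESSAGE_ONLY = r'''"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)'''

# Constructed sample lines, not captured ownCloud output. The key order
# follows the filter in #2 and the filter in #1 respectively.
LINE_ORDER_2 = '''{"reqId":"r1","level":2,"time":"2017-10-08T17:17:08+00:00","remoteAddr":"192.0.2.10","user":"--","app":"core","method":"POST","url":"/index.php/login","message":"Login failed: 'admin' (Remote IP: '192.0.2.10')"}'''
LINE_ORDER_1 = '''{"reqId":"r2","remoteAddr":"192.0.2.10","app":"core","message":"Login failed: 'admin' (Remote IP: '192.0.2.10')","level":2,"time":"2017-10-08T17:17:08+00:00"}'''


def banned_host(failregex, line):
    """Return the address a failure would be counted against, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def hit_count(failregex, lines):
    """Number of lines the filter matches, like the 'Failregex: N total' line."""
    return sum(banned_host(failregex, line) is not None for line in lines)


if __name__ == "__main__":
    sample = [LINE_ORDER_2, LINE_ORDER_1]
    for name, rx in [("post #1", FILTER_POST_1), ("post #2", FILTER_POST_2),
                     ("message only", FILTER_MESSAGE_ONLY)]:
        print(f"{name:13} hits={hit_count(rx, sample)}",
              [banned_host(rx, line) for line in sample])
```

Besides the key order, the filter from #1 has no `'` between `<HOST>` and `\)`, so it misses even the constructed line written in its own key order.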


#4

OK, I'm back at it. After a few days, it's no longer working. I also have a myriad of other problems. I will post back here once I can figure out what the **** is going on.