[HowTo] Fail2ban install to Nas4free

#1

Post by alexey123 » 31 Aug 2012 10:09

If you do not plan to give access to your server from the Internet, you do not need to read this thread ;)
I installed it on the full version.

The full manual can be read here

This works on my server.

I want to add a web page to the nas4free GUI, but I don't know how to do it.
Home11.0.0.4 - Sayyadina (revision 4249)/ x64-embedded on SAPPHIRE Pure Mini E350 / 8G RAM / UPS Ippon Back Power Pro 600
Lab 10.2.0.2 - Prescience (revision 2545) /x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600
New XigmanasXigmaNAS version 11.2.0.4.6026 on x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS/ 16G RAM
TEST1 11.0.0.4 - Pilingitam (revision 4333) bpi-embedded on Allwinner a20 / 1015MiB RAM


#2

Post by raulfg3 » 19 Dec 2012 11:39

Any improvements?

Did you finally do the webGui integration?
12.0.0.4 (revision 6766)+OBI on SUPERMICRO X8SIL-F 8GB of ECC RAM, 12x3TB disk in 3 vdev in RaidZ1 = 32TB Raw size only 22TB usable


#3

Post by alexey123 » 27 Jan 2013 08:14

I found that the fail2ban filter in the current package is not working on nas4free.
I attach a working filter from the old version.
The file needs to be extracted and placed at /usr/local/etc/fail2ban/filter.d/sshd.conf. I back up the standard file under any other name.
raulfg3 wrote: Do you finally do the webGui integration?.
Raul, I'm not a programmer, but I am now studying how to add extensions to the webgui and store data in config.xml for nas4free update compatibility.

#4

Post by UnwiseYoda » 30 Jan 2013 06:37

When I attempt to add the package in SSH I'm getting this error:
File unavailable unable to fetch ftp://ftp.freebsd.org/pub/FreeBSD/ports ... ailban.tbz

I did download the tar ball and extract it into a folder on my mount, same way I installed owncloud. Though I have no idea how to make it work from there.


#5

Post by alexey123 » 30 Jan 2013 07:30

UnwiseYoda wrote: When I attempt to add the package in SSH I'm getting this error:
File unavailable unable to fetch ftp://ftp.freebsd.org/pub/FreeBSD/ports ... ailban.tbz

I did download the tar ball and extract it into a folder on my mount, same way I installed owncloud. Though I have no idea how to make it work from there.
First, fail2ban works on the full version, because you need to modify files in the /etc/rc.d folder.
Second, before adding any package you need to type this command

Code: Select all

setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9-current/Latest/
Third, I have added an archive to this post. It has 2 folders inside. Before installing fail2ban, put these folders into the nas4free /var/db/pkg/ folder. This prevents the current binaries on the system from being replaced.
You need to have
/var/db/pkg/gettext-0.18.1.1/(files)
/var/db/pkg/libiconv-1.14/(files)
Enjoy.

#6

Post by UnwiseYoda » 06 Feb 2013 06:35

I was able to install fail2ban and get it configured as directed. Thanks for the great guide!

Now though I have another issue. I also have owncloud mounted on nas4free. I was able to add the jail to fail2ban for it via this guide http://www.dataparadis.net/osp/gnu-linu ... -owncloud/
In the jail.conf file, fail2ban will not start at all because there is no action command. So, I added the command like the one you used for SSH (ipfw[localhost=192.168.1.104]). Fail2ban sees the failed attempts in the owncloud log and bans according to the defaults (3 fails) for 10 minutes. But even though it shows that I am banned, I still have full access to the server including to the main webgui for nas4free as well as owncloud. When I tested the SSH it worked great and kept me out of SSH as expected. So I'm not sure what I missed to get an effective ban to the webserver(owncloud). Thanks ahead of time! Let me know if you need to see the edited scripts and I will post them.


#7

Post by alexey123 » 06 Feb 2013 07:22

I did not find how the ban action is applied in your link.
/etc/fail2ban/jail.local

Code: Select all

[Owncloud]
enabled  = true
port     = http,https
filter   = owncloud
logpath  = /var/log/owncloud/auth.log
maxretry = 5

#8

Post by UnwiseYoda » 12 Feb 2013 20:47

Here is how I changed it to get the jail to initiate.

/usr/local/etc/fail2ban/jail.conf

Code: Select all

[Owncloud]
enabled  = true
action   = ipfw[localhost=192.168.1.104]
port     = http,https
filter   = owncloud
logpath  = /mnt/Cloud/owncloud/owncloud/auth.log
maxretry = 3


#9

Post by alexey123 » 13 Feb 2013 06:32

What owncloud version do you use?
According to your post, lines need to be added to lib/base.php after line 570. I find only 270 in it.
Also, I modified owncloud/lib/connector/sabre/auth.php as written in the post and created a logfile at /var/log/owncloud/auth.log (chmod 666) -> nothing in it.

OK, I tried 4.5.0.
I added the lines, but it creates a log entry only the first time.
I made a simulation: I copy-pasted the failed attempt into auth.log.
And after 3 times my ssh connection was lost. I checked via the webgui Advanced|Execute command
$ ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log logamount 5 ip from any 21 to 10.0.0.5 dst-port 21 via re0
00500 deny log logamount 5 ip from 10.0.0.5 21 to any dst-port 21 via re0
00600 deny ip from any to 10.0.0.5 dst-port 21 via re0
00700 reject ip from 10.0.0.6 21 to any
00800 reject ip from any to 10.0.0.6 dst-port 21
00900 deny log logamount 5 udp from 193.200.211.0/24 to 10.0.0.1
01000 deny udp from 186.1.206.7 to 10.0.0.1
01100 deny log logamount 5 udp from 204.45.118.82 to 10.0.0.1
01200 deny tcp from 10.0.0.4 to 10.0.0.1 dst-port 22 - THIS IS MY BAN
01300 deny tcp from 218.104.145.16 to 10.0.0.1 dst-port 22
65535 allow ip from any to any
I went to check my config for the action
# Fail2Ban configuration file
blablabla

#
actionban = ipfw add deny tcp from <ip> to <localhost> <port>


# Option: actionunban

actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`

[Init]

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh    <---- Maybe I use an old config???

# Option: localhost
# Notes.: the local IP address of the network interface
# Values: IP
#
localhost = 127.0.0.1 10.0.0.1
No problem, I went on to create a new config. To unban ssh I typed this command via the webgui

Code: Select all

ipfw -q flush
I created a new /usr/local/etc/fail2ban/action.d/owncloud.conf

Code: Select all

# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Alexey Kruglov
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = ipfw add deny tcp from <ip> to <localhost> <port>


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`

[Init]
# Option:  port
# Notes.:  specifies port to monitor, as for me, it not understand http and https, I wrote port number
# Values:  [ NUM | STRING ]
#
port = 80

# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP
#
localhost = 127.0.0.1 10.0.0.1

And check

Code: Select all

$ ipfw list
00100 deny tcp from 10.0.0.4 to 10.0.0.1 dst-port 80
65535 allow ip from any to any
The web interface is banned too!!! I need to study how to get logging running in owncloud.
As a result, I add to /usr/local/etc/fail2ban/jail.conf

Code: Select all

[Owncloud]
enabled  = true
action   = owncloud[localhost=10.0.0.1]
filter   = owncloud
logpath  = /var/log/owncloud/auth.log
maxretry = 3
Create the filter and add the action

#10

Post by alexey123 » 13 Feb 2013 10:35

I checked the "hackers" posts and began to cry.
What do they protect??? Can't they read php? They add lines to

Code: Select all

 protected static function tryFormLogin() {
		if(!isset($_POST["user"]) || !isset($_POST['password'])) {
If the username is not typed and the password is not typed, they write to the log. But owncloud has javascript which checks these values, and php does not receive them!!!!! Only on the first connect!!
Children.
My idea:
edit /lib/user/database.php. Find in it public function checkPassword( $uid, $password )
check the line
if($row) { blablabla }
else{
    $today = new DateTime();
    // insert the correct value for 'Region/Town', the same as the nas4free setting!!!
    date_timezone_set($today, timezone_open('Region/Town'));
    $IPClient = $_SERVER['REMOTE_ADDR'];
    $logAuth = fopen('/var/log/owncloud/auth.log', 'a+');
    fputs($logAuth, date_format($today, 'Y/m/d H:i:s') . " \tWebform Login" . " Username/Password failed for: \t" . $IPClient . "\n");
    fclose($logAuth);
    return false;
}
As a result
Image

I attached to the post a file with my repaired function, called check_password.inc
The file /var/log/owncloud/auth.log needs to have permissions 666

#11

Post by alexey123 » 06 Sep 2013 21:55

I use fail2ban inside a jail to protect my server.
First, I create one jail, named www, which will work with internet users.
I add a user in the group wheel via the dialog and give the user the shell sh

Code: Select all

jexec www adduser
Now I start an SSH server in the jail. I need to define a listen address for the main NAS4Free SSH server; it listens on all addresses by default. I add the value ListenAddress 10.0.0.1 on the extra options screen
Image
Then I go into the jail's /etc/ssh folder and rename sshd_config to sshd_config_orig. Then simply copy

Code: Select all

cp /var/etc/ssh/sshd_config /mnt/disk/app/thebrig/www/etc/ssh/
I do not allow direct root access to the jail because I don't want to create a password for the jail's root. I also define the listen address as the jail's IP address
SyslogFacility AUTH
LogLevel INFO
Protocol 2
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
ChallengeResponseAuthentication no
Port 22
PermitRootLogin no
AllowTcpForwarding no
PasswordAuthentication yes
PubkeyAuthentication yes
ListenAddress 10.0.0.21
Then I add the value sshd_enable="YES" to the jail's /etc/rc.conf

Code: Select all

echo 'sshd_enable="YES"' >> /mnt/disk/app/thebrig/www/etc/rc.conf
Then start the SSH server

Code: Select all

jexec www /etc/rc.d/sshd start
and check the connection. It should work. In my case everything works and I connect to the jail over SSH. All commands below I execute inside the jail!
The first command is su

Code: Select all

$ su
root@www:/usr/home/alexey
Now I install fail2ban in the jail

Code: Select all

pkg_add -r  py27-fail2ban
When it is installed I create a folder for the fail2ban pid and sock files

Code: Select all

mkdir /var/run/fail2ban
and edit the /etc/rc.conf line for syslog

Code: Select all

syslogd_flags="-ss -cc"

This line prevents syslog from grouping messages and writing "Last message repeated 150 times" to the log.
The jail cannot send commands to the main firewall. To get a result I install the small utility wait_on

Code: Select all

pkg_add -r wait_on
and create, under my application folder /mnt/data/app, a small script named fail2banner and give it permissions 755

Code: Select all

#!/bin/csh  
start:
set FILE1=/mnt/disk/app/thebrig/www/tmp/fail2ban
/mnt/disk/app/thebrig/www/usr/local/bin/wait_on -w $FILE1
sh /mnt/disk/app/thebrig/www/tmp/fail2ban
sleep 2
goto start
Replace the paths in the commands to run it on your server.
This script watches the file named fail2ban under the jail's /tmp folder and, when the file changes, runs it.

I have a small daemon. To start and stop it I use a second script named f2banner, and make it executable as well

Code: Select all

#!/bin/sh
# f2banner
#
. /etc/rc.subr

name=fail2banner
pidfile="/var/run/${name}.pid"
command="/mnt/disk/app/$name"

killproc() {
   pid=`/bin/ps ax | grep -w ${name} | grep -v grep | awk '{print$1}'`
   echo "Stopping $1 now."
   [ "$pid" != "" ] && kill -15 $pid
   rm ${pidfile}
   echo $pid
}
# Start/stop processes 
case "$1" in
  'start')
	pid=`/bin/ps ax | grep -w ${name} | grep -v grep | awk '{print$1}'`
	if [ -n "${pid}" ]; then
		echo "${name} already running? (pid=${pid})."
		return 1
	fi
	echo -n "Starting ${name} "
	${command} start &
	echo `ps -ax | grep fail2banner | grep -v grep | awk '{print $1}'`
	echo `ps -ax | grep fail2banner | grep -v grep | awk '{print $1}'` > ${pidfile}
		  ;;
  'stop')
	 killproc fail2banner
	  ;;
  'status')
	pid=`/bin/ps ax | grep -w ${name} | grep -v grep | awk '{print$1}'`
		echo $pid
		;;
   'restart')
   killproc fail2banner
	${command} start &
	echo `/bin/ps ax | grep -w ${name} | grep -v grep | awk '{print$1}'` > ${pidfile}
        ;;
  *)
	  echo "Usage: $0 [ start | stop | restart | status]"
	  ;;
esac
Attention: you need to replace the path in the string command="/mnt/disk/app/$name" for your nas
To run the script when my server starts and stop it on shutdown, I add the command to the System|Advanced|Command scripts page
Image

#12

Post by alexey123 » 06 Sep 2013 22:07

Then I edit the config files placed under the /usr/local/etc/fail2ban folder.
In the file /usr/local/etc/fail2ban/jail.conf I find the ssh-ipfw section and edit it. I marked the edited values in red; 10.0.0.1 is the NAS4Free main server, 10.0.0.21 is the jail www
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw[localhost=10.0.0.21]
logpath = /var/log/auth.log
ignoreip = 10.0.0.1
I also edit /usr/local/etc/fail2ban/action.d/ipfw.conf
I find the lines for ban and unban and change them

Code: Select all

actionban = echo "ipfw add deny tcp from <ip> to <localhost> <port>" > /tmp/fail2ban

Code: Select all

actionunban = echo "ipfw delete \`ipfw list | grep -i <ip> | awk '{print \$1;}'\`" > /tmp/fail2ban
In this case fail2ban will write the command for the main NAS4Free server to a file, which my scripts will use.
Add a line to /etc/rc.conf

Code: Select all

echo 'fail2ban_enable="YES"' >> /etc/rc.conf
and start fail2ban

Code: Select all

/usr/local/etc/rc.d/fail2ban start
It should work.
But I also want to protect my webserver from hackers. As an example I will use the popular CMS owncloud, ver 5.0.10. I use fsbruva's script, just replacing owncloud version 5.0.6 with 5.0.10
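The relay described in posts #11 and #12 has the host run, through sh, whatever text is present in the jail's /tmp/fail2ban, and the unban command selects rules with a substring grep. The following is an added example, not code from the thread: a host-side parser that accepts only the two command shapes produced by the actionban and actionunban lines above and picks rules to delete by exact source address. It assumes Python is available on the host; the function names, the check that the destination equals the jail address, and the sample rule list are constructed for illustration.

```python
"""Host-side validation for the jail -> host ban relay (added example)."""
import ipaddress
import re

# Shapes produced by the page's actionban / actionunban lines once fail2ban
# has substituted <ip>, <localhost> and <port>.
BAN_RE = re.compile(r"ipfw add deny tcp from (\S+) to (\S+) (.+)")
UNBAN_RE = re.compile(
    r"ipfw delete `ipfw list \| grep -i (\S+) \| awk '\{print \$1;\}'`")
RULE_RE = re.compile(r"^(\d+)\s+deny\s+tcp\s+from\s+(\S+)\s+to\s")
PORT_NAMES = {"ssh", "http", "https"}  # service names used on the page

# Constructed sample of `ipfw list` output, in the format shown in post #9.
SAMPLE_RULES = """\
00100 deny tcp from 10.0.0.2 to 10.0.0.21 dst-port 22
00200 deny tcp from 10.0.0.4 to 10.0.0.21 dst-port 443
00300 deny tcp from 10.0.0.25 to 10.0.0.21 dst-port 80
65535 allow ip from any to any
"""


def _ipv4(text):
    """Return the canonical dotted quad, or None if text is not IPv4."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        return None


def _ports(field):
    """Accept '443', 'ssh' or 'http https ssh'; reject anything else."""
    ports = [p for p in re.split(r"[ ,]+", field.strip()) if p]
    for p in ports:
        if p in PORT_NAMES:
            continue
        if not (re.fullmatch(r"[0-9]{1,5}", p) and 1 <= int(p) <= 65535):
            return None
    return ports or None


def parse_request(line, jail_ip):
    """Parse one request line; return a tuple, or None if it is not allowed."""
    line = line.rstrip("\n")
    m = BAN_RE.fullmatch(line)
    if m:
        src, dst = _ipv4(m.group(1)), _ipv4(m.group(2))
        ports = _ports(m.group(3))
        # Assumption: the host only accepts bans that protect the jail itself.
        if src and dst == jail_ip and ports:
            return ("ban", src, dst, tuple(ports))
        return None
    m = UNBAN_RE.fullmatch(line)
    if m and _ipv4(m.group(1)):
        return ("unban", _ipv4(m.group(1)))
    return None


def rules_for_source(ipfw_list_text, ip):
    """Rule numbers whose source address is exactly ip."""
    rules = []
    for line in ipfw_list_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == ip:
            rules.append(int(m.group(1)))
    return rules


def grep_style_rules(ipfw_list_text, ip):
    """What `grep -i <ip>` selects: substring match, '.' matches any char."""
    return [int(line.split()[0]) for line in ipfw_list_text.splitlines()
            if re.search(ip, line, re.I)]


def to_argv(req, ipfw_list_text=""):
    """Argument lists for subprocess.run(argv), so no shell is involved."""
    if req[0] == "ban":
        _, src, dst, ports = req
        return [["ipfw", "add", "deny", "tcp", "from", src, "to", dst,
                 ",".join(ports)]]
    return [["ipfw", "delete", str(n)]
            for n in rules_for_source(ipfw_list_text, req[1])]


if __name__ == "__main__":
    unban = "ipfw delete `ipfw list | grep -i 10.0.0.2 | awk '{print $1;}'`"
    print(parse_request(unban, "10.0.0.21"))
    print("grep would delete:", grep_style_rules(SAMPLE_RULES, "10.0.0.2"))
    print("exact match deletes:", rules_for_source(SAMPLE_RULES, "10.0.0.2"))
```

With the sample rule list, unbanning 10.0.0.2 by substring also selects the rules for 10.0.0.4 and 10.0.0.25, because every rule contains the jail address 10.0.0.21.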


#13

Post by alexey123 » 06 Sep 2013 22:08

Protect owncloud against bruteforce attacks
By default owncloud does not have any access log, but 2 posts before I wrote how to create the log. I attach the full file; extract it and replace the original in the folder /usr/local/www/owncloud/lib/user/
I replaced only public function checkPassword( $uid, $password )
Edit the config files. In the file /usr/local/etc/fail2ban/jail.conf add the next entry

Code: Select all

[owncloud]
enabled  = true
action   = owncloud[localhost=10.0.0.21]
filter   = owncloud
logpath  = /var/log/owncloud/auth.log
maxretry = 3
Create a new file /usr/local/etc/fail2ban/filter.d/owncloud.conf with this content (thank you to the owncloud user)

Code: Select all

# /usr/local/etc/fail2ban/filter.d/owncloud.conf
#
# Fail2Ban configuration file
# By Anthony25 and Malekith25
# Owncloud
# Edited by Alexey

[Definition]
# Option: failregex
# Filter Ban in /var/log/owncloud/auth.log
failregex = <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Create a new file /usr/local/etc/fail2ban/action.d/owncloud.conf. The same as for the SSH server, fail2ban will send the command via the file /tmp/fail2ban

Code: Select all

# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Alexey Kruglov
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = echo "ipfw add deny tcp from <ip> to <localhost> <port>" > /tmp/fail2ban


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = echo "ipfw delete \`ipfw list | grep -i <ip> | awk '{print \$1;}'\`" > /tmp/fail2ban

[Init]
# Option:  port
# Notes.:  specifies port to monitor, as for me, it not understand http and https, I wrote port number
# Values:  [ NUM | STRING ]
#
port = 443

# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP
#
localhost = 127.0.0.1 10.0.0.21
ATTENTION: I use the standard port 443 for owncloud; you need to replace the port number and the localhost IP
Restart fail2ban

Code: Select all

/usr/local/etc/rc.d/fail2ban restart
and check how it works with a wrong password

#14

Post by alexey123 » 06 Sep 2013 23:24

Sometimes webserver logs contain error entries like this
Image
What is it doing?
The first part, index.php?blbla_bla&second_bla, causes an error in the php engine, then the second part
../../../../../
does a cd to the root folder /, and the third part
/proc/self/environ%0000
creates a second root.
I always ban the IP via the /etc/host file, not the firewall, when I detect such an attack. But it is very difficult to trace such attacks :evil: Therefore, let fail2ban deal with them; I'll just have to watch its log, which is significantly smaller than the webserver log. Lighttpd has access.log, placed in the /var/log/lighttpd folder. I'll teach fail2ban how to watch it
1. In the file /usr/local/etc/fail2ban/jail.conf add the next entry

Code: Select all

[lighttpd-access]
enabled = true
action   = lighttpd-access[localhost=10.0.0.21]
filter  = lighttpd-access
# adapt the following two items as needed
logpath = /var/log/lighttpd/access.log
maxretry = 2
2. Create a new file /usr/local/etc/fail2ban/filter.d/lighttpd-access.conf with this content

Code: Select all

# Fail2Ban configuration file
# lighttpd access.log protect against hack  2-nd root creation
# Author: Alexey Kruglov
# Version 

[Definition]
# Option:  failregex
# Notes.:  regex to match this kind of request:
#
# 1.2.3.4 10.0.0.21 - [06/Sep/2013:20:03:17 +0300] "GET /index.php?option=com_jfeedback&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 200 2721 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) 
# Gecko/20100101 Firefox/11.0"

failregex = ^<HOST> .+"(GET).*(htt\w*\:\/\/.*\=\.+\/\.+\/.+\/(proc)\/(self)\/.+$)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
3. Create a new file /usr/local/etc/fail2ban/action.d/lighttpd-access.conf. The same as for the SSH server and owncloud, fail2ban will send the command via the file /tmp/fail2ban

Code: Select all

# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Alexey Kruglov
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = echo "ipfw add deny tcp from <ip> to <localhost> <port>" > /tmp/fail2ban


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = echo "ipfw delete \`ipfw list | grep -i <ip> | awk '{print \$1;}'\`" > /tmp/fail2ban

[Init]

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]
#
port = http https ssh

# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP
#
localhost = 10.0.0.21
ATTENTION: I ban all ports: http, https, ssh. Please use as you want. Also replace the localhost IP
Restart fail2ban

Code: Select all

/usr/local/etc/rc.d/fail2ban restart
and check how it works.
For me it works. My fail2ban log

Code: Select all

2013-09-06 13:55:54,943 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-09-06 13:55:54,949 fail2ban.jail   : INFO   Creating new jail 'ssh-ipfw'
2013-09-06 13:55:54,951 fail2ban.jail   : INFO   Jail 'ssh-ipfw' uses poller
2013-09-06 13:55:55,024 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-09-06 13:55:55,026 fail2ban.filter : INFO   Set maxRetry = 3
2013-09-06 13:55:55,029 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 13:55:55,031 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 13:55:55,160 fail2ban.jail   : INFO   Jail 'ssh-ipfw' started
2013-09-06 14:51:07,831 fail2ban.actions: WARNING [ssh-ipfw] Ban 10.0.0.2
2013-09-06 14:54:28,715 fail2ban.actions: WARNING [ssh-ipfw] Unban 10.0.0.2
2013-09-06 14:57:28,915 fail2ban.actions: WARNING [ssh-ipfw] Ban 10.0.0.2
2013-09-06 14:59:13,796 fail2ban.actions: WARNING [ssh-ipfw] 10.0.0.2 already banned
2013-09-06 15:00:48,959 fail2ban.actions: WARNING [ssh-ipfw] Unban 10.0.0.2
2013-09-06 15:02:15,065 fail2ban.actions: WARNING [ssh-ipfw] Ban 10.0.0.2
2013-09-06 15:05:35,905 fail2ban.actions: WARNING [ssh-ipfw] Unban 10.0.0.2
2013-09-06 15:14:05,434 fail2ban.actions: WARNING [ssh-ipfw] Ban 10.0.0.2
2013-09-06 15:17:26,388 fail2ban.actions: WARNING [ssh-ipfw] Unban 10.0.0.2
2013-09-06 18:49:56,154 fail2ban.actions: WARNING [ssh-ipfw] Ban 10.0.0.2
2013-09-06 18:53:17,141 fail2ban.actions: WARNING [ssh-ipfw] Unban 10.0.0.2
2013-09-06 19:04:20,798 fail2ban.server : INFO   Stopping all jails
2013-09-06 19:04:20,988 fail2ban.jail   : INFO   Jail 'ssh-ipfw' stopped
2013-09-06 19:04:20,990 fail2ban.server : INFO   Exiting Fail2ban
2013-09-06 19:12:42,389 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-09-06 19:12:42,391 fail2ban.jail   : INFO   Creating new jail 'ssh-ipfw'
2013-09-06 19:12:42,392 fail2ban.jail   : INFO   Jail 'ssh-ipfw' uses poller
2013-09-06 19:12:42,427 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-09-06 19:12:42,429 fail2ban.filter : INFO   Set maxRetry = 3
2013-09-06 19:12:42,432 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 19:12:42,434 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 19:12:42,539 fail2ban.jail   : INFO   Creating new jail 'Owncloud'
2013-09-06 19:12:42,541 fail2ban.jail   : INFO   Jail 'Owncloud' uses poller
2013-09-06 19:12:42,544 fail2ban.filter : INFO   Added logfile = /var/log/owncloud/auth.log
2013-09-06 19:12:42,546 fail2ban.filter : INFO   Set maxRetry = 3
2013-09-06 19:12:42,548 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 19:12:42,550 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 19:12:42,568 fail2ban.jail   : INFO   Jail 'ssh-ipfw' started
2013-09-06 19:12:42,605 fail2ban.jail   : INFO   Jail 'Owncloud' started
2013-09-06 19:13:25,887 fail2ban.actions: WARNING [Owncloud] Ban 10.0.0.2
2013-09-06 19:16:46,108 fail2ban.actions: WARNING [Owncloud] Unban 10.0.0.2
2013-09-06 21:16:24,067 fail2ban.server : INFO   Stopping all jails
2013-09-06 21:16:24,522 fail2ban.jail   : INFO   Jail 'ssh-ipfw' stopped
2013-09-06 21:16:25,432 fail2ban.jail   : INFO   Jail 'Owncloud' stopped
2013-09-06 21:16:25,434 fail2ban.server : INFO   Exiting Fail2ban
2013-09-06 21:17:54,164 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-09-06 21:17:54,166 fail2ban.jail   : INFO   Creating new jail 'ssh-ipfw'
2013-09-06 21:17:54,167 fail2ban.jail   : INFO   Jail 'ssh-ipfw' uses poller
2013-09-06 21:17:54,201 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-09-06 21:17:54,203 fail2ban.filter : INFO   Set maxRetry = 3
2013-09-06 21:17:54,206 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 21:17:54,208 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 21:17:54,314 fail2ban.jail   : INFO   Creating new jail 'owncloud'
2013-09-06 21:17:54,315 fail2ban.jail   : INFO   Jail 'owncloud' uses poller
2013-09-06 21:17:54,318 fail2ban.filter : INFO   Added logfile = /var/log/owncloud/auth.log
2013-09-06 21:17:54,320 fail2ban.filter : INFO   Set maxRetry = 3
2013-09-06 21:17:54,323 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 21:17:54,324 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 21:17:54,339 fail2ban.jail   : INFO   Creating new jail 'lighttpd-access'
2013-09-06 21:17:54,340 fail2ban.jail   : INFO   Jail 'lighttpd-access' uses poller
2013-09-06 21:17:54,343 fail2ban.filter : INFO   Added logfile = /var/log/lighttpd/access.log
2013-09-06 21:17:54,345 fail2ban.filter : INFO   Set maxRetry = 2
2013-09-06 21:17:54,347 fail2ban.filter : INFO   Set findtime = 100
2013-09-06 21:17:54,349 fail2ban.actions: INFO   Set banTime = 200
2013-09-06 21:17:54,368 fail2ban.jail   : INFO   Jail 'ssh-ipfw' started
2013-09-06 21:17:54,388 fail2ban.jail   : INFO   Jail 'owncloud' started
2013-09-06 21:17:54,398 fail2ban.jail   : INFO   Jail 'lighttpd-access' started
2013-09-06 21:18:10,510 fail2ban.actions: WARNING [lighttpd-access] Ban 10.0.0.2
2013-09-06 21:21:30,731 fail2ban.actions: WARNING [lighttpd-access] Unban 10.0.0.2
2013-09-07 00:00:14,384 fail2ban.actions: WARNING [lighttpd-access] Ban 10.0.0.2
2013-09-07 00:03:34,602 fail2ban.actions: WARNING [lighttpd-access] Unban 10.0.0.2

dundermiflin
Starter
Starter
Posts: 30
Joined: 12 Oct 2013 14:11
Status: Offline

Re: [HowTo] Fail2ban install to Nas4free

#15

Post by dundermiflin » 13 Oct 2013 19:02

When will this occur?

This script will check file named fail2ban under jail's /tmp folder and when file changed will run it

When I execute this script this is what I get:
nas4free: app # ./fail2banner
wait_on: can't open "/mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban" for reading: No such file or directory
cannot open /mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban: No such file or directory
wait_on: can't open "/mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban" for reading: No such file or directory
cannot open /mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban: No such file or directory
It is obvious I don't have that file, but that file, I think, is created automatically by one of your scripts

More details:

It seems to only LOG the su command

When I try to ssh from another PC, or even in a terminal from the Nas4Free primary IP, I didn't see any changes in auth.log:
Oct 8 16:17:30 Fail2Ban newsyslog[29813]: logfile first created
Oct 8 16:40:20 Fail2Ban su: pepito to root on /dev/pts/1
Oct 9 10:18:21 Fail2Ban su: pepito to root on /dev/pts/1
Oct 12 14:28:53 Fail2Ban su: pepito to root on /dev/pts/0
Oct 13 18:50:05 Fail2Ban su: pepito to root on /dev/pts/1
Oct 13 19:24:10 Fail2Ban su: pepito to root on /dev/pts/0


Re: [HowTo] Fail2ban install to Nas4free

#16

Post by alexey123 » 14 Oct 2013 06:48

dundermiflin, check manually whether the file /mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban is present.
The message
wait_on: can't open "/mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban" for reading: No such file or directory
says it is not present.
This file is first created when fail2ban finds a wrong access; see the fail2ban rule action:

Code: Select all

actionban = echo "ipfw add deny tcp from <ip> to <localhost> <port>" > /tmp/fail2ban
When the ban condition is present, fail2ban creates the file and writes into it the command for the main server,
so you need to connect to the jail with a wrong password and check the file.

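The hand-off described in post #16 has the jail write an ipfw command into a file that a daemon on the main server then runs, so the host side should treat that file as untrusted input. An added example (not alexey123's f2banner script): a hypothetical `build_ban_rule` function that accepts only the line shape of the actionban above and rebuilds the command from validated fields. The function names, the accepted `me`/`any` destinations and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate the ban line handed over by the jail before the
# host acts on it. Expected shape, from the actionban in this thread:
#   ipfw add deny tcp from <ip> to <localhost> <port>

# is_ipv4 ADDR -> status 0 if ADDR is a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ban_rule LINE -> prints a rebuilt ipfw command, or returns 1
build_ban_rule() {
    set -f                       # no filename expansion while splitting
    set -- $1
    set +f
    [ "$#" -eq 9 ] || return 1
    [ "$1 $2 $3 $4 $5 $7" = "ipfw add deny tcp from to" ] || return 1
    src=$6 dst=$8 port=$9
    is_ipv4 "$src" || return 1
    case "$dst" in
        me|any) ;;               # assumption: <localhost> may be an ipfw keyword
        *) is_ipv4 "$dst" || return 1 ;;
    esac
    case "$port" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$port" -le 65535 ] || return 1
    # Rebuild from validated fields; the raw line is never executed.
    printf 'ipfw add deny tcp from %s to %s %s\n' "$src" "$dst" "$port"
}

# Constructed sample lines, as they could appear in <jail>/tmp/fail2ban.
while IFS= read -r sample; do
    if rule=$(build_ban_rule "$sample"); then
        echo "accept: $rule"
    else
        echo "reject: $sample"
    fi
done <<'EOF'
ipfw add deny tcp from 10.0.0.2 to 10.0.0.1 22
ipfw add deny tcp from 10.0.0.2 to me 22; id
ipfw add allow tcp from any to me 22
ipfw add deny tcp from 10.0.0.999 to me 22
EOF
```

Only the first sample line is accepted; the host would run the rebuilt string, so anything a compromised jail appends to the file never reaches a root shell.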

Re: [HowTo] Fail2ban install to Nas4free

#17

Post by dundermiflin » 14 Oct 2013 10:13

alexey123 wrote: dundermiflin, check manually whether the file /mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban is present.
The message
wait_on: can't open "/mnt/JANGINA/JAILS/Fail2Ban/tmp/fail2ban" for reading: No such file or directory
says it is not present.
This file is first created when fail2ban finds a wrong access; see the fail2ban rule action:

Code: Select all

actionban = echo "ipfw add deny tcp from <ip> to <localhost> <port>" > /tmp/fail2ban
When the ban condition is present, fail2ban creates the file and writes into it the command for the main server,
so you need to connect to the jail with a wrong password and check the file.

I did, but it seems like wrong SSH logins are not logged anywhere...
The only change I see in auth.log is when I'm already logged in to the jail (ssh 192.168.1.224 -l pepito) and type the "su" command... then it writes a line in auth.log, but I can't see my wrong password attempts anywhere


Re: [HowTo] Fail2ban install to Nas4free

#18

Post by alexey123 » 14 Oct 2013 11:46

In my case everything works; I tried to connect with faulty auth and got a ban
Oct 14 11:14:37 omega sshd[12889]: Invalid user vvv from 10.0.0.4
Oct 14 11:14:39 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:39 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:41 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:41 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:43 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:43 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:45 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:45 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:48 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:48 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:49 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:49 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:28:19 omega sshd[13585]: Accepted keyboard-interactive/pam for alexey from 10.0.0.4 port 1562 ssh2
Oct 14 11:28:22 omega su: alexey to root on /dev/pts/3
After the unban I connected successfully.
Check your install.
Jail:
1. /etc/ssh/sshd_config must be properly configured
2. Check the entries in /etc/rc.conf; it must have

Code: Select all

fail2ban_enable="YES"
syslogd_flags="-ss -cc"
3. Check the fail2ban configs
4. Check whether fail2ban is running

Code: Select all

/usr/local/etc/rc.d/fail2ban status
5. Check wait_on

Code: Select all

 which wait_on
Answer: /usr/local/bin/wait_on
Main server
1. Check the main ssh server's listen address
2. Check the daemon. In my case

Code: Select all

/mnt/disk/app/f2banner status
Answer is daemon pid : - 12048

Re: [HowTo] Fail2ban install to Nas4free

#19

Post by dundermiflin » 14 Oct 2013 15:07

alexey123 wrote: In my case everything works; I tried to connect with faulty auth and got a ban
Oct 14 11:14:37 omega sshd[12889]: Invalid user vvv from 10.0.0.4
Oct 14 11:14:39 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:39 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:41 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:41 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:43 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:43 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:45 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:45 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:48 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:48 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:14:49 omega sshd[12889]: error: PAM: authentication error for illegal user vvv from 10.0.0.4
Oct 14 11:14:49 omega sshd[12889]: Failed keyboard-interactive/pam for invalid user vvv from 10.0.0.4 port 1492 ssh2
Oct 14 11:28:19 omega sshd[13585]: Accepted keyboard-interactive/pam for alexey from 10.0.0.4 port 1562 ssh2
Oct 14 11:28:22 omega su: alexey to root on /dev/pts/3
After the unban I connected successfully.
As I said, my auth.log (/var/log/auth.log) only shows when I do "su" from the terminal... I can't see any other activity, failed logins or correct logins...
Check your install.
Jail:
1. /etc/ssh/sshd_config must be properly configured
2. Check the entries in /etc/rc.conf; it must have

Code: Select all

fail2ban_enable="YES"
syslogd_flags="-ss -cc"
all checked
sshd listen address 192.168.1.224
3. Check the fail2ban configs
4. Check whether fail2ban is running

Code: Select all

/usr/local/etc/rc.d/fail2ban status
5. Check wait_on

Code: Select all

 which wait_on
Answer: /usr/local/bin/wait_on
all checked; for wait_on I used "whereis" instead of "which" and I got the full path to the binary and man pages
Main server
1. Check the main ssh server's listen address
2. Check the daemon. In my case

Code: Select all

/mnt/disk/app/f2banner status
Answer is daemon pid : - 12048
f2banner is running, pid 10456, and ssh is configured (listen 192.168.1.222, main server IP)

Summary:

Code: Select all

Main Server 192.168.1.222 ssh port above 50000
jail fail2ban 192.168.1.224 ssh port 22
router doing NAT to DMZ 192.168.1.222
So, when I ssh from the internet I am really logging into the main server

All I want is to protect the main server from the multiple attacks I'm having, and leave the SSH of the main server on its original port 22 (now it is above 50000 to prevent attackers), banning the offending IP when attacked

Please help !!


Re: [HowTo] Fail2ban install to Nas4free

#20

Post by dundermiflin » 16 Oct 2013 10:02

Please, alexey... can you read my last post and tell me if I'm doing something wrong?

P.S.: I know it is a mess to look through a huge amount of data, logs and IPs, but I really need some help to avoid attacks on my servers and I'm unable to see where I'm missing something


Re: [HowTo] Fail2ban install to Nas4free

#21

Post by dundermiflin » 07 Feb 2014 20:36

I give up... I tried several times, checked your instructions one by one, checked my paths over and over, my jail names, file names... everything over and over... and still can't make it work

laster13
PowerUser
PowerUser
Posts: 996
Joined: 01 Jun 2013 19:15
Location: France-Marseille
Status: Offline

Re: [HowTo] Fail2ban install to Nas4free

#22

Post by laster13 » 11 Nov 2014 21:21

Hi
I was write how to ( It was work on my working server, but when I wrote howto, I make small error, try to find where is error)
I have found error :)

postinit and shutdown f2ban instead f2banner ;)

Thank you very much for your "howto"; it works perfectly with owncloud but not with SSH.

The file /var/log/auth.log doesn't register log errors... why?

Code: Select all

Nov 11 17:01:22 owncloud su: patrick to root on /dev/pts/0
Nov 11 17:48:20 owncloud su: patrick to root on /dev/pts/0
owncloud is the name of my jail

Sorry for my bad english


Re: [HowTo] Fail2ban install to Nas4free

#23

Post by alexey123 » 11 Nov 2014 21:36

laster13 wrote: The file /var/log/auth.log doesn't register log errors... why?
OK, but I also found an error.
I made a mistake in /etc/ssh/sshd_config

section LOG
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH <---- must be uncommented instead of the nas4free scheme SyslogFacility LOCAL3
LogLevel INFO <---- must be uncommented also

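Post #23 traces the missing auth.log entries to sshd logging to facility LOCAL3 (the nas4free scheme) instead of AUTH. An added example, not from the thread: a hypothetical `sshd_effective` helper that resolves the value sshd will actually use for a keyword (first uncommented occurrence, otherwise the built-in default), and an `auth_log_check` built on it, run against constructed config text. That the jail's syslog.conf routes facility auth at level info to /var/log/auth.log is an assumption.

```shell
#!/bin/sh
# Added example: check why failed SSH logins never reach /var/log/auth.log.
# sshd uses the FIRST uncommented occurrence of a keyword (names are
# case-insensitive) and otherwise its built-in default.

# sshd_effective CONFIG_TEXT KEYWORD DEFAULT -> value sshd would use
sshd_effective() {
    printf '%s\n' "$1" | awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        tolower($1) == "match" { exit }      # global section only
        tolower($1) == want { value = $2; found = 1; exit }
        END { print (found ? value : dflt) }
    '
}

# auth_log_check CONFIG_TEXT -> prints findings; status 1 if there are any
auth_log_check() {
    findings=0
    fac=$(sshd_effective "$1" SyslogFacility AUTH | tr 'a-z' 'A-Z')
    lvl=$(sshd_effective "$1" LogLevel INFO | tr 'a-z' 'A-Z')
    if [ "$fac" != "AUTH" ]; then
        echo "SyslogFacility is $fac: sshd does not log to facility AUTH"
        findings=1
    fi
    case "$lvl" in
        QUIET|FATAL|ERROR)
            echo "LogLevel is $lvl: failed logins (logged at INFO) are dropped"
            findings=1 ;;
    esac
    if [ "$findings" -eq 0 ]; then
        echo "OK: SyslogFacility $fac, LogLevel $lvl"
    fi
    return "$findings"
}

# Constructed config fragments: NAS_CFG follows the nas4free scheme named in
# post #23, FIXED_CFG is the corrected Logging section from the same post.
NAS_CFG='# Logging
#SyslogFacility AUTH
SyslogFacility LOCAL3
#LogLevel INFO'
FIXED_CFG='# Logging
SyslogFacility AUTH
LogLevel INFO'

for cfg in "$NAS_CFG" "$FIXED_CFG"; do
    if auth_log_check "$cfg"; then :; fi
    echo "--"
done
```

On a real jail, pass the file contents, for example `auth_log_check "$(cat /etc/ssh/sshd_config)"`, and restart sshd after changing the Logging section.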

Re: [HowTo] Fail2ban install to Nas4free

#24

Post by laster13 » 12 Nov 2014 08:11

Yesss!! It works perfectly

Just a question... is it possible to install fail2ban outside the jail?

Thank you


Re: [HowTo] Fail2ban install to Nas4free

#25

Post by alexey123 » 12 Nov 2014 09:54

laster13 wrote: Just a question... is it possible to install fail2ban outside the jail?
Thank you
It is possible with the full version; I put a link to my install in the first post. But why do you need it?
If you use a jail for owncloud, you need fail2ban running in the same jail

Re: Re : [HowTo] Fail2ban install to Nas4free

#26

Post by laster13 » 12 Nov 2014 10:51

Yes, but I write howtos for the French community, and some people install MySQL and phpMyAdmin outside a jail... in the full version...

So in the full version it is possible... Perfect :)


Re: [HowTo] Fail2ban install to Nas4free

#27

Post by raulfg3 » 28 Jun 2017 12:42

Hello Alexey, I find Fail2Ban really useful, but for use on N4F a minimal webGUI must be considered.

Would you consider writing a small plugin to install & configure fail2ban from the webGUI?

Re: [HowTo] Fail2ban install to Nas4free

#28

Post by alexey123 » 28 Jun 2017 14:49

I'll inspect the fail2ban framework today.

Re: [HowTo] Fail2ban install to Nas4free

#29

Post by raulfg3 » 28 Jun 2017 16:06

Thanks a lot