Fail2ban in a Jail to secure ownCloud-Server

Posted: 26 Oct 2014 17:59
by Ganimed
Hello,

I have installed ownCloud 7.0.2 in its own jail as described in viewtopic.php?f=79&t=1565.
To protect the ownCloud server against brute-force password attacks, I've additionally installed Fail2ban in the jail.
For the installation and configuration I used the following guides:

http://www.rojtberg.net/711/secure-owncloud-server/ and
https://forums.freenas.org/index.php?th ... ail.19216/

To configure Fail2ban for ownCloud I used mainly the instructions of the second link above.

First I edited owncloud/config/config.php and added the following lines:

'forcessl' => true,
'loglevel' => '2',
'logtimezone' => '<timezone>',
'log_authfailip' => true,
The correct time zone can be found at http://php.net/manual/en/timezones.php

Afterwards, in the jail, I added the following lines (the last 3 lines) to /etc/rc.conf:

sendmail_enable="NONE"
syslogd_flags="-ss"
rpc_bind="NO"
network_interfaces=""
cron_flags="$cron_flags -J 15"

mysql_enable="YES"
lighttpd_enable="YES"

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
fail2ban_enable="YES"
and created the file ipfw.rules under /usr/local/etc with the lines

#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"

# Loopback Interface
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag

# Stateful connections
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any

# Firewall rule used by Fail2Ban to block traffic
$cmd 90 deny all from 'table(1)' to any

# Allow access to public DNS (53),
# http (80), https (443) and port 81:
$cmd 150 allow tcp from any to any 443 in
$cmd 160 allow tcp from any to any 443 out
$cmd 170 allow udp from any to any 53 in
$cmd 175 allow tcp from any to any 53 in
$cmd 180 allow udp from any to any 53 out
$cmd 185 allow tcp from any to any 53 out
$cmd 200 allow tcp from any to any 80 in
$cmd 210 allow tcp from any to any 80 out
$cmd 220 allow tcp from any to any 81 in
$cmd 230 allow tcp from any to any 81 out

# Deny and log all other connections
$cmd 500 deny log all from any to any
Then I created the file jail.local under /usr/local/etc/fail2ban with

[owncloud]
enabled  = true
filter   = owncloud
action   = ipfw-owncloud
port     = http,https,81
protocol = tcp
logpath  = /mnt/vdevs_pool/owncloud/data/owncloud.log
maxretry = 3
and the filter definition file owncloud.conf in /usr/local/etc/fail2ban/filter.d with the following lines (works only with ownCloud v7.0.2):

[Definition]
failregex   = {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}
ignoreregex =
In action.d I then copied ipfw.conf to ipfw-owncloud.conf and changed the lines for "actionban" and "actionunban" there to

actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>
Finally I restarted all relevant services

service lighttpd restart
service fail2ban restart
service ipfw restart
and tested the configuration by entering a wrong password more than 3 times on the ownCloud web page.
Fail2ban works, but I got the following error messages in /var/log/fail2ban.log (highlighted in red):
2014-10-10 10:12:44,614 fail2ban.server.server[35189]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-10-10 10:12:44,622 fail2ban.server.database[35189]: INFO Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2014-10-10 10:12:44,649 fail2ban.server.jail[35189]: INFO Creating new jail 'owncloud'
2014-10-10 10:12:44,654 fail2ban.server.jail[35189]: INFO Jail 'owncloud' uses poller
2014-10-10 10:12:44,771 fail2ban.server.filter[35189]: INFO Set jail log file encoding to US-ASCII
2014-10-10 10:12:44,772 fail2ban.server.jail[35189]: INFO Initiated 'polling' backend
2014-10-10 10:12:44,929 fail2ban.server.filter[35189]: INFO Added logfile = /mnt/vdevs_pool/owncloud/data/owncloud.log
2014-10-10 10:12:44,932 fail2ban.server.filter[35189]: INFO Set maxRetry = 3
2014-10-10 10:12:44,937 fail2ban.server.filter[35189]: INFO Set jail log file encoding to US-ASCII
2014-10-10 10:12:44,940 fail2ban.server.actions[35189]: INFO Set banTime = 600
2014-10-10 10:12:44,945 fail2ban.server.filter[35189]: INFO Set findtime = 600
2014-10-10 10:12:49,328 fail2ban.server.jail[35189]: INFO Jail 'owncloud' started
2014-10-10 10:13:59,210 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:07,320 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:13,509 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:14,197 fail2ban.server.actions[35189]: NOTICE [owncloud] Ban 212.xxx.xxx.xxx
2014-10-10 10:14:14,248 fail2ban.server.action[35189]: ERROR ipfw table 1 add 212.xxx.xxx.xxx -- stdout: ''
2014-10-10 10:14:14,249 fail2ban.server.action[35189]: ERROR ipfw table 1 add 212.xxx.xxx.xxx -- stderr: 'ipfw: socket: Operation not permitted\n'
2014-10-10 10:14:14,250 fail2ban.server.action[35189]: ERROR ipfw table 1 add 212.xxx.xxx.xxx -- returned 69
2014-10-10 10:14:14,250 fail2ban.server.actions[35189]: ERROR Failed to execute ban jail 'owncloud' action 'ipfw-owncloud': Error banning 212.xxx.xxx.xxx
2014-10-10 10:14:20,620 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:32,759 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:39,959 fail2ban.server.filter[35189]: INFO [owncloud] Found 212.xxx.xxx.xxx
2014-10-10 10:14:40,507 fail2ban.server.actions[35189]: NOTICE [owncloud] 212.xxx.xxx.xxx already banned
When I execute the command ipfw list, I get the same error as in the log file: "ipfw: socket: Operation not permitted".

Hence, Fail2ban does not work correctly, and it is still possible to guess the password infinitely often without the IP address being banned for a while.

Does somebody know how I can solve the permission problem of the socket?
Thanks in advance!

Best regards,
Ganimed.

NAS4Free 9.2.0.1 (revision 972) x86-full, VX800 AWRDACPI VIA C7-D Processor 1500MHz 1983MiB RAM
VIA VT6202 USB 2.0 controller VIA 83C572 USB controller IP1001, 10/100/1000 media interface
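
The detection half of the setup in the post above can be exercised without a FreeBSD box. The following is an added worked example, not code from the post or from fail2ban itself: it compiles the posted failregex the way fail2ban 0.9 does (substituting its `<HOST>` expression), runs it over constructed ownCloud-7-style log lines, and replays the maxretry/findtime counting that decides when a host is banned (maxretry = 3 from the posted jail.local, findtime = 600 as shown in the posted fail2ban.log). The sample log lines, addresses and usernames are constructed test data; one of them deliberately puts a fake `Remote IP:` clause inside the attempted username to check that the filter still attributes the failure to the real client address.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex exactly as posted for ownCloud 7.0.2's JSON log.
FAILREGEX = r'''{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}'''

# What fail2ban 0.9 substitutes for the <HOST> tag before compiling a filter.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))


def log_line(user, ip, when, level=2):
    """Constructed ownCloud-7-style log line: same fields, json-encoded without
    whitespace like the real owncloud.log (sample data, not a real log)."""
    msg = "Login failed: '%s' (Remote IP: '%s', X-Forwarded-For: '')" % (user, ip)
    record = {"app": "core", "message": msg, "level": level, "time": when}
    return json.dumps(record, separators=(",", ":"))


SAMPLE_LOG = [  # constructed; timestamps in the log's own ISO 8601 form
    log_line("bob", "192.0.2.5", "2014-10-10T09:00:00+00:00"),
    log_line("bob", "192.0.2.5", "2014-10-10T09:30:00+00:00"),
    log_line("admin", "203.0.113.7", "2014-10-10T10:13:59+00:00"),
    # an unrelated level-2 message: must not match
    json.dumps({"app": "core", "message": "Setting up file shares", "level": 2,
                "time": "2014-10-10T10:14:00+00:00"}, separators=(",", ":")),
    log_line("admin", "198.51.100.23", "2014-10-10T10:14:03+00:00"),
    log_line("root", "203.0.113.7", "2014-10-10T10:14:07+00:00"),
    # attempted filter confusion: the *username* carries a fake "Remote IP" clause;
    # the greedy '.*' still resolves <HOST> to the trailing, real address
    log_line("x' (Remote IP: '198.51.100.9', X-Forwarded-For: '",
             "203.0.113.7", "2014-10-10T10:14:13+00:00"),
    log_line("admin", "198.51.100.23", "2014-10-10T10:14:20+00:00"),
    log_line("bob", "192.0.2.5", "2014-10-10T10:20:00+00:00"),
]


def find_failures(lines):
    """Yield (timestamp, host) for every line the failregex matches, the way
    fail2ban's filter does (re.search per line, the <HOST> group is the address)."""
    for line in lines:
        m = PATTERN.search(line)
        if m:
            yield datetime.fromisoformat(json.loads(line)["time"]), m.group("host")


def bans(lines, maxretry=3, findtime=600):
    """Replay fail2ban's counting: a host is banned once maxretry matching lines
    fall inside a findtime-second window. Returns banned hosts in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for ts, host in find_failures(lines):
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # forget attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for ts, host in find_failures(SAMPLE_LOG):
        print(ts.isoformat(), host)
    print("banned:", bans(SAMPLE_LOG))   # ['203.0.113.7']
```

With the posted values only 203.0.113.7 is banned: 192.0.2.5 also fails three times, but spread over more than 600 seconds, and 198.51.100.23 stops at two. Two checks worth keeping in mind when reusing the regex: it is tied to `"level":2`, so a different loglevel in config.php silently disables the jail, and behind a reverse proxy `Remote IP` is the proxy's address, so the `X-Forwarded-For` value would be the one to anchor `<HOST>` on.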

Re: Fail2ban in a Jail to secure ownCloud-Server

Posted: 27 Oct 2014 11:31
by alexey123
Hi.
When I execute the command ipfw list, I get the same error as in the log file: "ipfw: socket: Operation not permitted".

Hence, Fail2ban does not work correctly, and it is still possible to guess the password infinitely often without the IP address being banned for a while.

Does somebody know how I can solve the permission problem of the socket?
Thanks in advance!
Yes, you are right. A jail does not have full access to the firewall, so you cannot simply execute the ipfw command, but I have had fail2ban running in a jail and it did its job very well.
So:
1. You must run fail2ban in the same jail where your ownCloud lives (and the SSH server, if you want it).
2. When fail2ban finds a ban condition, it sends a letter to the main server instead of executing the command.
3. On the main server a simple daemon must run; wait-on is preferable. This daemon waits for letters from the jail and executes the command on the main server.
4. I wrote a how-to (it worked on my working server, but when I wrote the how-to I made a small error; try to find where the error is).
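
The host-side half of the scheme alexey123 outlines above, as an added sketch in Python; it is not his how-to or his scripts (which are not on this page), and its file layout is an assumption. The idea it demonstrates is the security property of the design: the jail never gets raw-socket access, it only appends "letters" to a request file, and the host-side handler treats every byte of that file as untrusted, accepts nothing but an exact `ban`/`unban` verb plus a parseable IPv4 address, and invokes ipfw as an argument vector rather than through a shell. The request file path and the jail-side action.d lines in the docstring are hypothetical.

```python
"""Host-side handler for ban/unban requests written by a jailed fail2ban.

Assumed layout (an assumption, not from the thread): the jail's fail2ban
action appends one line per event to a request file, for example with this
hypothetical action.d definition inside the jail (fail2ban runs actions via
/bin/sh, so the redirection works):

    actionban   = echo "ban <ip>"   >> /var/spool/f2b-host/requests
    actionunban = echo "unban <ip>" >> /var/spool/f2b-host/requests

On the host that file sits under the jail's root directory, and a host-side
trigger (wait_on, cron or a loop) hands its lines to process_requests().
Only the host ever runs ipfw; the jail keeps allow.raw_sockets off.
"""
import ipaddress
import subprocess
import sys

TABLE = "1"                                  # the table used by the posted ipfw.rules
ACTIONS = {"ban": "add", "unban": "delete"}  # request verb -> ipfw table sub-command


def parse_request(line):
    """Accept exactly "<ban|unban> <IPv4 address>" and nothing else.

    Once the jail is compromised, every byte of the request file is attacker
    controlled, so the only thing allowed to reach ipfw is the canonical string
    form of an address that ipaddress has parsed and we have re-rendered."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] not in ACTIONS:
        return None
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    if ip.version != 4:                       # the posted ruleset is IPv4-only
        return None
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
        return None                           # never let the jail "ban" the host itself
    return parts[0], str(ip)


def ipfw_argv(request):
    """Argument vector for the host's ipfw; passed as a list, never via a shell."""
    action, ip = request
    return ["ipfw", "table", TABLE, ACTIONS[action], ip]


def process_requests(lines, run=subprocess.run):
    """Apply each valid request and return the argv vectors that were run.
    Malformed lines are reported and skipped, never partially executed; `run`
    is injectable so the handler can be exercised without root or a real ipfw."""
    executed = []
    for n, line in enumerate(lines, 1):
        request = parse_request(line)
        if request is None:
            print("rejected request %d: %r" % (n, line.rstrip("\n")), file=sys.stderr)
            continue
        argv = ipfw_argv(request)
        run(argv, check=False)
        executed.append(argv)
    return executed


if __name__ == "__main__":
    # Dry run over constructed requests, including lines a hostile jail might write.
    constructed = [
        "ban 203.0.113.7",
        "ban 203.0.113.7; ipfw -q flush",   # shell metacharacters: rejected
        "ban 127.0.0.1",                    # loopback: rejected
        "unban 203.0.113.7",
    ]
    for argv in process_requests(constructed, run=lambda argv, **kw: None):
        print(" ".join(argv))
```

Trusted addresses that must never be banned (the admin's LAN, a monitoring host) belong in `ignoreip` in the jail's jail.local rather than in this handler, so the host side stays a strict, dumb executor whose whole attack surface is the parser above.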

Re: Fail2ban in a Jail to secure ownCloud-Server

Posted: 27 Oct 2014 23:55
by Ganimed
Hi Alexey,

thank you for your reply and your hints!!
In the meantime I have also found another possibility, by adding the following line to /etc/sysctl.conf on the host:

security.jail.allow_raw_sockets=1
This allows a jail root or an application in all jails to create raw sockets.
To restrict raw-socket access to specific jails only, we have to add the following line(s) to /etc/rc.conf or rc.conf.local:

jail_${jailname}_parameters="allow.raw_sockets=1"
where ${jailname} must be replaced by the name of the jail. There is an example in /etc/defaults/rc.conf.
If someone is using "TheBrig", this can be done by adding the right-hand part of the line to "Additional Parameters".
After that and rebooting the server/jail, we have to compile a new kernel in the jail with ipfw support.

# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL
(See also: http://www.cyberciti.biz/faq/howto-setu ... w-firewall)
Otherwise we get the following error message in the jail when calling ipfw list: "ipfw: getsockopt(IP_FW_GET): Protocol not available"

The above sounds quite nice ...
BUT doing this and enabling access to raw sockets in the jail causes big security risks when the jail has access to the public Internet!!
A public attacker may compromise the jail and launch attacks on the host or the public network by using perl or python or other port utilities to create raw sockets!
So in my opinion this would not be a good solution.

Your solution as described in your how-to is a good solution/compromise to avoid these security risks!
I will try it in the next days. :)

Re: Fail2ban in a Jail to secure ownCloud-Server

Posted: 28 Oct 2014 02:50
by alexey123
To allow raw sockets in each jail, just add the value allow.raw_sockets to the additional parameters.
After that and rebooting the server/jail, we have to compile a new kernel in the jail with ipfw support.
No need.
Jails use the main kernel, which has firewall support.
But FreeBSD does not give jail users access to the kernel; it is a jail, like a prison.

Re: Fail2ban in a Jail to secure ownCloud-Server

Posted: 07 Nov 2014 21:47
by Ganimed
Hi Alexey,

I've used your howto to secure ownCloud and lighttpd. Now it works perfectly!! Thanks a lot! :)
In my case I've written my own scripts, but based on the ideas/scripts you posted.
Soon I will write a summary here of how I proceeded.