diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf new file mode 100644 index 00000000..14d1b865 --- /dev/null +++ b/config/filter.d/nextcloud-auth.conf @@ -0,0 +1,14 @@ +# Fail2Ban filter file for Nextcloud login failures +# +# Author: Sergey G. Brester (sebres) +# Notice: Is also triggered by problems with the authentication provider, +# see https://github.com/fail2ban/fail2ban/pull/3581#issuecomment-1924903039 +# + +[INCLUDES] + +before = nextcloud-common.conf + +[Definition] + +failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: diff --git a/config/filter.d/nextcloud-common.conf b/config/filter.d/nextcloud-common.conf new file mode 100644 index 00000000..14cb001f --- /dev/null +++ b/config/filter.d/nextcloud-common.conf @@ -0,0 +1,28 @@ +# Fail2Ban common filter file for Nextcloud +# +# Author: Sergey G. Brester (sebres) +# + +[INCLUDES] +# Read common prefixes +before = common.conf + +[DEFAULT] +logging = all + +# logging prefixes +# all - universal prefix (logfile, syslog) +# logfile - logfile only +# syslog - syslog only +# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile. +# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog. +nextcloud-prefix-logfile = +nextcloud-prefix-syslog = %(__prefix_line)s +nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s) + +nextcloud-prefix = > + +# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud +_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*) + +datepattern = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf new file mode 100644 index 00000000..7d8ce4da --- /dev/null +++ b/config/filter.d/nextcloud-domain.conf @@ -0,0 +1,13 @@ +# Fail2Ban filter file for Nextcloud trusted domain errors +# +# Author: Sergey G. Brester (sebres) and eibex +# Notice: Nextcloud log level has to be configured to include infos +# + +[INCLUDES] + +before = nextcloud-common.conf + +[Definition] + +failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. diff --git a/config/jail.conf b/config/jail.conf index 5d75f4f5..c2ff07d6 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -892,6 +892,15 @@ logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 +[nextcloud-auth] +# logpath depends on the installation +port = http,https +protocol = tcp + +[nextcloud-domain] +# logpath depends on the installation +port = http,https +protocol = tcp [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above diff --git a/fail2ban/tests/files/logs/nextcloud-auth b/fail2ban/tests/files/logs/nextcloud-auth new file mode 100644 index 00000000..f1ac6d56 --- /dev/null +++ b/fail2ban/tests/files/logs/nextcloud-auth @@ -0,0 +1,14 @@ +# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" } +{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]} +# moved time to a different location which has not been observed in logs but should be matched successfully +# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" } +{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T20:34:37+00:00","version":"27.1.0.7","data":[]} +# failJSON: { "time": "2023-09-24T22:58:33.0", "match": true , "host": "141.30.226.119" } +{"reqId":"FjzPcU7QINXYX3HhwOkO","level":2,"time":"2023-09-24T20:58:33+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: \"remoteAddr\":\"127.0.0.1\" (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]} +# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" } +{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]} +# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" } +{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]} +# hypothetical output based on how quotation marks are quoted +# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" } +{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]} \ No newline at end of file diff --git a/fail2ban/tests/files/logs/nextcloud-domain b/fail2ban/tests/files/logs/nextcloud-domain new file mode 100644 index 00000000..8368a678 --- /dev/null +++ b/fail2ban/tests/files/logs/nextcloud-domain @@ -0,0 +1,10 @@ +# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" } +{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}} +# moved time to a different location which has not been observed in logs but should be matched successfully +# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" } +{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}} +# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" } +{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}} +# hypothetical output based on how quotation marks are quoted +# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" } +{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}} \ No newline at end of file