From f89d58e51cdcaab92da1648e068fc9bea3f1318d Mon Sep 17 00:00:00 2001
From: Eric Wolf
Date: Mon, 25 Sep 2023 00:29:52 +0200
Subject: [PATCH] add nextcloud filters
The filters are based on the one in the hardening guide but split to allow different jails.
---
 config/filter.d/nextcloud-auth.conf | 18 ++++++++++++++++++
 config/filter.d/nextcloud-domain.conf | 19 +++++++++++++++++++
 fail2ban/tests/files/logs/nextcloud-auth | 11 +++++++++++
 fail2ban/tests/files/logs/nextcloud-domain | 7 +++++++
 4 files changed, 55 insertions(+)
 create mode 100644 config/filter.d/nextcloud-auth.conf
 create mode 100644 config/filter.d/nextcloud-domain.conf
 create mode 100644 fail2ban/tests/files/logs/nextcloud-auth
 create mode 100644 fail2ban/tests/files/logs/nextcloud-domain
diff --git a/config/filter.d/nextcloud-auth.conf b/config/filter.d/nextcloud-auth.conf
new file mode 100644
index 00000000..d20011b8
--- /dev/null
+++ b/config/filter.d/nextcloud-auth.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for Nextcloud login failures
+#
+# Author: Eric Wolf
+#
+
+[INCLUDES]
+
+# Read common prefixes
+before = common.conf
+
+after = nextcloud-auth.local
+
+[Definition]
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
diff --git a/config/filter.d/nextcloud-domain.conf b/config/filter.d/nextcloud-domain.conf
new file mode 100644
index 00000000..2133a107
--- /dev/null
+++ b/config/filter.d/nextcloud-domain.conf
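Review bot: The value alternative `"[^"]+"` in `_groupsre` can neither cross an escaped quote (`\"`) nor match an empty string (`""`), yet the second `%(_groupsre)s` in failregex has to step over every field between `remoteAddr` and `message` — including `url`, which is client-chosen and, as the new test log shows, recorded with its query string — so as far as I can tell a brute-forcer sending `POST /login?%22` produces a `Login failed:` line that never matches and is never banned, while the reverse (smuggling a fake `"remoteAddr"` key) is already blocked by Nextcloud's JSON escaping. Accept JSON string escapes instead: `_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)` — a backslash is always consumed together with the character after it, so a value still ends only at an unescaped `"`, the injection cases in the test log keep resolving to `141.30.226.119`, and a test line with `"url":"/login?\"="` would pin this. Whether the login route tolerates a query string is not visible here, so treat that as the thing to confirm. Since the banned address is Nextcloud's own `remoteAddr`, a header line such as `# Notice: remoteAddr must be the real client address; behind a reverse proxy set trusted_proxies in config.php, otherwise the jail bans the proxy` would prevent a self-inflicted outage. As rendered here `"remoteAddr":""` carries no `<HOST>` tag, presumably lost in extraction; the committed file must read `"remoteAddr":"<HOST>"` or nothing is captured.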
@@ -0,0 +1,19 @@
+# Fail2Ban filter file for Nextcloud trusted domain errors
+#
+# Author: Eric Wolf
+# Notice: Nextcloud log level has to be configured to include infos
+#
+
+[INCLUDES]
+
+# Read common prefixes
+before = common.conf
+
+after = nextcloud-domain.local
+
+[Definition]
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^%(__prefix_line)s?\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-auth b/fail2ban/tests/files/logs/nextcloud-auth
new file mode 100644
index 00000000..c4440e9d
--- /dev/null
+++ b/fail2ban/tests/files/logs/nextcloud-auth
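Review bot: `_groupsre` reuses the `"[^"]+"` value pattern, so a quote escaped as `\"` or an empty `""` in any field between `remoteAddr` and `message` makes failregex fail; for this filter the client-chosen `url` sits there and the test log shows it is logged with its query string, so a probe like `GET /?%22` with a bogus Host header logs a trusted-domain error that is never banned. Use `_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)` so escaped quotes are consumed with their backslash and a value can only terminate at a real closing quote; the escaped `{\"remoteAddr\":\"127.0.0.1\"}` Host in the test log still cannot be mistaken for the `remoteAddr` key. Worth stating in the header, next to the log-level notice, that the same message is produced by any client reaching the server through an address or alias not in `trusted_domains` — monitoring checks or a proxy hitting it by IP — so the jail's `maxretry`/`ignoreip` must be chosen with that in mind. As rendered, `"remoteAddr":""` has no `<HOST>` tag, presumably an extraction artifact; the committed filter needs `"remoteAddr":"<HOST>"`. Both filters now carry identical `_groupsre` and `datepattern` definitions; a shared include pulled in via `before =` would keep any fix in one place.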
@@ -0,0 +1,11 @@
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T20:34:37+00:00","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T22:58:33.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"FjzPcU7QINXYX3HhwOkO","level":2,"time":"2023-09-24T20:58:33+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: \"remoteAddr\":\"127.0.0.1\" (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
\ No newline at end of file
diff --git a/fail2ban/tests/files/logs/nextcloud-domain b/fail2ban/tests/files/logs/nextcloud-domain
new file mode 100644
index 00000000..16654674
--- /dev/null
+++ b/fail2ban/tests/files/logs/nextcloud-domain
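Review bot: Every hostile payload in these cases lives in `message`, which is the last field failregex inspects, so the file never exercises an escaped quote in a field the regex has to step over between `remoteAddr` and `message`; `url` is such a field, is client-chosen, and these lines show it is recorded with its query string. Add a `match: true` case that is a copy of the first log line with `"url":"/login?\"="` (expected `host` unchanged, `141.30.226.119`) so the filter is pinned to still ban a client that puts a `"` in the request line. As far as I can tell the `"[^"]+"` value pattern in `nextcloud-auth.conf` would not match that line today, which is exactly the gap a test here should surface rather than leave implicit.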
@@ -0,0 +1,7 @@
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
+# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
\ No newline at end of file
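Review bot: The only client-controlled text these cases vary is the Host header, which lands in `message` after the last key failregex has to step over; the `url` field, also client-chosen and logged here with its query string, is never given a `"`. Add a `match: true` copy of the third log line with `"url":"/?\"="` and expected `host` `141.30.226.119`, so the file states whether a probe such as `GET /?%22` with a bogus Host is still banned. With the `"[^"]+"` value pattern in `nextcloud-domain.conf` that line would, as far as I can tell, fail to match, so the case either documents the gap or proves the fix once the pattern accepts escaped quotes.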