add nextcloud-auth and nextcloud-domain filters #3581

wants to merge 8 commits into
base: master
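--- a/config/filter.d/nextcloud-auth.conf
+++ b/config/filter.d/nextcloud-auth.conf
@@ -0,0 +1,14 @@
+# Fail2Ban filter file for Nextcloud login failures
+#
+# Author: Sergey G. Brester (sebres)
+# Notice: Is also triggered by problems with the authentication provider,
+# see https://github.com/fail2ban/fail2ban/pull/3581#issuecomment-1924903039
+#
+
+[INCLUDES]
+
+before = nextcloud-common.conf
+
+[Definition]
+
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: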
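Review bot: The `[Definition]` section carries only `failregex`; filter files under config/filter.d conventionally also declare an explicit `ignoreregex =` (empty) so the filter's full regex set is visible in the file, and the same applies to config/filter.d/nextcloud-domain.conf. Suggest adding `ignoreregex =` after the `failregex` line in both. A short comment above `failregex` would also help the next maintainer: `# <HOST> is taken only from the top-level "remoteAddr" field; a "remoteAddr" string inside "message" is escaped (\") in the JSON and consumed by _groupsre, so it cannot be picked up` — that is the property the injection-style lines in fail2ban/tests/files/logs/nextcloud-auth exercise.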
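--- a/config/filter.d/nextcloud-common.conf
+++ b/config/filter.d/nextcloud-common.conf
@@ -0,0 +1,28 @@
+# Fail2Ban common filter file for Nextcloud
+#
+# Author: Sergey G. Brester (sebres)
+#
+
+[INCLUDES]
+# Read common prefixes
+before = common.conf
+
+[DEFAULT]
+logging = all
+
+# logging prefixes
+# all - universal prefix (logfile, syslog)
+# logfile - logfile only
+# syslog - syslog only
+# Use `filter = nextcloud-auth[logging=logfile]` to get more precise regex if nextcloud logs into logfile.
+# Use `filter = nextcloud-auth[logging=syslog]` to get more precise regex if nextcloud logs into syslog.
+nextcloud-prefix-logfile =
+nextcloud-prefix-syslog = %(__prefix_line)s
+nextcloud-prefix-all = (?:%(nextcloud-prefix-syslog)s|%(nextcloud-prefix-logfile)s)
+
+nextcloud-prefix = <nextcloud-prefix-<logging>>
+
+# based on https://docs.nextcloud.com/server/27/admin_manual/installation/harden_server.html#setup-a-filter-and-a-jail-for-nextcloud
+_groupsre = (?:(?:,?\s*"\w+":(?:"(?:[^"\\]|\\.)*"|\w+))*)
+
+datepattern = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"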
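Review bot: `_groupsre` accepts only scalar JSON values — a quoted string or a bare `\w+` run — so a nested object or array (the trailing `"data":[]` / `"data":{"app":"core"}` in the test logs) or a number containing `-` or `.` cannot be skipped over; matching works in the sample lines only because every field that precedes `message` there is a string or a small integer, and a future field reorder in Nextcloud's log format would make lines silently stop matching (no ban, no error). Document that assumption above the definition: `# skips a run of scalar "key":value pairs only (quoted strings or \w+); nested objects/arrays are not skipped, so "remoteAddr" and "message" must precede "data"`. The empty alternative produced by `nextcloud-prefix-all` when `nextcloud-prefix-logfile` is blank, `(?:<syslog prefix>|)`, is presumably deliberate but reads like a mistake; a one-line comment above `nextcloud-prefix-logfile =` saying the empty value is intentional (JSON starts at column 0 in the logfile) would settle it.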
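--- a/config/filter.d/nextcloud-domain.conf
+++ b/config/filter.d/nextcloud-domain.conf
@@ -0,0 +1,13 @@
+# Fail2Ban filter file for Nextcloud trusted domain errors
+#
+# Author: Sergey G. Brester (sebres) and eibex
+# Notice: Nextcloud log level has to be configured to include infos
+#
+
+[INCLUDES]
+
+before = nextcloud-common.conf
+
+[Definition]
+
+failregex = ^%(nextcloud-prefix)s\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.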
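Review bot: The trailing `.` in `"message":"Trusted domain error.` is an unescaped regex metacharacter and matches any character; the intended literal match is `"message":"Trusted domain error\.` (the `:` in nextcloud-auth's `Login failed:` has no such problem). Separately, the `remoteAddr` this filter bans is whatever Nextcloud records, and behind a reverse proxy that is the proxy's own address unless Nextcloud's `trusted_proxies` setting is configured — and trusted-domain errors frequently stem from exactly that kind of proxy/host misconfiguration, so the realistic failure mode is banning the proxy. A second header line, `# Notice: behind a reverse proxy Nextcloud must have trusted_proxies configured, otherwise remoteAddr is the proxy and it will be banned`, would be worth adding.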
9 changes: 9 additions & 0 deletions config/jail.conf
Expand Up @@ -898,6 +898,15 @@ logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1

[nextcloud-auth]
# logpath depends on the installation
port = http,https
protocol = tcp

[nextcloud-domain]
# logpath depends on the installation
port = http,https
protocol = tcp

[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
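Review bot: Both new jails leave `logpath` unset and the comment `# logpath depends on the installation` gives the operator nothing to start from; Nextcloud writes `nextcloud.log` into its data directory by default, so a commented example such as `# logpath = <nextcloud data directory>/nextcloud.log` (placeholder for the data directory) in both `[nextcloud-auth]` and `[nextcloud-domain]` would be more useful. The comment could also mention that an installation logging to syslog instead needs the filter's `logging=syslog` parameter (`filter = nextcloud-auth[logging=syslog]`) together with a syslog `logpath`/`backend`, which the filter's own comments describe but jail.conf does not. The surrounding jail list continues outside this hunk.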
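--- a/fail2ban/tests/files/logs/nextcloud-auth
+++ b/fail2ban/tests/files/logs/nextcloud-auth
@@ -0,0 +1,14 @@
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T20:34:37+00:00","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T22:58:33.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"FjzPcU7QINXYX3HhwOkO","level":2,"time":"2023-09-24T20:58:33+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: \"remoteAddr\":\"127.0.0.1\" (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:00:01.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"esevuyJw30I5QzJD46Yc","level":2,"time":"2023-09-24T21:00:01+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: Injection (Remote IP: 127.0.0.1) (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# failJSON: { "time": "2023-09-24T23:05:16.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"UhRm7pypikb4TpwomauV","level":2,"time":"2023-09-24T21:05:16+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: {\"reqId\":\"9SFGYOGO2ZtCkSu1glfh\",\"level\":2,\"time\":\"2023-09-24T20:34:37+00:00\",\"remoteAddr\":\"127.0.0.1\",\"user\":\"--\",\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: 127.0.0.1 (Remote IP: 127.0.0.1)\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0\",\"version\":\"27.1.0.7\",\"data\":[]} (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T22:34:37.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"9SFGYOGO2ZtCkSu1glfh","level":2,"time":"2023-09-24T20:34:37+00:00","remoteAddr":"141.30.226.119","user":"--","app":"no app in context","method":"POST","url":"/login\"\\","message":"Login failed: 127.0.0.1 (Remote IP: 141.30.226.119)","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":[]}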
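Review bot: Every failJSON stanza in this fixture, and likewise in fail2ban/tests/files/logs/nextcloud-domain, is `"match": true`; with no negative sample, a regression that broadens the regex (for instance losing the escape handling in `_groupsre`) would pass the test suite unnoticed. Add at least one `# failJSON: { "match": false }` stanza — e.g. a line of the same shape whose `message` is not a login failure, and one where `"remoteAddr"` appears only inside the escaped `message` with no top-level `remoteAddr` before it — so the fixture proves the filter's specificity as well as its sensitivity. The injection-style lines with an escaped inner `remoteAddr` and the `# hypothetical output based on how quotation marks are quoted` case are good coverage of the escape handling and should stay.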
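--- a/fail2ban/tests/files/logs/nextcloud-domain
+++ b/fail2ban/tests/files/logs/nextcloud-domain
@@ -0,0 +1,10 @@
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}
+# moved time to a different location which has not been observed in logs but should be matched successfully
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/apps/files/?dir=/&fileid=74","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","time":"2023-09-24T21:36:46+00:00","version":"27.1.0.7","data":{"app":"core"}}
+# failJSON: { "time": "2023-09-24T23:48:47.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"abWxlcMf4Ligb1ZLpa1X","level":1,"time":"2023-09-24T21:48:47+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"{\"remoteAddr\":\"127.0.0.1\"}\" as host.","userAgent":"curl/7.88.1","version":"27.1.0.7","data":{"app":"core"}}
+# hypothetical output based on how quotation marks are quoted
+# failJSON: { "time": "2023-09-24T23:36:46.0", "match": true , "host": "141.30.226.119" }
+{"reqId":"TBmJj3AI0u7Sop5ghz0c","level":1,"time":"2023-09-24T21:36:46+00:00","remoteAddr":"141.30.226.119","user":"--","app":"core","method":"GET","url":"/login\"\\","message":"Trusted domain error. \"141.30.226.119\" tried to access using \"thetwins.xyz\" as host.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0","version":"27.1.0.7","data":{"app":"core"}}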